From 6f35ae25b8043b0b6200b347847d05ee1b0d7c30 Mon Sep 17 00:00:00 2001
From: Juan Lang
Date: Tue, 17 Nov 2009 12:19:46 -0800
Subject: [PATCH] crypt32: Use helper function to compare a subject alternate name with name constraints.
---
 dlls/crypt32/chain.c | 83 ++++++++++++++++++++++++++++------------------------
 1 file changed, 44 insertions(+), 39 deletions(-)
diff --git a/dlls/crypt32/chain.c b/dlls/crypt32/chain.c
index 8c7ad5bfcb3..14e716a1334 100644
--- a/dlls/crypt32/chain.c
+++ b/dlls/crypt32/chain.c
@@ -823,53 +823,58 @@ static inline PCERT_EXTENSION get_subject_alt_name_ext(const CERT_INFO *cert)
 return ext;
 }
-static void CRYPT_CheckNameConstraints(
- const CERT_NAME_CONSTRAINTS_INFO *nameConstraints, const CERT_INFO *cert,
- DWORD *trustErrorStatus)
+static void compare_alt_name_with_constraints(const CERT_EXTENSION *altNameExt,
+ const CERT_NAME_CONSTRAINTS_INFO *nameConstraints, DWORD *trustErrorStatus)
 {
- CERT_EXTENSION *ext = get_subject_alt_name_ext(cert);
+ CERT_ALT_NAME_INFO *subjectAltName;
+ DWORD size;
- if (ext)
+ if (CryptDecodeObjectEx(X509_ASN_ENCODING, X509_ALTERNATE_NAME,
+ altNameExt->Value.pbData, altNameExt->Value.cbData,
+ CRYPT_DECODE_ALLOC_FLAG | CRYPT_DECODE_NOCOPY_FLAG, NULL,
+ &subjectAltName, &size))
 {
- CERT_ALT_NAME_INFO *subjectName;
- DWORD size;
+ DWORD i;
- if (CryptDecodeObjectEx(X509_ASN_ENCODING, X509_ALTERNATE_NAME,
- ext->Value.pbData, ext->Value.cbData,
- CRYPT_DECODE_ALLOC_FLAG | CRYPT_DECODE_NOCOPY_FLAG, NULL,
- &subjectName, &size))
+ for (i = 0; i < subjectAltName->cAltEntry; i++)
 {
- DWORD i;
-
- for (i = 0; i < subjectName->cAltEntry; i++)
- {
- BOOL nameFormPresent;
-
- /* A name constraint only applies if the name form is present.
- * From RFC 5280, section 4.2.1.10:
- * "Restrictions apply only when the specified name form is
- * present. If no name of the type is in the certificate,
- * the certificate is acceptable."
- */
- if (alt_name_matches_excluded_name(
- &subjectName->rgAltEntry[i], nameConstraints,
- trustErrorStatus))
- *trustErrorStatus |=
- CERT_TRUST_HAS_EXCLUDED_NAME_CONSTRAINT;
- nameFormPresent = FALSE;
- if (!alt_name_matches_permitted_name(
- &subjectName->rgAltEntry[i], nameConstraints,
- trustErrorStatus, &nameFormPresent) && nameFormPresent)
- *trustErrorStatus |=
- CERT_TRUST_HAS_NOT_PERMITTED_NAME_CONSTRAINT;
- }
- LocalFree(subjectName);
+ BOOL nameFormPresent;
+
+ /* A name constraint only applies if the name form is present.
+ * From RFC 5280, section 4.2.1.10:
+ * "Restrictions apply only when the specified name form is
+ * present. If no name of the type is in the certificate,
+ * the certificate is acceptable."
+ */
+ if (alt_name_matches_excluded_name(
+ &subjectAltName->rgAltEntry[i], nameConstraints,
+ trustErrorStatus))
+ *trustErrorStatus |=
+ CERT_TRUST_HAS_EXCLUDED_NAME_CONSTRAINT;
+ nameFormPresent = FALSE;
+ if (!alt_name_matches_permitted_name(
+ &subjectAltName->rgAltEntry[i], nameConstraints,
+ trustErrorStatus, &nameFormPresent) && nameFormPresent)
+ *trustErrorStatus |=
+ CERT_TRUST_HAS_NOT_PERMITTED_NAME_CONSTRAINT;
 }
- else
- *trustErrorStatus |=
- CERT_TRUST_INVALID_EXTENSION | CERT_TRUST_INVALID_NAME_CONSTRAINTS;
+ LocalFree(subjectAltName);
 }
 else
+ *trustErrorStatus |=
+ CERT_TRUST_INVALID_EXTENSION | CERT_TRUST_INVALID_NAME_CONSTRAINTS;
+}
+
+static void CRYPT_CheckNameConstraints(
+ const CERT_NAME_CONSTRAINTS_INFO *nameConstraints, const CERT_INFO *cert,
+ DWORD *trustErrorStatus)
+{
+ CERT_EXTENSION *ext = get_subject_alt_name_ext(cert);
+
+ if (ext)
+ compare_alt_name_with_constraints(ext, nameConstraints,
+ trustErrorStatus);
+ else
 {
 if (nameConstraints->cPermittedSubtree)
 *trustErrorStatus |=
-- 
2.11.4.GIT
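Review bot: The new helper compare_alt_name_with_constraints carries no comment stating its contract, and since its only output is the flags it ORs into *trustErrorStatus, a reader has to reconstruct that from the loop body and the trailing else branch. I would add above its definition: `/* Decodes altNameExt as a subjectAltName and ORs into *trustErrorStatus any excluded or not-permitted name-constraint violation found; an extension that fails to decode yields CERT_TRUST_INVALID_EXTENSION | CERT_TRUST_INVALID_NAME_CONSTRAINTS. */`. The decode passes CRYPT_DECODE_NOCOPY_FLAG, so subjectAltName presumably references altNameExt's buffer rather than a private copy, which is only safe here because the structure is released with LocalFree before the function returns; a one-line comment on the LocalFree line saying so would stop a later change from hoisting the decoded pointer out of the helper. The rewritten CRYPT_CheckNameConstraints continues past the end of the hunk, so its else branch is not reviewed here.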