crypt32: Only fail directory name comparison if a directory name constraint is present and doesn't match.
parent
a63affe5e0
commit
1db8a6abda
|
@ -1011,7 +1011,7 @@ static void compare_subject_with_constraints(const CERT_NAME_BLOB *subjectName,
|
||||||
*/
|
*/
|
||||||
if (nameConstraints->cPermittedSubtree && !CRYPT_IsEmptyName(subjectName))
|
if (nameConstraints->cPermittedSubtree && !CRYPT_IsEmptyName(subjectName))
|
||||||
{
|
{
|
||||||
BOOL match = FALSE;
|
BOOL match = FALSE, hasDirectoryConstraint = FALSE;
|
||||||
|
|
||||||
for (i = 0; !match && i < nameConstraints->cPermittedSubtree; i++)
|
for (i = 0; !match && i < nameConstraints->cPermittedSubtree; i++)
|
||||||
{
|
{
|
||||||
|
@ -1019,10 +1019,13 @@ static void compare_subject_with_constraints(const CERT_NAME_BLOB *subjectName,
|
||||||
&nameConstraints->rgPermittedSubtree[i].Base;
|
&nameConstraints->rgPermittedSubtree[i].Base;
|
||||||
|
|
||||||
if (constraint->dwAltNameChoice == CERT_ALT_NAME_DIRECTORY_NAME)
|
if (constraint->dwAltNameChoice == CERT_ALT_NAME_DIRECTORY_NAME)
|
||||||
|
{
|
||||||
|
hasDirectoryConstraint = TRUE;
|
||||||
match = directory_name_matches(&constraint->u.DirectoryName,
|
match = directory_name_matches(&constraint->u.DirectoryName,
|
||||||
subjectName);
|
subjectName);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
if (!match)
|
if (hasDirectoryConstraint && !match)
|
||||||
*trustErrorStatus |= CERT_TRUST_HAS_NOT_PERMITTED_NAME_CONSTRAINT;
|
*trustErrorStatus |= CERT_TRUST_HAS_NOT_PERMITTED_NAME_CONSTRAINT;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
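Review bot: The new `if (hasDirectoryConstraint && !match)` test makes the permitted-subtree check pass by default whenever no permitted subtree is a `CERT_ALT_NAME_DIRECTORY_NAME` entry, and the visible lines carry no comment saying this is intended. It matches RFC 5280 section 4.2.1.10, where a restriction applies only to name forms for which a subtree is given, but a later reader could mistake the guard for a bypass and tighten it again. I would add above it `/* Reject only when a directory name subtree exists and none matches; other name forms do not constrain the subject (RFC 5280, 4.2.1.10). */`. compare_subject_with_constraints starts before the first hunk and its excluded-subtree handling is not shown, so confirm that side is unaffected. A chain test with only non-directory permitted subtrees and a non-empty subject would pin the behaviour.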