crypt32: Microsoft fixed a bug with name constraints, so make Wine's behavior match.
parent
4615b1c0b4
commit
25698f8938
|
@ -560,14 +560,13 @@ static void CRYPT_FindMatchingNameEntry(const CERT_ALT_NAME_ENTRY *constraint,
|
|||
DWORD errorIfFound, DWORD errorIfNotFound)
|
||||
{
|
||||
DWORD i;
|
||||
BOOL defined = FALSE, match = FALSE;
|
||||
BOOL match = FALSE;
|
||||
|
||||
for (i = 0; i < subjectName->cAltEntry; i++)
|
||||
{
|
||||
if (subjectName->rgAltEntry[i].dwAltNameChoice ==
|
||||
constraint->dwAltNameChoice)
|
||||
{
|
||||
defined = TRUE;
|
||||
switch (constraint->dwAltNameChoice)
|
||||
{
|
||||
case CERT_ALT_NAME_RFC822_NAME:
|
||||
|
@ -595,16 +594,6 @@ static void CRYPT_FindMatchingNameEntry(const CERT_ALT_NAME_ENTRY *constraint,
|
|||
}
|
||||
}
|
||||
}
|
||||
/* Microsoft's implementation of name constraint checking appears at odds
|
||||
* with RFC 3280:
|
||||
* According to MSDN, CERT_TRUST_HAS_NOT_DEFINED_NAME_CONSTRAINT is set
|
||||
* when a name constraint is present, but that name form is not defined in
|
||||
* the end certificate. According to RFC 3280, "if no name of the type is
|
||||
* in the certificate, the name is acceptable."
|
||||
* I follow Microsoft here.
|
||||
*/
|
||||
if (!defined)
|
||||
*trustErrorStatus |= CERT_TRUST_HAS_NOT_DEFINED_NAME_CONSTRAINT;
|
||||
*trustErrorStatus |= match ? errorIfFound : errorIfNotFound;
|
||||
}
|
||||
|
||||
|
@ -645,10 +634,6 @@ static void CRYPT_CheckNameConstraints(
|
|||
}
|
||||
else
|
||||
{
|
||||
/* See above comment on CERT_TRUST_HAS_NOT_DEFINED_NAME_CONSTRAINT.
|
||||
* I match Microsoft's implementation here as well.
|
||||
*/
|
||||
*trustErrorStatus |= CERT_TRUST_HAS_NOT_DEFINED_NAME_CONSTRAINT;
|
||||
if (nameConstraints->cPermittedSubtree)
|
||||
*trustErrorStatus |=
|
||||
CERT_TRUST_HAS_NOT_PERMITTED_NAME_CONSTRAINT;
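Review bot: The comment removed ahead of `*trustErrorStatus |= match ? errorIfFound : errorIfNotFound;` in CRYPT_FindMatchingNameEntry was the only record that this check departs from RFC 3280, and the remaining code still departs from it. When the certificate has no entry of the constraint's name form, `match` stays FALSE and errorIfNotFound is still reported, whereas the RFC text quoted in the old comment would accept the name. A short replacement would keep that visible to the next maintainer, for example `/* A constraint whose name form is absent from the certificate counts as unmatched; RFC 3280 would accept the name, this follows Windows. */`. The same gap exists in the else branch of CRYPT_CheckNameConstraints in the last hunk, which sets CERT_TRUST_HAS_NOT_PERMITTED_NAME_CONSTRAINT whenever a permitted subtree exists and no longer says why. That branch's condition and the callers' errorIfFound/errorIfNotFound values lie outside the hunks, so the exact cases affected cannot be confirmed from here.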
|
||||
|
|
|
@ -1352,8 +1352,7 @@ static CONST_DATA_BLOB chain5[] = {
|
|||
};
|
||||
static const CERT_TRUST_STATUS elementStatus5[] = {
|
||||
{ CERT_TRUST_NO_ERROR, CERT_TRUST_HAS_NAME_MATCH_ISSUER },
|
||||
{ CERT_TRUST_HAS_NOT_DEFINED_NAME_CONSTRAINT |
|
||||
CERT_TRUST_HAS_NOT_PERMITTED_NAME_CONSTRAINT |
|
||||
{ CERT_TRUST_HAS_NOT_PERMITTED_NAME_CONSTRAINT |
|
||||
CERT_TRUST_IS_UNTRUSTED_ROOT,
|
||||
CERT_TRUST_HAS_NAME_MATCH_ISSUER | CERT_TRUST_IS_SELF_SIGNED },
|
||||
};
|
||||
|
@ -1512,8 +1511,7 @@ static ChainCheck chainCheck[] = {
|
|||
1, simpleStatus4 }, 0 },
|
||||
{ { sizeof(chain5) / sizeof(chain5[0]), chain5 },
|
||||
{ { 0, CERT_TRUST_HAS_PREFERRED_ISSUER },
|
||||
{ CERT_TRUST_HAS_NOT_DEFINED_NAME_CONSTRAINT |
|
||||
CERT_TRUST_HAS_NOT_PERMITTED_NAME_CONSTRAINT |
|
||||
{ CERT_TRUST_HAS_NOT_PERMITTED_NAME_CONSTRAINT |
|
||||
CERT_TRUST_IS_UNTRUSTED_ROOT, 0 }, 1, simpleStatus5 }, 0 },
|
||||
{ { sizeof(chain6) / sizeof(chain6[0]), chain6 },
|
||||
{ { 0, CERT_TRUST_HAS_PREFERRED_ISSUER },
|
||||
|
|