From 300d5fe5c4500f9fdd579ebdab7b3a7a8db1d65d Mon Sep 17 00:00:00 2001
From: Juan Lang
Date: Tue, 10 Nov 2009 14:40:01 -0800
Subject: [PATCH] crypt32: Correct error when a matching name constraint is found.
---
 dlls/crypt32/chain.c | 3 +--
 dlls/crypt32/tests/chain.c | 27 +++++++++++++++++----------
 2 files changed, 18 insertions(+), 12 deletions(-)
diff --git a/dlls/crypt32/chain.c b/dlls/crypt32/chain.c
index a6fc9ff65b5..54bff756460 100644
--- a/dlls/crypt32/chain.c
+++ b/dlls/crypt32/chain.c
@@ -698,8 +698,7 @@ static void CRYPT_CheckNameConstraints(
 for (i = 0; i < nameConstraints->cPermittedSubtree; i++)
 CRYPT_FindMatchingNameEntry(
 &nameConstraints->rgPermittedSubtree[i].Base, subjectName,
- trustErrorStatus,
- CERT_TRUST_HAS_NOT_DEFINED_NAME_CONSTRAINT,
+ trustErrorStatus, 0,
 CERT_TRUST_HAS_NOT_PERMITTED_NAME_CONSTRAINT);
 LocalFree(subjectName);
 }
diff --git a/dlls/crypt32/tests/chain.c b/dlls/crypt32/tests/chain.c
index 2209e1fbbee..00adab60110 100644
--- a/dlls/crypt32/tests/chain.c
+++ b/dlls/crypt32/tests/chain.c
@@ -2444,7 +2444,7 @@ static CONST_DATA_BLOB chain19[] = {
 };
 static const CERT_TRUST_STATUS elementStatus19[] = {
 { CERT_TRUST_NO_ERROR, CERT_TRUST_HAS_NAME_MATCH_ISSUER },
- { CERT_TRUST_IS_UNTRUSTED_ROOT | CERT_TRUST_HAS_NOT_DEFINED_NAME_CONSTRAINT,
+ { CERT_TRUST_IS_UNTRUSTED_ROOT,
 CERT_TRUST_IS_SELF_SIGNED | CERT_TRUST_HAS_NAME_MATCH_ISSUER },
 };
 static const SimpleChainStatusCheck simpleStatus19[] = {
@@ -2469,7 +2469,7 @@ static CONST_DATA_BLOB chain21[] = {
 };
 static const CERT_TRUST_STATUS elementStatus21[] = {
 { CERT_TRUST_NO_ERROR, CERT_TRUST_HAS_NAME_MATCH_ISSUER },
- { CERT_TRUST_IS_UNTRUSTED_ROOT | CERT_TRUST_HAS_NOT_DEFINED_NAME_CONSTRAINT,
+ { CERT_TRUST_IS_UNTRUSTED_ROOT,
 CERT_TRUST_IS_SELF_SIGNED | CERT_TRUST_HAS_NAME_MATCH_ISSUER },
 };
 static const SimpleChainStatusCheck simpleStatus21[] = {
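Review bot: In the dlls/crypt32/chain.c hunk, the bare `0` now passed as the fourth argument of `CRYPT_FindMatchingNameEntry` in the permitted-subtree loop reads as a magic number. Going by the commit subject, it means that a subject name matching a permitted subtree adds no error bit, and a comment on the call would record that, for example `/* 0: a match against a permitted subtree sets no error bit */`. Because the loop calls the helper once per permitted subtree with `CERT_TRUST_HAS_NOT_PERMITTED_NAME_CONSTRAINT` as the last argument, it is worth confirming in the helper that a name matching one permitted subtree is not flagged merely because it fails to match another. The helper and the rest of `CRYPT_CheckNameConstraints` lie outside this hunk, so that per-subtree behaviour is inferred rather than visible.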
@@ -2725,11 +2725,17 @@ static ChainCheck chainCheck[] = {
 { CERT_TRUST_IS_UNTRUSTED_ROOT | CERT_TRUST_IS_NOT_VALID_FOR_USAGE, 0 },
 1, simpleStatus18 },
 0 },
+ /* Older versions of crypt32 set CERT_TRUST_HAS_NOT_DEFINED_NAME_CONSTRAINT
+ * even though the constraint and alt name match.
+ * They also do not set CERT_TRUST_HAS_VALID_NAME_CONSTRAINTS, since they
+ * incorrectly find a name constraint error.
+ */
 { { sizeof(chain19) / sizeof(chain19[0]), chain19 },
- { { CERT_TRUST_IS_NOT_TIME_NESTED | CERT_TRUST_IS_NOT_VALID_FOR_USAGE,
- CERT_TRUST_HAS_PREFERRED_ISSUER },
- { CERT_TRUST_IS_UNTRUSTED_ROOT |
- CERT_TRUST_HAS_NOT_DEFINED_NAME_CONSTRAINT, 0 },
+ { { CERT_TRUST_IS_NOT_TIME_NESTED | CERT_TRUST_IS_NOT_VALID_FOR_USAGE |
+ CERT_TRUST_HAS_NOT_DEFINED_NAME_CONSTRAINT,
+ CERT_TRUST_HAS_PREFERRED_ISSUER | CERT_TRUST_HAS_VALID_NAME_CONSTRAINTS
+ },
+ { CERT_TRUST_IS_UNTRUSTED_ROOT, 0 },
 1, simpleStatus19 },
 0 },
 { { sizeof(chain20) / sizeof(chain20[0]), chain20 },
@@ -2741,10 +2747,11 @@ static ChainCheck chainCheck[] = {
 1, simpleStatus20 },
 TODO_ERROR },
 { { sizeof(chain21) / sizeof(chain21[0]), chain21 },
- { { CERT_TRUST_IS_NOT_TIME_NESTED | CERT_TRUST_IS_NOT_VALID_FOR_USAGE,
- CERT_TRUST_HAS_PREFERRED_ISSUER },
- { CERT_TRUST_IS_UNTRUSTED_ROOT |
- CERT_TRUST_HAS_NOT_DEFINED_NAME_CONSTRAINT, 0 },
+ { { CERT_TRUST_IS_NOT_TIME_NESTED | CERT_TRUST_IS_NOT_VALID_FOR_USAGE |
+ CERT_TRUST_HAS_NOT_DEFINED_NAME_CONSTRAINT,
+ CERT_TRUST_HAS_PREFERRED_ISSUER | CERT_TRUST_HAS_VALID_NAME_CONSTRAINTS
+ },
+ { CERT_TRUST_IS_UNTRUSTED_ROOT, 0 },
 1, simpleStatus21 },
 0 },
 { { sizeof(chain22) / sizeof(chain22[0]), chain22 },
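Review bot: Adding `CERT_TRUST_HAS_NOT_DEFINED_NAME_CONSTRAINT` and `CERT_TRUST_HAS_VALID_NAME_CONSTRAINTS` to the first status pair of the chain19 entry appears to widen the bits the check tolerates rather than the bits it expects. That reading is inferred from the added comment and from the second pair shrinking to `CERT_TRUST_IS_UNTRUSTED_ROOT, 0`, and it should be confirmed against the `ChainCheck` definition, which is outside these hunks. If it holds, the chain-level check would no longer notice the corrected code in chain.c setting the not-defined bit again, nor would it require the valid-name-constraints info bit to be present. The chain21 entry in the following hunk gets the same widening, but the explanatory comment precedes only chain19; a pointer there such as `/* same tolerance as chain19: older crypt32 reports a name constraint error */` would keep both entries self-explanatory.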