crypt32: Trace reasons for name constraint failure.

2009-11-17 14:06:44 -08:00 · 2009-11-17 14:06:44 -08:00 · d6958d7660
parent 1db8a6abda
commit d6958d7660
1 changed files with 22 additions and 0 deletions
--- a/dlls/crypt32/chain.c
+++ b/dlls/crypt32/chain.c
@ -849,15 +849,23 @@ static void compare_alt_name_with_constraints(const CERT_EXTENSION *altNameExt,
            if (alt_name_matches_excluded_name(
             &subjectAltName->rgAltEntry[i], nameConstraints,
             trustErrorStatus))
+            {
+                TRACE_(chain)("subject alternate name form %d excluded\n",
+                 subjectAltName->rgAltEntry[i].dwAltNameChoice);
                *trustErrorStatus |=
                 CERT_TRUST_HAS_EXCLUDED_NAME_CONSTRAINT;
+            }
            nameFormPresent = FALSE;
            if (!alt_name_matches_permitted_name(
             &subjectAltName->rgAltEntry[i], nameConstraints,
             trustErrorStatus, &nameFormPresent) && nameFormPresent)
+            {
+                TRACE_(chain)("subject alternate name form %d not permitted\n",
+                 subjectAltName->rgAltEntry[i].dwAltNameChoice);
                *trustErrorStatus |=
                 CERT_TRUST_HAS_NOT_PERMITTED_NAME_CONSTRAINT;
            }
+        }
        LocalFree(subjectAltName);
    }
    else
@ -934,15 +942,23 @@ static void compare_subject_with_email_constraints(
                    if (rfc822_attr_matches_excluded_name(
                     &name->rgRDN[i].rgRDNAttr[j], nameConstraints,
                     trustErrorStatus))
+                    {
+                        TRACE_(chain)(
+                         "email address in subject name is excluded\n");
                        *trustErrorStatus |=
                         CERT_TRUST_HAS_EXCLUDED_NAME_CONSTRAINT;
+                    }
                    nameFormPresent = FALSE;
                    if (!rfc822_attr_matches_permitted_name(
                     &name->rgRDN[i].rgRDNAttr[j], nameConstraints,
                     trustErrorStatus, &nameFormPresent) && nameFormPresent)
+                    {
+                        TRACE_(chain)(
+                         "email address in subject name is not permitted\n");
                        *trustErrorStatus |=
                         CERT_TRUST_HAS_NOT_PERMITTED_NAME_CONSTRAINT;
                    }
+                }
        LocalFree(name);
    }
    else
@ -1000,9 +1016,12 @@ static void compare_subject_with_constraints(const CERT_NAME_BLOB *subjectName,

        if (constraint->dwAltNameChoice == CERT_ALT_NAME_DIRECTORY_NAME &&
         directory_name_matches(&constraint->u.DirectoryName, subjectName))
+        {
+            TRACE_(chain)("subject name is excluded\n");
            *trustErrorStatus |=
             CERT_TRUST_HAS_EXCLUDED_NAME_CONSTRAINT;
        }
+    }
    /* RFC 5280, section 4.2.1.10:
     * "Restrictions apply only when the specified name form is present.
     *  If no name of the type is in the certificate, the certificate is
@ -1026,9 +1045,12 @@ static void compare_subject_with_constraints(const CERT_NAME_BLOB *subjectName,
            }
        }
        if (hasDirectoryConstraint && !match)
+        {
+            TRACE_(chain)("subject name is not permitted\n");
            *trustErrorStatus |= CERT_TRUST_HAS_NOT_PERMITTED_NAME_CONSTRAINT;
        }
    }
+}

 static void CRYPT_CheckNameConstraints(
 const CERT_NAME_CONSTRAINTS_INFO *nameConstraints, const CERT_INFO *cert,