crypt32: Partially implement checking name constraints with directory names.

2009-11-17 11:25:13 -08:00 · 2009-11-17 11:25:13 -08:00 · f6d3348b7c
parent 7c44544a6d
commit f6d3348b7c
1 changed files with 25 additions and 0 deletions
--- a/dlls/crypt32/chain.c
+++ b/dlls/crypt32/chain.c
@ -720,6 +720,28 @@ static BOOL ip_address_matches(const CRYPT_DATA_BLOB *constraint,
    return match;
 }

+static BOOL directory_name_matches(const CERT_NAME_BLOB *constraint,
+ const CERT_NAME_BLOB *name)
+{
+    CERT_NAME_INFO *constraintName;
+    DWORD size;
+    BOOL match = FALSE;
+
+    if (CryptDecodeObjectEx(X509_ASN_ENCODING, X509_NAME, constraint->pbData,
+     constraint->cbData, CRYPT_DECODE_ALLOC_FLAG, NULL, &constraintName, &size))
+    {
+        DWORD i;
+
+        match = TRUE;
+        for (i = 0; match && i < constraintName->cRDN; i++)
+            match = CertIsRDNAttrsInCertificateName(X509_ASN_ENCODING,
+             CERT_CASE_INSENSITIVE_IS_RDN_ATTRS_FLAG,
+             (CERT_NAME_BLOB *)name, &constraintName->rgRDN[i]);
+        LocalFree(constraintName);
+    }
+    return match;
+}
+
 static BOOL alt_name_matches(const CERT_ALT_NAME_ENTRY *name,
 const CERT_ALT_NAME_ENTRY *constraint, DWORD *trustErrorStatus)
 {
@ -746,6 +768,9 @@ static BOOL alt_name_matches(const CERT_ALT_NAME_ENTRY *name,
             &name->u.IPAddress, trustErrorStatus);
            break;
        case CERT_ALT_NAME_DIRECTORY_NAME:
+            match = directory_name_matches(&constraint->u.DirectoryName,
+             &name->u.DirectoryName);
+            break;
        default:
            ERR("name choice %d unsupported in this context\n",
             constraint->dwAltNameChoice);