crypt32: Microsoft fixed a bug with name constraints, so make Wine's behavior match.

Juan Lang 2008-10-16 16:42:46 -07:00 committed by Alexandre Julliard
parent 4615b1c0b4
commit 25698f8938
2 changed files with 3 additions and 20 deletions


@ -560,14 +560,13 @@ static void CRYPT_FindMatchingNameEntry(const CERT_ALT_NAME_ENTRY *constraint,
DWORD errorIfFound, DWORD errorIfNotFound) DWORD errorIfFound, DWORD errorIfNotFound)
{ {
DWORD i; DWORD i;
BOOL defined = FALSE, match = FALSE; BOOL match = FALSE;
for (i = 0; i < subjectName->cAltEntry; i++) for (i = 0; i < subjectName->cAltEntry; i++)
{ {
if (subjectName->rgAltEntry[i].dwAltNameChoice == if (subjectName->rgAltEntry[i].dwAltNameChoice ==
constraint->dwAltNameChoice) constraint->dwAltNameChoice)
{ {
defined = TRUE;
switch (constraint->dwAltNameChoice) switch (constraint->dwAltNameChoice)
{ {
case CERT_ALT_NAME_RFC822_NAME: case CERT_ALT_NAME_RFC822_NAME:
@ -595,16 +594,6 @@ static void CRYPT_FindMatchingNameEntry(const CERT_ALT_NAME_ENTRY *constraint,
} }
} }
} }
/* Microsoft's implementation of name constraint checking appears at odds
* with RFC 3280:
* According to MSDN, CERT_TRUST_HAS_NOT_DEFINED_NAME_CONSTRAINT is set
* when a name constraint is present, but that name form is not defined in
* the end certificate. According to RFC 3280, "if no name of the type is
* in the certificate, the name is acceptable."
* I follow Microsoft here.
*/
if (!defined)
*trustErrorStatus |= CERT_TRUST_HAS_NOT_DEFINED_NAME_CONSTRAINT;
*trustErrorStatus |= match ? errorIfFound : errorIfNotFound; *trustErrorStatus |= match ? errorIfFound : errorIfNotFound;
} }
@ -645,10 +634,6 @@ static void CRYPT_CheckNameConstraints(
} }
else else
{ {
/* See above comment on CERT_TRUST_HAS_NOT_DEFINED_NAME_CONSTRAINT.
* I match Microsoft's implementation here as well.
*/
*trustErrorStatus |= CERT_TRUST_HAS_NOT_DEFINED_NAME_CONSTRAINT;
if (nameConstraints->cPermittedSubtree) if (nameConstraints->cPermittedSubtree)
*trustErrorStatus |= *trustErrorStatus |=
CERT_TRUST_HAS_NOT_PERMITTED_NAME_CONSTRAINT; CERT_TRUST_HAS_NOT_PERMITTED_NAME_CONSTRAINT;
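Review bot: CRYPT_FindMatchingNameEntry's closing line `*trustErrorStatus |= match ? errorIfFound : errorIfNotFound;` can no longer tell a certificate that has no name of the constrained type from one whose names all fail to match, and the comment that recorded this as a deliberate departure from RFC 3280 ("if no name of the type is in the certificate, the name is acceptable") was deleted together with the `defined` flag. The test change keeps CERT_TRUST_HAS_NOT_PERMITTED_NAME_CONSTRAINT on chain5 after dropping the HAS_NOT_DEFINED bit, so reporting an absent name form as a permitted-subtree violation looks intended, but whether that is a real over-rejection depends on the errorIfNotFound value the caller passes, which is outside the hunk. I would keep a one-line record of the divergence above that statement, e.g. `/* An absent name form counts as a mismatch here, matching Microsoft rather than RFC 3280 section 4.2.1.11. */`, and a similar note in the else branch of CRYPT_CheckNameConstraints, where a missing subject alt name now sets CERT_TRUST_HAS_NOT_PERMITTED_NAME_CONSTRAINT whenever any permitted subtree exists. Both functions begin outside the hunks shown.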


@ -1352,8 +1352,7 @@ static CONST_DATA_BLOB chain5[] = {
}; };
static const CERT_TRUST_STATUS elementStatus5[] = { static const CERT_TRUST_STATUS elementStatus5[] = {
{ CERT_TRUST_NO_ERROR, CERT_TRUST_HAS_NAME_MATCH_ISSUER }, { CERT_TRUST_NO_ERROR, CERT_TRUST_HAS_NAME_MATCH_ISSUER },
{ CERT_TRUST_HAS_NOT_DEFINED_NAME_CONSTRAINT | { CERT_TRUST_HAS_NOT_PERMITTED_NAME_CONSTRAINT |
CERT_TRUST_HAS_NOT_PERMITTED_NAME_CONSTRAINT |
CERT_TRUST_IS_UNTRUSTED_ROOT, CERT_TRUST_IS_UNTRUSTED_ROOT,
CERT_TRUST_HAS_NAME_MATCH_ISSUER | CERT_TRUST_IS_SELF_SIGNED }, CERT_TRUST_HAS_NAME_MATCH_ISSUER | CERT_TRUST_IS_SELF_SIGNED },
}; };
@ -1512,8 +1511,7 @@ static ChainCheck chainCheck[] = {
1, simpleStatus4 }, 0 }, 1, simpleStatus4 }, 0 },
{ { sizeof(chain5) / sizeof(chain5[0]), chain5 }, { { sizeof(chain5) / sizeof(chain5[0]), chain5 },
{ { 0, CERT_TRUST_HAS_PREFERRED_ISSUER }, { { 0, CERT_TRUST_HAS_PREFERRED_ISSUER },
{ CERT_TRUST_HAS_NOT_DEFINED_NAME_CONSTRAINT | { CERT_TRUST_HAS_NOT_PERMITTED_NAME_CONSTRAINT |
CERT_TRUST_HAS_NOT_PERMITTED_NAME_CONSTRAINT |
CERT_TRUST_IS_UNTRUSTED_ROOT, 0 }, 1, simpleStatus5 }, 0 }, CERT_TRUST_IS_UNTRUSTED_ROOT, 0 }, 1, simpleStatus5 }, 0 },
{ { sizeof(chain6) / sizeof(chain6[0]), chain6 }, { { sizeof(chain6) / sizeof(chain6[0]), chain6 },
{ { 0, CERT_TRUST_HAS_PREFERRED_ISSUER }, { { 0, CERT_TRUST_HAS_PREFERRED_ISSUER },