crypt32: Forbid minimum or maximum fields in name constraints.

2024-11-05 18:01:34 +00:00 · 2009-11-06 13:56:09 -08:00 · 2009-11-06 13:56:09 -08:00 · 9fe6be454f
commit 9fe6be454f
parent e7404ba24f
1 changed files with 53 additions and 13 deletions
--- a/dlls/crypt32/chain.c
+++ b/dlls/crypt32/chain.c
@ -728,6 +728,40 @@ static CERT_NAME_CONSTRAINTS_INFO *CRYPT_GetNameConstraints(CERT_INFO *cert)
    return info;
 }

+static BOOL CRYPT_IsValidNameConstraint(const CERT_NAME_CONSTRAINTS_INFO *info)
+{
+    DWORD i;
+    BOOL ret = TRUE;
+
+    /* Check that none of the constraints specifies a minimum or a maximum.
+     * See RFC 5280, section 4.2.1.10:
+     * "Within this profile, the minimum and maximum fields are not used with
+     *  any name forms, thus, the minimum MUST be zero, and maximum MUST be
+     *  absent.  However, if an application encounters a critical name
+     *  constraints extension that specifies other values for minimum or
+     *  maximum for a name form that appears in a subsequent certificate, the
+     *  application MUST either process these fields or reject the
+     *  certificate."
+     * Since it gives no guidance as to how to process these fields, we
+     * reject any name constraint that contains them.
+     */
+    for (i = 0; ret && i < info->cPermittedSubtree; i++)
+        if (info->rgPermittedSubtree[i].dwMinimum ||
+         info->rgPermittedSubtree[i].fMaximum)
+        {
+            TRACE_(chain)("found a minimum or maximum in permitted subtrees\n");
+            ret = FALSE;
+        }
+    for (i = 0; ret && i < info->cExcludedSubtree; i++)
+        if (info->rgExcludedSubtree[i].dwMinimum ||
+         info->rgExcludedSubtree[i].fMaximum)
+        {
+            TRACE_(chain)("found a minimum or maximum in excluded subtrees\n");
+            ret = FALSE;
+        }
+    return ret;
+}
+
 static void CRYPT_CheckChainNameConstraints(PCERT_SIMPLE_CHAIN chain)
 {
    int i, j;
@ -750,6 +784,11 @@ static void CRYPT_CheckChainNameConstraints(PCERT_SIMPLE_CHAIN chain)

        if ((nameConstraints = CRYPT_GetNameConstraints(
         chain->rgpElement[i]->pCertContext->pCertInfo)))
+        {
+            if (!CRYPT_IsValidNameConstraint(nameConstraints))
+                chain->rgpElement[i]->TrustStatus.dwErrorStatus |=
+                 CERT_TRUST_HAS_NOT_SUPPORTED_NAME_CONSTRAINT;
+            else
            {
                for (j = i - 1; j >= 0; j--)
                {
@ -768,6 +807,7 @@ static void CRYPT_CheckChainNameConstraints(PCERT_SIMPLE_CHAIN chain)
                         errorStatus;
                    }
                }
+            }
            LocalFree(nameConstraints);
        }
    }