Commit graph

125 commits

Author SHA1 Message Date
Juan Lang
e4c03521ac crypt32: Apply name constraints to subject name. 2009-11-18 11:08:37 +01:00
Juan Lang
6f35ae25b8 crypt32: Use helper function to compare a subject alternate name with name constraints. 2009-11-18 11:08:32 +01:00
Juan Lang
a98dad4f93 crypt32: Only apply a name constraint if the name form is present. 2009-11-18 11:08:25 +01:00
Juan Lang
f6d3348b7c crypt32: Partially implement checking name constraints with directory names. 2009-11-18 11:08:20 +01:00
Juan Lang
7c44544a6d crypt32: Use helper functions to match excluded and permitted subtrees of name constraints. 2009-11-18 11:08:14 +01:00
Juan Lang
9a40de08de crypt32: Let caller set error codes when name constraints aren't met. 2009-11-18 11:08:08 +01:00
Juan Lang
f8044948ba crypt32: Remove an unnecessary if. 2009-11-18 11:08:01 +01:00
Juan Lang
8585203103 crypt32: Prohibit name constraints that contain neither an excluded nor a permitted subtree. 2009-11-18 11:07:53 +01:00
Juan Lang
1974e61b59 crypt32: Correctly match subdomains with dns name constraints. 2009-11-17 12:05:11 +01:00
Juan Lang
b74ef17efc crypt32: If a hostname in a URI or rfc822 name constraint doesn't begin with '.', a match must be exact. 2009-11-17 12:05:04 +01:00
Juan Lang
e82005fe2d crypt32: Only compare the hostname portion of a URL when checking against a name constraint. 2009-11-17 12:04:58 +01:00
Juan Lang
3c8a04f12f crypt32: Include name constraints errors in the chain's error status. 2009-11-17 12:04:52 +01:00
Juan Lang
f9ad32f0ad crypt32: Trace method used to find an issuer. 2009-11-17 12:04:46 +01:00
Juan Lang
f6c4824675 crypt32: Update a comment. 2009-11-16 11:34:04 +01:00
Juan Lang
c4b997bab3 crypt32: Set CERT_TRUST_HAS_VALID_NAME_CONSTRAINTS when a certificate's name constraints are met. 2009-11-16 11:33:58 +01:00
Juan Lang
21ecc84620 crypt32: Accept any matching dNSName in a subject alternate name. 2009-11-13 11:52:25 +01:00
Juan Lang
b91d0c8bde crypt32: Implement matching a certificate with a wildcard in its name. 2009-11-13 11:52:24 +01:00
Juan Lang
300d5fe5c4 crypt32: Correct error when a matching name constraint is found. 2009-11-11 10:55:44 +01:00
Juan Lang
bdbee82c42 crypt32: Trace cert version. 2009-11-11 10:54:38 +01:00
Juan Lang
7eb33b18da crypt32: Update a comment to reflect a fixed vulnerability. 2009-11-11 10:53:56 +01:00
Juan Lang
ee02d43731 crypt32: Correct error when a constrained, permitted name type isn't found in the subject name. 2009-11-10 13:08:31 +01:00
Juan Lang
2503e9ec73 crypt32: Use helper function to find the subject alternate name extension wherever it's needed. 2009-11-10 13:08:26 +01:00
Juan Lang
ae6e884142 crypt32: Correct error when the subject alternate name can't be decoded. 2009-11-10 13:08:20 +01:00
Juan Lang
865f3df35b crypt32: Check the issued certificate for name constraint violations, not the issuing certificate. 2009-11-10 13:08:14 +01:00
Juan Lang
216df7a714 crypt32: Reject certificates whose fields don't match their versions. 2009-11-10 13:07:07 +01:00
Juan Lang
9fe6be454f crypt32: Forbid minimum or maximum fields in name constraints. 2009-11-10 13:07:00 +01:00
Juan Lang
5274777b1c crypt32: Permit lack of basic constraints extension on root certificates. 2009-11-09 19:34:36 +01:00
Juan Lang
d94e4d315a crypt32: Permit lack of key usage extension on root certificates.
This reverts 60770fb011, although it
updates the comments to give a reason.  Thanks to Matt Van Gundy for
pointing it out to me.
2009-11-09 19:34:32 +01:00
Juan Lang
d6795bd908 crypt32: Trace contents of CERT_CHAIN_PARA. 2009-11-03 21:17:34 +01:00
Juan Lang
9750d0f7f5 crypt32: Trace policy error status in CertVerifyCertificateChainPolicy. 2009-10-30 11:32:09 +01:00
Juan Lang
07b735682b crypt32: Check CA certificates for the enhanced key usage extension. 2009-10-30 11:26:39 +01:00
Juan Lang
60770fb011 crypt32: Only permit v1 or v2 CA certificates without a key usage extension if they're installed locally. 2009-10-30 11:26:30 +01:00
Juan Lang
7b0297769d crypt32: Use a helper function to find an existing cert by hash. 2009-10-30 11:26:21 +01:00
Juan Lang
33a6235053 crypt32: Only permit v1 or v2 CA certificates without a basic constraints extension if they're installed locally. 2009-10-30 11:26:06 +01:00
Juan Lang
552fec4002 crypt32: Add basic constraints to chain quality selection algorithm. 2009-10-30 11:24:23 +01:00
Juan Lang
c310637f4f crypt32: Remove redundant if clause. 2009-10-30 11:24:10 +01:00
Juan Lang
9059892ec1 crypt32: Implement CertVerifyCertificateChainPolicy for CERT_CHAIN_POLICY_SSL. 2009-10-29 13:07:53 +01:00
Juan Lang
24399bd359 crypt32: Support IPv6 addresses in name constraint comparison. 2009-10-29 13:07:20 +01:00
Juan Lang
bcb4bc6be3 crypt32: Trace netscape cert type extension. 2009-10-29 13:07:14 +01:00
Juan Lang
d664edb322 crypt32: Trace directory name of alt name entries. 2009-10-29 13:07:08 +01:00
Juan Lang
6a575d697e crypt32: Accept either the subject alt name 2 or subject alt name extensions, and prefer the former when both are present. 2009-10-29 13:06:56 +01:00
Juan Lang
1e953ef12e crypt32: Trace the alt name extensions. 2009-10-29 13:06:49 +01:00
Juan Lang
bf42ce9c90 crypt32: Trace name constraints extension. 2009-10-29 13:06:42 +01:00
Juan Lang
777ea81c48 crypt32: Trace cert policies extension. 2009-10-29 13:06:35 +01:00
Juan Lang
994d7ed40d crypt32: Trace enhanced key usage extension. 2009-10-29 13:06:25 +01:00
Juan Lang
cf9491a5a3 crypt32: Move tracing of key usage extension to common extension tracing location. 2009-10-26 11:16:54 +01:00
Juan Lang
7fa618aa8e crypt32: Check key usage during chain validation. 2009-10-21 16:21:53 +02:00
Juan Lang
cbabc9d689 crypt32: Get CA flag from basic constraints extension of every cert in the chain. 2009-10-21 16:21:40 +02:00
Juan Lang
f348e3feb7 crypt32: Check basic constraints extension for end certs too. 2009-10-21 16:21:36 +02:00
Juan Lang
87405ade02 crypt32: Add a safe default for unsupported critical extensions. 2009-10-20 13:46:55 +02:00