marko10_000
/
wine-wine
forked from Mirrors/wine-wine
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

crypt32: Prohibit name constraints that contain neither an excluded nor a permitted subtree.

oldstable
Juan Lang 2009-11-16 17:55:23 -08:00 committed by Alexandre Julliard
parent e77e9e45aa
commit 8585203103
1 changed files with 11 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
dlls/crypt32/chain.c
View File

@ -850,6 +850,17 @@ static BOOL CRYPT_IsValidNameConstraint(const CERT_NAME_CONSTRAINTS_INFO *info)
DWORD i;
BOOL ret = TRUE;
/* Make sure at least one permitted or excluded subtree is present. From
* RFC 5280, section 4.2.1.10:
* "Conforming CAs MUST NOT issue certificates where name constraints is an
* empty sequence. That is, either the permittedSubtrees field or the
* excludedSubtrees MUST be present."
*/
if (!info->cPermittedSubtree && !info->cExcludedSubtree)
{
WARN_(chain)("constraints contain no permitted nor excluded subtree\n");
ret = FALSE;
}
/* Check that none of the constraints specifies a minimum or a maximum.
* See RFC 5280, section 4.2.1.10:
* "Within this profile, the minimum and maximum fields are not used with