Module: wine Branch: master Commit: 8585203103bf29192af2019d777eb508d1fd01ab URL: http://source.winehq.org/git/wine.git/?a=commit;h=8585203103bf29192af2019d77...
Author: Juan Lang juan.lang@gmail.com Date: Mon Nov 16 17:55:23 2009 -0800
crypt32: Prohibit name constraints that contain neither an excluded nor a permitted subtree.
---
dlls/crypt32/chain.c | 11 +++++++++++ 1 files changed, 11 insertions(+), 0 deletions(-)
diff --git a/dlls/crypt32/chain.c b/dlls/crypt32/chain.c
index 52ac5d9..11010d5 100644
--- a/dlls/crypt32/chain.c
+++ b/dlls/crypt32/chain.c
@@ -850,6 +850,17 @@ static BOOL CRYPT_IsValidNameConstraint(const CERT_NAME_CONSTRAINTS_INFO *info)
 DWORD i;
 BOOL ret = TRUE;
+ /* Make sure at least one permitted or excluded subtree is present. From
+ * RFC 5280, section 4.2.1.10:
+ * "Conforming CAs MUST NOT issue certificates where name constraints is an
+ * empty sequence. That is, either the permittedSubtrees field or the
+ * excludedSubtrees MUST be present."
+ */
+ if (!info->cPermittedSubtree && !info->cExcludedSubtree)
+ {
+ WARN_(chain)("constraints contain no permitted nor excluded subtree\n");
+ ret = FALSE;
+ }
 /* Check that none of the constraints specifies a minimum or a maximum.
 * See RFC 5280, section 4.2.1.10:
 * "Within this profile, the minimum and maximum fields are not used with
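Review bot: The new empty-constraints guard only records the failure in `ret` and falls through, so the rejection survives only if nothing later in CRYPT_IsValidNameConstraint assigns `ret` without first testing it. The rest of the body lies outside this hunk, so that cannot be confirmed from here. Because this result decides whether a chain with a malformed name-constraints extension is accepted, the check should fail closed at the point of detection: if no cleanup follows, replace `ret = FALSE;` with `return FALSE;`. Otherwise, confirm that every later check is guarded by `ret &&`. The quoted RFC text is a requirement on issuing CAs, so a one-line addition to the comment such as `/* As a relying party we reject such certificates rather than treat them as unconstrained. */` would make the verifier-side intent explicit.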