crypt32: Don't apply directory name constraints to an empty subject name.
diff --git a/dlls/crypt32/chain.c b/dlls/crypt32/chain.c
index 72f5e24..df94523 100644
--- a/dlls/crypt32/chain.c
+++ b/dlls/crypt32/chain.c
@@ -950,6 +950,22 @@
CERT_TRUST_INVALID_EXTENSION | CERT_TRUST_INVALID_NAME_CONSTRAINTS;
}
+static BOOL CRYPT_IsEmptyName(const CERT_NAME_BLOB *name)
+{
+ BOOL empty;
+
+ if (!name->cbData)
+ empty = TRUE;
+ else if (name->cbData == 2 && name->pbData[1] == 0)
+ {
+ /* An empty sequence is also empty */
+ empty = TRUE;
+ }
+ else
+ empty = FALSE;
+ return empty;
+}
+
static void compare_subject_with_constraints(const CERT_NAME_BLOB *subjectName,
const CERT_NAME_CONSTRAINTS_INFO *nameConstraints, DWORD *trustErrorStatus)
{
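Review bot: CRYPT_IsEmptyName's second branch tests only the length octet, so any 2-byte blob whose second byte is zero is reported as an empty name, not just the DER empty SEQUENCE (0x30 0x00) the comment describes; pinning the tag as well, `else if (name->cbData == 2 && name->pbData[0] == 0x30 && name->pbData[1] == 0)`, keeps the helper's answer aligned with its comment and with what the caller in compare_subject_with_constraints uses it for (skipping the permitted-subtree check). As far as the diff shows, the only consumer is that permitted-subtree guard, so the practical effect of the looser test looks limited to other zero-length encodings that carry no names either, but the tighter test costs nothing and avoids a reviewer having to reason that out. The `empty` temporary and the if/else chain could also collapse into one return of the boolean expression. A one-line header comment stating the contract would help here, e.g. `/* Returns TRUE if name has no content: zero length, or a DER-encoded empty SEQUENCE. */`.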
@@ -987,7 +1003,13 @@
*trustErrorStatus |=
CERT_TRUST_HAS_EXCLUDED_NAME_CONSTRAINT;
}
- if (nameConstraints->cPermittedSubtree)
+ /* RFC 5280, section 4.2.1.10:
+ * "Restrictions apply only when the specified name form is present.
+ * If no name of the type is in the certificate, the certificate is
+ * acceptable."
+ * An empty name can't have the name form present, so don't check it.
+ */
+ if (nameConstraints->cPermittedSubtree && !CRYPT_IsEmptyName(subjectName))
{
BOOL match = FALSE;