From 1b98d3a6ff566892fdc44603c98b6a93e5ae0bbe Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Love=20H=C3=B6rnquist=20=C3=85strand?=
Date: Wed, 26 Apr 2006 12:36:49 +0000
Subject: [PATCH] (hx509_verify_path): verify proxy certificate have no san or ian
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@17252 ec53bebd-3082-4978-b11e-865c3cabbd6b
---
 lib/hx509/cert.c | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
diff --git a/lib/hx509/cert.c b/lib/hx509/cert.c
index 099b65120..9b5aeb287 100644
--- a/lib/hx509/cert.c
+++ b/lib/hx509/cert.c
@@ -1291,6 +1291,7 @@ hx509_verify_path(hx509_context context,
 ProxyCertInfo info;
 if (proxy_cert_p(c, &info)) {
+ int j;
 if (info.pCPathLenConstraint != NULL && *info.pCPathLenConstraint > i)
@@ -1299,6 +1300,24 @@ hx509_verify_path(hx509_context context,
 ret = HX509_PATH_TOO_LONG;
 goto out;
 }
+
+
+ j = 0;
+ if (find_extension(c, oid_id_x509_ce_subjectAltName(), &j)) {
+ free_ProxyCertInfo(&info);
+ ret = HX509_PROXY_CERT_INVALID;
+ goto out;
+ }
+
+ j = 0;
+ if (find_extension(c, oid_id_x509_ce_issuerAltName(), &j)) {
+ free_ProxyCertInfo(&info);
+ ret = HX509_PROXY_CERT_INVALID;
+ goto out;
+ }
+
+ /* XXX verify issuer name */
+
 free_ProxyCertInfo(&info);
 break;
 }
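Review bot: The `/* XXX verify issuer name */` placeholder at the end of the added block in the second hunk leaves the proxy certificate name check unenforced here. As far as this hunk shows, a proxy certificate passes this branch once its path-length constraint holds and it carries neither subjectAltName nor issuerAltName. RFC 3820 also requires the proxy's issuer to equal the subject of the certificate that signed it, and its subject to be that name plus one CN component, so rejecting SAN/IAN alone does not tie the proxy to its issuer's identity. Until the comparison exists, make the gap explicit, e.g. `/* TODO: RFC 3820 name chaining (issuer == signer's subject, subject == issuer + one CN) is not enforced yet */`, and add a comment above the two `find_extension` calls saying that RFC 3820 forbids both extensions in a proxy certificate. hx509_verify_path starts and ends outside the hunk, so the name check may be handled elsewhere.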