From b1139e02d08dfcf66661a1461bd0134ed63a0aa1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Love=20H=C3=B6rnquist=20=C3=85strand?=
Date: Wed, 26 Apr 2006 16:47:45 +0000
Subject: [PATCH] (hx509_verify_path): handle the case where the where two proxy certs in a chain.

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@17274 ec53bebd-3082-4978-b11e-865c3cabbd6b
---
 lib/hx509/cert.c | 44 ++++++++++++++++++++++++++++++++++++++------
 1 file changed, 38 insertions(+), 6 deletions(-)

diff --git a/lib/hx509/cert.c b/lib/hx509/cert.c
index e6cf91e7c..6557cf0b6 100644
--- a/lib/hx509/cert.c
+++ b/lib/hx509/cert.c
@@ -1325,20 +1325,32 @@ hx509_verify_path(hx509_context context,
             }
 
             /*
-             * XXX need to mangle name to remove the CN of the
-             * subject, copying issuer only works for one level
-             * but is better then doing no checking at all.
-             *
              * The subject name of the proxy certificate should be
-             * CN=XXX,
+             * CN=XXX,, prune of CN and check if its
+             * the same over the whole chain of proxy certs and
+             * then check with the EE cert when we get to it.
              */
-            ret = copy_Name(&c->tbsCertificate.issuer, &name);
+            ret = copy_Name(&c->tbsCertificate.subject, &name);
             if (ret) {
                 free_ProxyCertInfo(&info);
                 goto out;
             }
 
+            j = name.u.rdnSequence.len;
+            if (name.u.rdnSequence.len < 2
+                || name.u.rdnSequence.val[j - 1].len > 1
+                || heim_oid_cmp(&name.u.rdnSequence.val[j - 1].val[0].type,
+                                oid_id_at_commonName()))
+            {
+                free_ProxyCertInfo(&info);
+                ret = HX509_PROXY_CERT_NAME_WRONG;
+                goto out;
+            }
+
+            free_RelativeDistinguishedName(&name.u.rdnSequence.val[j - 1]);
+            name.u.rdnSequence.len -= 1;
+
             if (proxy_cert_depth) {
                 ret = _hx509_name_cmp(&proxy_issuer, &name);
                 free_Name(&name);
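Review bot: The new last-RDN check only rejects multi-valued RDNs with `val[j - 1].len > 1`, so a last RDN with zero AVAs (should the decoder ever produce one) reaches `val[j - 1].val[0].type` out of bounds; pinning exactly one AVA is safer and also expresses the intent, `|| name.u.rdnSequence.val[j - 1].len != 1`. On that new rejection path the `name` copied by `copy_Name` a few lines earlier is not released before `goto out` — unless `out:` frees it (that label is outside the hunk), add `free_Name(&name);` next to `free_ProxyCertInfo(&info);`. As a point of style, `j` is assigned from `name.u.rdnSequence.len` but the first condition still reads the field directly; `if (j < 2` keeps the three conditions uniform. The body of hx509_verify_path starts and ends outside this hunk.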
@@ -1354,10 +1366,30 @@ hx509_verify_path(hx509_context context,
                 free_ProxyCertInfo(&info);
                 break;
             } else {
+                /*
+                 * Now we are done with the proxy certificates, if
+                 * there where any proxy certificates
+                 * (proxy_cert_depth > 0), check that the proxy issuer
+                 * matched proxy certificates subject.
+                 */
                 if (proxy_cert_depth) {
                     ret = _hx509_name_cmp(&proxy_issuer, &c->tbsCertificate.subject);
                     if (ret) {
+                        char *str;
+                        ret = hx509_name_to_string(&proxy_issuer, &str);
+                        if (ret)
+                            abort();
+                        printf("name: %s\n", str);
+                        free(str);
+
+                        ret = hx509_name_to_string(&c->tbsCertificate.subject, &str);
+                        if (ret)
+                            abort();
+                        printf("subject: %s\n", str);
+                        free(str);
+
+                        printf("name wrong3\n");
                         ret = HX509_PROXY_CERT_NAME_WRONG;
                         goto out;
                     }
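Review bot: The diagnostic block added inside `if (ret)` calls `abort()` from a library verification routine when `hx509_name_to_string` fails, and prints both names to stdout with `printf`; a chain-validation failure should surface as the error return that follows, not terminate the calling process or write to the caller's stdout. The three `printf` lines and the two `abort()` calls read like debugging leftovers (`printf("name wrong3\n")` in particular) and should be dropped so the branch is just `ret = HX509_PROXY_CERT_NAME_WRONG; goto out;`; if the conversion result is to be kept, replace each `if (ret) abort();` with `if (ret) goto out;` so the caller sees the failure. In the new comment, "there where any" should read "there were any", and "matched proxy certificates subject" would be clearer as "matches the proxy certificates' subject". The enclosing `else` branch and hx509_verify_path continue outside the hunk.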