From d8486beab53b326bfdb3902b86964cbc709697b5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Love=20H=C3=B6rnquist=20=C3=85strand?=
Date: Wed, 22 Feb 2006 15:14:00 +0000
Subject: [PATCH] Add exceptions for null (empty) subjectNames
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@16762 ec53bebd-3082-4978-b11e-865c3cabbd6b
---
 lib/hx509/cert.c | 20 +++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)
diff --git a/lib/hx509/cert.c b/lib/hx509/cert.c
index 600bacd7b..9e4fa583b 100644
--- a/lib/hx509/cert.c
+++ b/lib/hx509/cert.c
@@ -966,6 +966,15 @@ match_general_name(const GeneralName *c, const GeneralName *n, int *match)
 }
 }
+/*
+ * The subjectName is "null" when its empty set of relative DBs.
+ */
+
+static int
+subject_null_p(const Certificate *c)
+{
+ return c->tbsCertificate.subject.u.rdnSequence.len == 0;
+}
 static int
 match_alt_name(const GeneralName *n, const Certificate *c,
@@ -1010,12 +1019,16 @@ match_tree(const GeneralSubtrees *t, const Certificate *c, int *match)
 /*
 * If the constraint apply to directoryNames, test is with
- * subjectName of the certificate.
+ * subjectName of the certificate if the certificate have a
+ * non-null (empty) subjectName.
 */
- if (t->val[i].base.element == choice_GeneralName_directoryName) {
+ if (t->val[i].base.element == choice_GeneralName_directoryName
+ && !subject_null_p(c))
+ {
 GeneralName certname;
+ certname.element = choice_GeneralName_directoryName;
 certname.u.directoryName.element = c->tbsCertificate.subject.element;
@@ -1052,7 +1065,8 @@ check_name_constraints(const hx509_name_constraints *nc,
 ret = match_tree(&gs, c, &match);
 if (ret)
 return ret;
- if (match == 0)
+ /* allow null subjectNames, they wont matches anything */
+ if (match == 0 && !subject_null_p(c))
 return HX509_VERIFY_CONSTRAINTS;
 }
 if (nc->val[i].excludedSubtrees) {
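Review bot: The comment above `subject_null_p` says "relative DBs", which reads as a typo for RDNs, and it does not say why an empty subject is a legitimate case. I would word it as `/* The subjectName is "null" when its RDNSequence is empty; such a certificate is named by its subjectAltName. */`. The helper also reads `subject.u.rdnSequence.len` without looking at `subject.element`, which the second hunk copies as a discriminant. Whether Name can ever hold another alternative is not visible from here, so that read may deserve a guard or a one-line remark.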
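Review bot: The reworded comment in match_tree says the test applies when the certificate has a "non-null (empty) subjectName", which reads as if non-null meant empty. Something like `* subjectName of the certificate, unless that subjectName is null (empty).` states the condition that the added `&& !subject_null_p(c)` checks. The `if` block guarded by that condition continues past the end of the hunk.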
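Review bot: The new condition `match == 0 && !subject_null_p(c)` in check_name_constraints waives the permitted-subtrees failure for every certificate with an empty subject, whatever name form the subtree constrains. Such a certificate normally carries its names in subjectAltName, and match_alt_name takes the certificate too (first hunk's context; match_tree's body is mostly outside these hunks). An alt name that falls outside all permitted subtrees would therefore appear to pass here instead of returning HX509_VERIFY_CONSTRAINTS. I would limit the exemption to certificates that hold no name of any constrained form, for example by having match_tree report whether it compared anything, and keep the failure when a name was compared and did not match. The comment could then read `/* a null subjectName has nothing to compare against directoryName constraints */`; check_name_constraints starts and ends outside the hunk.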