From e12f8a96f8c151c3aef52a6077e562e86a6f3879 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Love=20H=C3=B6rnquist=20=C3=85strand?= <lha@kth.se>
Date: Thu, 9 Aug 2007 14:05:47 +0000
Subject: [PATCH] match rfc822 contrains better, provide better error strings.

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@21899 ec53bebd-3082-4978-b11e-865c3cabbd6b
---
 lib/hx509/cert.c | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/lib/hx509/cert.c b/lib/hx509/cert.c
index 3cc87a1be..f4d7e6c9b 100644
--- a/lib/hx509/cert.c
+++ b/lib/hx509/cert.c
@@ -1231,7 +1231,6 @@ add_name_constraints(hx509_context context, const Certificate *c, int not_ca,
 			       "have NameConstraints");
     } else {
 	NameConstraints *val;
-	printf("adding nc\n");
 	val = realloc(nc->val, sizeof(nc->val[0]) * (nc->len + 1));
 	if (val == NULL) {
 	    hx509_clear_error_string(context);
@@ -1324,7 +1323,7 @@ match_general_name(const GeneralName *c, const GeneralName *n, int *match)
 		return HX509_NAME_CONSTRAINT_ERROR;
 	    if (strcasecmp(s + 1 + len2 - len1, c->u.rfc822Name) != 0)
 		return HX509_NAME_CONSTRAINT_ERROR;
-	    if (len1 < len2 && s[len2 - len1] != '.')
+	    if (len1 < len2 && s[len2 - len1 + 1] != '.')
 		return HX509_NAME_CONSTRAINT_ERROR;
 	}
 	*match = 1;
@@ -1395,7 +1394,6 @@ match_alt_name(const GeneralName *n, const Certificate *c,
 	}
 	free_GeneralNames(&sa);
     } while (1);
-
     return ret;
 }
 
@@ -1465,7 +1463,10 @@ check_name_constraints(hx509_context context,
 	    }
 	    /* allow null subjectNames, they wont matches anything */
 	    if (match == 0 && !subject_null_p(c)) {
-		hx509_clear_error_string(context);
+		hx509_set_error_string(context, 0, HX509_VERIFY_CONSTRAINTS,
+				       "Error verify constraints, "
+				       "certificate didn't match any "
+				       "permitted subtree");
 		return HX509_VERIFY_CONSTRAINTS;
 	    }
 	}
@@ -1477,7 +1478,10 @@ check_name_constraints(hx509_context context,
 		return ret;
 	    }
 	    if (match) {
-		hx509_clear_error_string(context);
+		hx509_set_error_string(context, 0, HX509_VERIFY_CONSTRAINTS,
+				       "Error verify constraints, "
+				       "certificate included in excluded "
+				       "subtree");
 		return HX509_VERIFY_CONSTRAINTS;
 	    }
 	}