If alternative names are found, don't bother checking the DN.
authorNikos Mavrogiannopoulos <nmav@redhat.com>
Wed, 19 Feb 2014 12:57:30 +0000 (13:57 +0100)
committerNikos Mavrogiannopoulos <nmav@redhat.com>
Wed, 19 Feb 2014 12:57:30 +0000 (13:57 +0100)
lib/x509/name_constraints.c

index ca3576efbcbe301e8523a97c15c95c564e013823..b76e5e9552c8f1408fe0fd586f81739369ac9624 100644 (file)
@@ -713,21 +713,26 @@ size_t name_size;
 int ret;
 unsigned idx, t, san_type;
 gnutls_datum_t n;
+unsigned found_one;
 
        if (is_nc_empty(nc) != 0)
                return 1; /* shortcut; no constraints to check */
 
        if (type == GNUTLS_SAN_RFC822NAME) {
-               idx = 0;
+               idx = found_one = 0;
                do {
                        name_size = sizeof(name);
-                       ret = gnutls_x509_crt_get_dn_by_oid(cert, GNUTLS_OID_PKCS9_EMAIL,
-                               idx++, 0, name, &name_size);
+                       ret = gnutls_x509_crt_get_subject_alt_name2(cert,
+                               idx++, name, &name_size, &san_type, NULL);
                        if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
                                break;
                        else if (ret < 0)
                                return gnutls_assert_val(0);
 
+                       if (san_type != GNUTLS_SAN_RFC822NAME)
+                               continue;
+
+                       found_one = 1;
                        n.data = (void*)name;
                        n.size = name_size;
                        t = gnutls_x509_name_constraints_check(nc, GNUTLS_SAN_RFC822NAME,
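Review bot: `idx = found_one = 0;` at the top of the rfc822Name branch folds the reset of the loop index and the newly added flag into one chained assignment; two statements, `idx = 0;` and `found_one = 0;`, read more plainly and make the flag's role obvious, and the same applies to the dNSName branch in the third hunk. Note also that the `continue` on entries whose `san_type` is not `GNUTLS_SAN_RFC822NAME` is taken before `found_one = 1`, so a SAN extension holding only other name types leaves the flag clear and the DN fallback later in the function still runs; that is a reasonable, stricter reading, but it deserves a one-line comment such as `/* only rfc822Name entries count; other SAN types do not suppress the DN check */`. The enclosing function starts before this hunk.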
@@ -736,19 +741,19 @@ gnutls_datum_t n;
                                return gnutls_assert_val(t);
                } while(ret >= 0);
 
+               if (found_one != 0)
+                       return 1;
+
                idx = 0;
                do {
                        name_size = sizeof(name);
-                       ret = gnutls_x509_crt_get_subject_alt_name2(cert,
-                               idx++, name, &name_size, &san_type, NULL);
+                       ret = gnutls_x509_crt_get_dn_by_oid(cert, GNUTLS_OID_PKCS9_EMAIL,
+                               idx++, 0, name, &name_size);
                        if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
                                break;
                        else if (ret < 0)
                                return gnutls_assert_val(0);
 
-                       if (san_type != GNUTLS_SAN_RFC822NAME)
-                               continue;
-
                        n.data = (void*)name;
                        n.size = name_size;
                        t = gnutls_x509_name_constraints_check(nc, GNUTLS_SAN_RFC822NAME,
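Review bot: The new `if (found_one != 0) return 1;` after the SAN loop changes the contract without saying why: once at least one rfc822Name SAN has passed the constraints, the emailAddress attribute in the subject DN is no longer checked at all. This matches RFC 5280 §4.2.1.10, which applies rfc822Name constraints to the subject emailAddress only when the certificate carries no subject alternative name, so a comment on the return such as `/* RFC 5280 4.2.1.10: the DN emailAddress is only constrained when no rfc822Name SAN is present */` would keep a later reader from "fixing" it back. Keying on rfc822Name entries specifically rather than on the mere presence of a SAN extension is stricter than the RFC's wording and errs on the safe side, which is worth stating too. The same `found_one` shortcut in the fourth hunk skips the commonName check for the dNSName case; RFC 5280 defines no constraint on the CN, so that return should say it mirrors the hostname-matching convention of consulting the CN only when no dNSName SAN exists, if that is the intent. The enclosing function continues past this hunk.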
@@ -760,16 +765,20 @@ gnutls_datum_t n;
                /* passed */
                return 1;
        } else if (type == GNUTLS_SAN_DNSNAME) {
-               idx = 0;
+               idx = found_one = 0;
                do {
                        name_size = sizeof(name);
-                       ret = gnutls_x509_crt_get_dn_by_oid(cert, GNUTLS_OID_X520_COMMON_NAME,
-                               idx++, 0, name, &name_size);
+                       ret = gnutls_x509_crt_get_subject_alt_name2(cert,
+                               idx++, name, &name_size, &san_type, NULL);
                        if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
                                break;
                        else if (ret < 0)
                                return gnutls_assert_val(0);
 
+                       if (san_type != GNUTLS_SAN_DNSNAME)
+                               continue;
+
+                       found_one = 1;
                        n.data = (void*)name;
                        n.size = name_size;
                        t = gnutls_x509_name_constraints_check(nc, GNUTLS_SAN_DNSNAME,
@@ -778,19 +787,19 @@ gnutls_datum_t n;
                                return gnutls_assert_val(t);
                } while(ret >= 0);
 
+               if (found_one != 0)
+                       return 1;
+
                idx = 0;
                do {
                        name_size = sizeof(name);
-                       ret = gnutls_x509_crt_get_subject_alt_name2(cert,
-                               idx++, name, &name_size, &san_type, NULL);
+                       ret = gnutls_x509_crt_get_dn_by_oid(cert, GNUTLS_OID_X520_COMMON_NAME,
+                               idx++, 0, name, &name_size);
                        if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
                                break;
                        else if (ret < 0)
                                return gnutls_assert_val(0);
 
-                       if (san_type != GNUTLS_SAN_DNSNAME)
-                               continue;
-
                        n.data = (void*)name;
                        n.size = name_size;
                        t = gnutls_x509_name_constraints_check(nc, GNUTLS_SAN_DNSNAME,