author | Jack Lloyd <[email protected]> | 2021-05-08 12:18:13 -0400 |
committer | Jack Lloyd <[email protected]> | 2021-05-09 06:57:14 -0400 |
commit | bba47e860fc772bb2d37f60f6e82fa22d7d6bc14 (patch) | |
tree | 67381db195488ff2d57974815c856e122daac482 /src/lib | |
parent | 89b9d6f4550c45f2d59f5d9b4763cbed5205b8a8 (diff) |
Fix name constraint application
A name constraint on an intermediate certificate should not constrain
the intermediate itself, but only the subordinate certificates.
Fixes GH #2737
Diffstat (limited to 'src/lib')
-rw-r--r-- | src/lib/x509/x509_ext.cpp | 7 |
1 files changed, 1 insertions, 6 deletions
diff --git a/src/lib/x509/x509_ext.cpp b/src/lib/x509/x509_ext.cpp
index a782d6a67..e81e15c18 100644
--- a/src/lib/x509/x509_ext.cpp
+++ b/src/lib/x509/x509_ext.cpp
@@ -665,14 +665,9 @@ void Name_Constraints::validate(const X509_Certificate& subject, const X509_Cert
 const bool issuer_name_constraint_critical = issuer.is_critical("X509v3.NameConstraints");
- const bool at_self_signed_root = (pos == cert_path.size() - 1);
-
 // Check that all subordinate certs pass the name constraint
- for(size_t j = 0; j <= pos; ++j)
+ for(size_t j = 0; j < pos; ++j)
 {
- if(pos == j && at_self_signed_root)
- continue;
-
 bool permitted = m_name_constraints.permitted().empty();
 bool failed = false; |