1 files changed, 22 insertions, 19 deletions

diff --git a/src/lib/x509/x509_ext.cpp b/src/lib/x509/x509_ext.cpp
index a7e3c8f61..1b13d36e1 100644
--- a/src/lib/x509/x509_ext.cpp
+++ b/src/lib/x509/x509_ext.cpp
@@ -594,6 +594,9 @@ void Name_Constraints::validate(const X509_Certificate& subject, const X509_Cert
       if(!subject.is_CA_cert() || !subject.is_critical("X509v3.NameConstraints"))
          cert_status.at(pos).insert(Certificate_Status_Code::NAME_CONSTRAINT_ERROR);
 
+      const bool issuer_name_constraint_critical =
+         issuer.is_critical("X509v3.NameConstraints");
+
       const bool at_self_signed_root = (pos == cert_path.size() - 1);
 
       // Check that all subordinate certs pass the name constraint
@@ -609,16 +612,16 @@ void Name_Constraints::validate(const X509_Certificate& subject, const X509_Cert
             {
             switch(c.base().matches(*cert_path.at(j)))
                {
-            case GeneralName::MatchResult::NotFound:
-            case GeneralName::MatchResult::All:
-               permitted = true;
-               break;
-            case GeneralName::MatchResult::UnknownType:
-               failed = issuer.is_critical("X509v3.NameConstraints");
-               permitted = true;
-               break;
-            default:
-               break;
+               case GeneralName::MatchResult::NotFound:
+               case GeneralName::MatchResult::All:
+                  permitted = true;
+                  break;
+               case GeneralName::MatchResult::UnknownType:
+                  failed = issuer_name_constraint_critical;
+                  permitted = true;
+                  break;
+               default:
+                  break;
                }
             }
 
@@ -626,15 +629,15 @@ void Name_Constraints::validate(const X509_Certificate& subject, const X509_Cert
             {
             switch(c.base().matches(*cert_path.at(j)))
                {
-            case GeneralName::MatchResult::All:
-            case GeneralName::MatchResult::Some:
-               failed = true;
-               break;
-            case GeneralName::MatchResult::UnknownType:
-               failed = issuer.is_critical("X509v3.NameConstraints");
-               break;
-            default:
-               break;
+               case GeneralName::MatchResult::All:
+               case GeneralName::MatchResult::Some:
+                  failed = true;
+                  break;
+               case GeneralName::MatchResult::UnknownType:
+                  failed = issuer_name_constraint_critical;
+                  break;
+               default:
+                  break;
                }
             }