diff options
| author | Peter Dettman <peter.dettman@bouncycastle.org> | 2020-02-20 11:16:50 +0700 |
|---|---|---|
| committer | Peter Dettman <peter.dettman@bouncycastle.org> | 2020-02-20 11:16:50 +0700 |
| commit | 94ea6461f6570d0370315e9bfa206dc7f96856af (patch) | |
| tree | 3860b30a1024fd938ce273c019d0a60cd67fca7b | |
| parent | Misc. updates from bc-java (diff) | |
| download | BouncyCastle.NET-ed25519-94ea6461f6570d0370315e9bfa206dc7f96856af.tar.xz | |
Improvements to permitted sub-trees
| -rw-r--r-- | crypto/src/pkix/PkixNameConstraintValidator.cs | 15 |
1 files changed, 14 insertions, 1 deletions
diff --git a/crypto/src/pkix/PkixNameConstraintValidator.cs b/crypto/src/pkix/PkixNameConstraintValidator.cs index 4d5af28ea..fbec6fb72 100644 --- a/crypto/src/pkix/PkixNameConstraintValidator.cs +++ b/crypto/src/pkix/PkixNameConstraintValidator.cs @@ -47,11 +47,24 @@ namespace Org.BouncyCastle.Pkix if (subtree.Count < 1 || subtree.Count > dns.Count) return false; + int start = 0; + Rdn subtreeRdnStart = Rdn.GetInstance(subtree[0]); + for (int j = 0; j < dns.Count; j++) + { + start = j; + Rdn dnsRdn = Rdn.GetInstance(dns[j]); + if (IetfUtilities.RdnAreEqual(subtreeRdnStart, dnsRdn)) + break; + } + + if (subtree.Count > dns.Count - start) + return false; + for (int j = 0; j < subtree.Count; ++j) { // both subtree and dns are a ASN.1 Name and the elements are a RDN Rdn subtreeRdn = Rdn.GetInstance(subtree[j]); - Rdn dnsRdn = Rdn.GetInstance(dns[j]); + Rdn dnsRdn = Rdn.GetInstance(dns[start + j]); // check if types and values of all naming attributes are matching, other types which are not restricted are allowed, see https://tools.ietf.org/html/rfc5280#section-7.1 |