Diffstat (limited to 'crypto/src/pkix/PkixNameConstraintValidator.cs')
-rw-r--r-- | crypto/src/pkix/PkixNameConstraintValidator.cs | 15 |
1 files changed, 14 insertions, 1 deletions
diff --git a/crypto/src/pkix/PkixNameConstraintValidator.cs b/crypto/src/pkix/PkixNameConstraintValidator.cs
index 4d5af28ea..fbec6fb72 100644
--- a/crypto/src/pkix/PkixNameConstraintValidator.cs
+++ b/crypto/src/pkix/PkixNameConstraintValidator.cs
@@ -47,11 +47,24 @@ namespace Org.BouncyCastle.Pkix
 if (subtree.Count < 1 || subtree.Count > dns.Count)
 return false;
 
+ int start = 0;
+ Rdn subtreeRdnStart = Rdn.GetInstance(subtree[0]);
+ for (int j = 0; j < dns.Count; j++)
+ {
+ start = j;
+ Rdn dnsRdn = Rdn.GetInstance(dns[j]);
+ if (IetfUtilities.RdnAreEqual(subtreeRdnStart, dnsRdn))
+ break;
+ }
+
+ if (subtree.Count > dns.Count - start)
+ return false;
+
 for (int j = 0; j < subtree.Count; ++j)
 {
 // both subtree and dns are a ASN.1 Name and the elements are a RDN
 Rdn subtreeRdn = Rdn.GetInstance(subtree[j]);
- Rdn dnsRdn = Rdn.GetInstance(dns[j]);
+ Rdn dnsRdn = Rdn.GetInstance(dns[start + j]);
 
 // check if types and values of all naming attributes are matching, other types which are not restricted are allowed, see https://tools.ietf.org/html/rfc5280#section-7.1
 
|
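Review bot: The scan for `subtreeRdnStart` lets the subtree match begin at any RDN of `dns` instead of only at its first one, so the comparison at `dns[start + j]` can accept a name whose leading RDNs lie outside the subtree. If this helper also decides permitted directoryName subtrees, that widens what a name-constrained CA is allowed to issue and looks at odds with the RFC 5280 section 7.1 matching cited in the loop's comment; the intent should be confirmed and recorded next to the scan, e.g. `// subtree may match at an offset within dns, not only as a prefix: <reason>`, with a test for a DN that carries extra leading RDNs. The scan also leaves `start` at `dns.Count - 1` when no RDN matches, so the no-match case is rejected only indirectly by the later checks; a `found` flag with `if (!found) return false;` after the loop would make it explicit. Only the first RDN equal to `subtree[0]` is tried, and the enclosing method starts and ends outside the hunk.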