657 {
658 if(!m_name_constraints.
permitted().empty() || !m_name_constraints.
excluded().empty())
659 {
660 if(!subject.is_CA_cert() || !subject.is_critical("X509v3.NameConstraints"))
662
663 const bool issuer_name_constraint_critical =
664 issuer.is_critical("X509v3.NameConstraints");
665
666 const bool at_self_signed_root = (pos == cert_path.size() - 1);
667
668
669 for(size_t j = 0; j <= pos; ++j)
670 {
671 if(pos == j && at_self_signed_root)
672 continue;
673
674 bool permitted = m_name_constraints.
permitted().empty();
675 bool failed = false;
676
677 for(
auto c: m_name_constraints.
permitted())
678 {
679 switch(c.base().matches(*cert_path.at(j)))
680 {
681 case GeneralName::MatchResult::NotFound:
682 case GeneralName::MatchResult::All:
683 permitted = true;
684 break;
685 case GeneralName::MatchResult::UnknownType:
686 failed = issuer_name_constraint_critical;
687 permitted = true;
688 break;
689 default:
690 break;
691 }
692 }
693
694 for(
auto c: m_name_constraints.
excluded())
695 {
696 switch(c.base().matches(*cert_path.at(j)))
697 {
698 case GeneralName::MatchResult::All:
699 case GeneralName::MatchResult::Some:
700 failed = true;
701 break;
702 case GeneralName::MatchResult::UnknownType:
703 failed = issuer_name_constraint_critical;
704 break;
705 default:
706 break;
707 }
708 }
709
710 if(failed || !permitted)
711 {
713 }
714 }
715 }
716 }