658 {
662 const size_t MAX_NC_COMPARES = (1 << 12);
663 const size_t total_constraints = m_name_constraints.
permitted().size() + m_name_constraints.
excluded().size();
665 if(!m_name_constraints.
permitted().empty() || !m_name_constraints.
excluded().empty())
666 {
667 if(!subject.is_CA_cert())
668 {
670 }
672 const bool issuer_name_constraint_critical =
673 subject.is_critical("X509v3.NameConstraints");
676 for(size_t j = 0; j < pos; ++j)
677 {
678 const auto& cert = cert_path.at(j);
679
680 const size_t total_names =
681 cert->subject_dn().dn_info().size() +
682 cert->subject_alt_name().get_attributes().size();
683
684 if(total_names * total_constraints >= MAX_NC_COMPARES) {
686 continue;
687 }
688
689 if(!m_name_constraints.
is_permitted(*cert, issuer_name_constraint_critical)) {
691 continue;
692 }
693
694 if(m_name_constraints.
is_excluded(*cert, issuer_name_constraint_critical)) {
696 continue;
697 }
698 }
699 }
700}
bool is_permitted(const X509_Certificate &cert, bool reject_unknown) const
bool is_excluded(const X509_Certificate &cert, bool reject_unknown) const
const std::vector< GeneralSubtree > & permitted() const
const std::vector< GeneralSubtree > & excluded() const