Finished adding new metadata/trust plugins to config.
[shibboleth/cpp-sp.git] / shib / ShibbolethTrust.cpp
index 42130a7..5c686b7 100644 (file)
@@ -341,7 +341,7 @@ bool ShibbolethTrust::validate(void* certEE, const Iterator<void*>& certChain, c
                 STACK_OF(GENERAL_NAME)* altnames=(STACK_OF(GENERAL_NAME)*)X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL);
                 if (altnames) {
                     int numalts = sk_GENERAL_NAME_num(altnames);
-                    for (int an=0; !checkName && an<numalts; an++) {
+                    for (int an=0; checkName && an<numalts; an++) {
                         const GENERAL_NAME* check = sk_GENERAL_NAME_value(altnames, an);
                         if (check->type==GEN_DNS || check->type==GEN_URI) {
                             const char* altptr = (char*)ASN1_STRING_data(check->d.ia5);
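Review bot: The corrected loop test `checkName && an<numalts` only reads correctly if `checkName` means "no key name has matched yet", and nothing in the hunk says so; the inverted test it replaces shows how easily that sense is misread. A comment above the loop would pin it down, for example `// checkName stays true until a key name matches; stop scanning altnames once it is cleared`. The declaration of `checkName` and the rest of validate() lie outside the hunk, so check the wording against its initial value.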
@@ -349,10 +349,11 @@ bool ShibbolethTrust::validate(void* certEE, const Iterator<void*>& certChain, c
                             
                             for (vector<string>::const_iterator n=keynames.begin(); n!=keynames.end(); n++) {
 #ifdef HAVE_STRCASECMP
-                                if (!strncasecmp(altptr,n->c_str(),altlen)) {
+                                if ((check->type==GEN_DNS && !strncasecmp(altptr,n->c_str(),altlen))
 #else
-                                if (!strnicmp(altptr,n->c_str(),altlen)) {
+                                if ((check->type==GEN_DNS && !strnicmp(altptr,n->c_str(),altlen))
 #endif
+                                        || (check->type==GEN_URI && !strncmp(altptr,n->c_str(),altlen))) {
                                     log.info("matched DNS/URI subjectAltName to a key name (%s)", n->c_str());
                                     checkName=false;
                                     break;
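Review bot: All three comparisons in the new condition are bounded by `altlen` alone, so a key name that merely starts with the subjectAltName value still matches. Because `strncasecmp`/`strnicmp`/`strncmp` stop at a NUL, an altname carrying an embedded NUL can also compare equal to a shorter key name. Requiring equal lengths closes both cases: put `n->length()==(size_t)altlen &&` in front of the DNS/URI alternatives. `altlen` is assigned outside the hunk, presumably from the ASN.1 string length, so confirm its type and that it is the raw encoded length rather than `strlen(altptr)`.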