From 52efb376f0f859f5a26098f5b8be43e58120747f Mon Sep 17 00:00:00 2001
From: Scott Cantor <cantor.2@osu.edu>
Date: Thu, 11 Aug 2011 18:56:40 +0000
Subject: [PATCH] Handle null criteria when trusted names are set

---
 xmltooling/security/impl/AbstractPKIXTrustEngine.cpp | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/xmltooling/security/impl/AbstractPKIXTrustEngine.cpp b/xmltooling/security/impl/AbstractPKIXTrustEngine.cpp
index 25cdcb1..5d7a598 100644
--- a/xmltooling/security/impl/AbstractPKIXTrustEngine.cpp
+++ b/xmltooling/security/impl/AbstractPKIXTrustEngine.cpp
@@ -692,7 +692,7 @@ bool AbstractPKIXTrustEngine::validateWithCRLs(
         return false;
     }
 
-    if ((criteria && criteria->getPeerName() && *(criteria->getPeerName())) || !m_trustedNames.empty()) {
+    if (criteria && criteria->getPeerName() && *(criteria->getPeerName())) {
         log.debug("checking that the certificate name is acceptable");
         if (criteria && criteria->getUsage()==Credential::UNSPECIFIED_CREDENTIAL)
             criteria->setUsage(Credential::SIGNING_CREDENTIAL);
@@ -701,6 +701,15 @@ bool AbstractPKIXTrustEngine::validateWithCRLs(
             return false;
         }
     }
+    else if (!m_trustedNames.empty()) {
+        log.debug("checking that the certificate name is acceptable");
+        CredentialCriteria cc;
+        cc.setUsage(Credential::SIGNING_CREDENTIAL);
+        if (!checkEntityNames(certEE,credResolver,cc)) {
+            log.error("certificate name was not acceptable");
+            return false;
+        }
+    }
     
     log.debug("performing certificate path validation...");
 
-- 
2.1.4