@@ -595,7 +595,7 @@ impl<'a> IssuingDistributionPoint<'a> {
595595 if self . only_contains_ca_certs && node. role ( ) != Role :: Issuer
596596 || self . only_contains_user_certs && node. role ( ) != Role :: EndEntity
597597 {
598- return false ;
598+ return false ; // CRL scope excludes this cert's role.
599599 }
600600
601601 let cert_dps = match node. cert . crl_distribution_points ( ) {
@@ -605,61 +605,49 @@ impl<'a> IssuingDistributionPoint<'a> {
605605 Some ( cert_dps) => cert_dps,
606606 } ;
607607
608- let mut idp_general_names = match self . names ( ) {
609- Ok ( Some ( DistributionPointName :: FullName ( general_names) ) ) => general_names,
610- _ => return false , // Note: Either no full names, or malformed. Shouldn't occur, we check at CRL parse time.
611- } ;
612-
613608 for cert_dp in cert_dps {
614- let cert_dp = match cert_dp {
615- Ok ( cert_dp) => cert_dp,
616- // certificate CRL DP was invalid, can't match.
617- Err ( _) => return false ,
609+ let Ok ( cert_dp) = cert_dp else {
610+ continue ; // Malformed DP, try next cert DP.
618611 } ;
619612
620613 // If the certificate CRL DP was for an indirect CRL, or a CRL
621614 // sharded by revocation reason, it can't match.
622615 if cert_dp. crl_issuer . is_some ( ) || cert_dp. reasons . is_some ( ) {
623- return false ;
616+ continue ; // Indirect CRL or reason-partitioned DP, try next cert DP.
624617 }
625618
626- let mut dp_general_names = match cert_dp. names ( ) {
627- Ok ( Some ( DistributionPointName :: FullName ( general_names ) ) ) => general_names ,
628- _ => return false , // Either no full names, or malformed.
619+ let Ok ( Some ( DistributionPointName :: FullName ( dp_general_names) ) ) = cert_dp. names ( )
620+ else {
621+ continue ; // No full names or malformed, try next cert DP .
629622 } ;
630623
631624 // At least one URI type name in the IDP full names must match a URI type name in the
632625 // DP full names.
633- if Self :: uri_name_in_common ( & mut idp_general_names, & mut dp_general_names) {
634- return true ;
635- }
636- }
637-
638- false
639- }
626+ for dp_name in dp_general_names {
627+ let dp_uri = match dp_name {
628+ Ok ( GeneralName :: UniformResourceIdentifier ( dp_uri) ) => dp_uri,
629+ Ok ( _) => continue , // Not a URI type name, skip.
630+ Err ( _) => continue , // Malformed general name, try next name.
631+ } ;
640632
641- fn uri_name_in_common (
642- idp_general_names : & mut DerIterator < ' a , GeneralName < ' a > > ,
643- dp_general_names : & mut DerIterator < ' a , GeneralName < ' a > > ,
644- ) -> bool {
645- use GeneralName :: UniformResourceIdentifier ;
646- for name in idp_general_names. flatten ( ) {
647- let uri = match name {
648- UniformResourceIdentifier ( uri) => uri,
649- _ => continue ,
650- } ;
633+ let Ok ( Some ( DistributionPointName :: FullName ( idp_general_names) ) ) = self . names ( )
634+ else {
635+ return false ; // IDP has no full names or is malformed.
636+ } ;
651637
652- for other_name in ( & mut * dp_general_names) . flatten ( ) {
653- match other_name {
654- UniformResourceIdentifier ( other_uri)
655- if uri. as_slice_less_safe ( ) == other_uri. as_slice_less_safe ( ) =>
656- {
657- return true ;
638+ for idp_name in idp_general_names. flatten ( ) {
639+ match idp_name {
640+ GeneralName :: UniformResourceIdentifier ( idp_uri)
641+ if dp_uri. as_slice_less_safe ( ) == idp_uri. as_slice_less_safe ( ) =>
642+ {
643+ return true ; // DP URI matches IDP URI.
644+ }
645+ _ => continue , // Not a matching URI, try next IDP name.
658646 }
659- _ => continue ,
660647 }
661648 }
662649 }
650+
663651 false
664652 }
665653}
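Review bot: The CRL-side parse `let Ok(Some(DistributionPointName::FullName(idp_general_names))) = self.names() else { return false; }` on new lines 633–636 sits inside the innermost per-DP-name loop, so the check that the removed lines 608–611 ran once up front now re-runs for every URI name of every certificate DP and is skipped entirely when no certificate DP yields a URI name; the result is the same (`false` either way) but a reader has to follow three loop levels to see that a CRL whose IDP lacks full names can never be authoritative. Re-creating the iterator per name is presumably required because the `DerIterator` is single-pass — the old `&mut idp_general_names` plus `flatten()` consumed it across cert DPs, which looks like the defect this rewrite repairs — so keep the inner parse, but add a one-time guard before `for cert_dp in cert_dps`: `if !matches!(self.names(), Ok(Some(DistributionPointName::FullName(_)))) { return false; // IDP has no full names or is malformed. }`. The comparison on new lines 640–641 is byte-exact with no URI normalization, which is the conservative direction (any case or encoding difference means "not authoritative", so revocation status falls through to the caller's unknown-status handling) and deserves a comment saying so, e.g. `// Byte-exact match: no URI normalization, so any difference is a non-match.`. Nit: the comment on new line 621 has a stray space before the period. The enclosing function starts before this hunk.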