Bug 394919: dNSName constraints should constrain cert Common Names in

certs.  r=nelson.
Modified Files:
	pkix_pl_cert.c pkix_pl_nameconstraints.c

2 files changed, 5 insertions, 4 deletions

diff --git a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c
index f2156acbd..df5f03a0e 100644
--- a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c
+++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c
@@ -3182,9 +3182,10 @@ PKIX_PL_Cert_CheckNameConstraints(
                 }
 
                 /* This NSS call returns both Subject and  Subject Alt Names */
-                PKIX_CERT_DEBUG("\t\tCalling CERT_GetCertificateNames\n");
-                nssSubjectNames = CERT_GetCertificateNames
-                        (cert->nssCert, arena);
+                PKIX_CERT_DEBUG
+                    ("\t\tCalling CERT_GetConstrainedCertificateNames\n");
+                nssSubjectNames = CERT_GetConstrainedCertificateNames
+                        (cert->nssCert, arena, PR_TRUE);
 
                 PKIX_CHECK(pkix_pl_CertNameConstraints_CheckNameSpaceNssNames
                         (nssSubjectNames,
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_nameconstraints.c b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_nameconstraints.c
index a0127668b..5486b74be 100644
--- a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_nameconstraints.c
+++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_nameconstraints.c
@@ -277,7 +277,7 @@ cleanup:
  * FUNCTION: pkix_pl_CertNameConstraints_CheckNameSpaceNssNames
  * DESCRIPTION:
  *
- *  This function checks if CERTGeneral names in "nssSubjectNames" complies
+ *  This function checks if CERTGeneralNames in "nssSubjectNames" comply
  *  with the permitted and excluded names in "nameConstraints". It returns
  *  PKIX_TRUE in "pCheckPass", if the Names satify the name space of the
  *  permitted list and if the Names are not in the excluded list. Otherwise,