rustls · ctz · Mar 20, 2026 · Mar 20, 2026 · Mar 20, 2026
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -21,7 +21,7 @@ license = "ISC"
 name = "rustls-webpki"
 readme = "README.md"
 repository = "https://github.com/rustls/webpki"
-version = "0.103.9"
+version = "0.103.10"
 
 include = [
     "Cargo.toml",
@@ -92,6 +92,7 @@ once_cell = "1.17.2"
 rcgen = { version = "0.14.2", default-features = false, features = ["aws_lc_rs"] }
 serde = { version = "1.0", features = ["derive"] }
 serde_json = "1.0"
+x509-parser = "0.18.1"
 
 [profile.bench]
 opt-level = 3

diff --git a/src/crl/types.rs b/src/crl/types.rs
@@ -595,7 +595,7 @@ impl<'a> IssuingDistributionPoint<'a> {
         if self.only_contains_ca_certs && node.role() != Role::Issuer
             || self.only_contains_user_certs && node.role() != Role::EndEntity
         {
-            return false;
+            return false; // CRL scope excludes this cert's role.
         }
 
         let cert_dps = match node.cert.crl_distribution_points() {
@@ -605,61 +605,49 @@ impl<'a> IssuingDistributionPoint<'a> {
             Some(cert_dps) => cert_dps,
         };
 
-        let mut idp_general_names = match self.names() {
-            Ok(Some(DistributionPointName::FullName(general_names))) => general_names,
-            _ => return false, // Note: Either no full names, or malformed. Shouldn't occur, we check at CRL parse time.
-        };
-
         for cert_dp in cert_dps {
-            let cert_dp = match cert_dp {
-                Ok(cert_dp) => cert_dp,
-                // certificate CRL DP was invalid, can't match.
-                Err(_) => return false,
+            let Ok(cert_dp) = cert_dp else {
+                continue; // Malformed DP, try next cert DP.
             };
 
             // If the certificate CRL DP was for an indirect CRL, or a CRL
             // sharded by revocation reason, it can't match.
             if cert_dp.crl_issuer.is_some() || cert_dp.reasons.is_some() {
-                return false;
+                continue; // Indirect CRL or reason-partitioned DP, try next cert DP.
             }
 
-            let mut dp_general_names = match cert_dp.names() {
-                Ok(Some(DistributionPointName::FullName(general_names))) => general_names,
-                _ => return false, // Either no full names, or malformed.
+            let Ok(Some(DistributionPointName::FullName(dp_general_names))) = cert_dp.names()
+            else {
+                continue; // No full names or malformed, try next cert DP.
             };
 
             // At least one URI type name in the IDP full names must match a URI type name in the
             // DP full names.
-            if Self::uri_name_in_common(&mut idp_general_names, &mut dp_general_names) {
-                return true;
-            }
-        }
-
-        false
-    }
+            for dp_name in dp_general_names {
+                let dp_uri = match dp_name {
+                    Ok(GeneralName::UniformResourceIdentifier(dp_uri)) => dp_uri,
+                    Ok(_) => continue,  // Not a URI type name, skip.
+                    Err(_) => continue, // Malformed general name, try next name.
+                };
 
-    fn uri_name_in_common(
-        idp_general_names: &mut DerIterator<'a, GeneralName<'a>>,
-        dp_general_names: &mut DerIterator<'a, GeneralName<'a>>,
-    ) -> bool {
-        use GeneralName::UniformResourceIdentifier;
-        for name in idp_general_names.flatten() {
-            let uri = match name {
-                UniformResourceIdentifier(uri) => uri,
-                _ => continue,
-            };
+                let Ok(Some(DistributionPointName::FullName(idp_general_names))) = self.names()
+                else {
+                    return false; // IDP has no full names or is malformed.
+                };
 
-            for other_name in (&mut *dp_general_names).flatten() {
-                match other_name {
-                    UniformResourceIdentifier(other_uri)
-                        if uri.as_slice_less_safe() == other_uri.as_slice_less_safe() =>
-                    {
-                        return true;
+                for idp_name in idp_general_names.flatten() {
+                    match idp_name {
+                        GeneralName::UniformResourceIdentifier(idp_uri)
+                            if dp_uri.as_slice_less_safe() == idp_uri.as_slice_less_safe() =>
+                        {
+                            return true; // DP URI matches IDP URI.
+                        }
+                        _ => continue, // Not a matching URI, try next IDP name.
                     }
-                    _ => continue,
                 }
             }
         }
+
         false
     }
 }