crypt32: Add basic constraints to chain quality selection algorithm.

552fec40 · Juan Lang · Alexandre Julliard · c310637f · 552fec40
Commit 552fec40 authored Oct 28, 2009 by Juan Lang Committed by Alexandre Julliard Oct 30, 2009
Hide whitespace changes
Inline Side-by-side

Showing with 10 additions and 5 deletions

chain.c dlls/crypt32/chain.c +10 -5

No files found.
--- a/dlls/crypt32/chain.c
+++ b/dlls/crypt32/chain.c
@@ -1704,14 +1704,16 @@ static PCertificateChain CRYPT_BuildAlternateContextFromChain(
    return alternate;
 }

-#define CHAIN_QUALITY_SIGNATURE_VALID 8
-#define CHAIN_QUALITY_TIME_VALID      4
-#define CHAIN_QUALITY_COMPLETE_CHAIN  2
-#define CHAIN_QUALITY_TRUSTED_ROOT    1
+#define CHAIN_QUALITY_SIGNATURE_VALID   0x16
+#define CHAIN_QUALITY_TIME_VALID        8
+#define CHAIN_QUALITY_COMPLETE_CHAIN    4
+#define CHAIN_QUALITY_BASIC_CONSTRAINTS 2
+#define CHAIN_QUALITY_TRUSTED_ROOT      1

 #define CHAIN_QUALITY_HIGHEST \
 CHAIN_QUALITY_SIGNATURE_VALID | CHAIN_QUALITY_TIME_VALID | \
- CHAIN_QUALITY_COMPLETE_CHAIN | CHAIN_QUALITY_TRUSTED_ROOT
+ CHAIN_QUALITY_COMPLETE_CHAIN | CHAIN_QUALITY_BASIC_CONSTRAINTS | \
+ CHAIN_QUALITY_TRUSTED_ROOT

 #define IS_TRUST_ERROR_SET(TrustStatus, bits) \
 (TrustStatus)->dwErrorStatus & (bits)
@@ -1724,6 +1726,9 @@ static DWORD CRYPT_ChainQuality(const CertificateChain *chain)
     CERT_TRUST_IS_UNTRUSTED_ROOT))
        quality &= ~CHAIN_QUALITY_TRUSTED_ROOT;
    if (IS_TRUST_ERROR_SET(&chain->context.TrustStatus,
+     CERT_TRUST_INVALID_BASIC_CONSTRAINTS))
+        quality &= ~CHAIN_QUALITY_BASIC_CONSTRAINTS;
+    if (IS_TRUST_ERROR_SET(&chain->context.TrustStatus,
     CERT_TRUST_IS_PARTIAL_CHAIN))
        quality &= ~CHAIN_QUALITY_COMPLETE_CHAIN;
    if (IS_TRUST_ERROR_SET(&chain->context.TrustStatus,