Commit 966d7227 authored by Juan Lang's avatar Juan Lang Committed by Alexandre Julliard

crypt32: Improve error checking for the base policy.

parent c4c70b60
......@@ -2904,7 +2904,12 @@ static BOOL WINAPI verify_base_policy(LPCSTR szPolicyOID,
PCCERT_CHAIN_CONTEXT pChainContext, PCERT_CHAIN_POLICY_PARA pPolicyPara,
PCERT_CHAIN_POLICY_STATUS pPolicyStatus)
{
DWORD checks = 0;
if (pPolicyPara)
checks = pPolicyPara->dwFlags;
pPolicyStatus->lChainIndex = pPolicyStatus->lElementIndex = -1;
pPolicyStatus->dwError = NO_ERROR;
if (pChainContext->TrustStatus.dwErrorStatus &
CERT_TRUST_IS_NOT_SIGNATURE_VALID)
{
......@@ -2913,14 +2918,6 @@ static BOOL WINAPI verify_base_policy(LPCSTR szPolicyOID,
CERT_TRUST_IS_NOT_SIGNATURE_VALID, &pPolicyStatus->lChainIndex,
&pPolicyStatus->lElementIndex);
}
else if (pChainContext->TrustStatus.dwErrorStatus &
CERT_TRUST_IS_UNTRUSTED_ROOT)
{
pPolicyStatus->dwError = CERT_E_UNTRUSTEDROOT;
find_element_with_error(pChainContext,
CERT_TRUST_IS_UNTRUSTED_ROOT, &pPolicyStatus->lChainIndex,
&pPolicyStatus->lElementIndex);
}
else if (pChainContext->TrustStatus.dwErrorStatus & CERT_TRUST_IS_CYCLIC)
{
pPolicyStatus->dwError = CERT_E_CHAINING;
......@@ -2929,8 +2926,33 @@ static BOOL WINAPI verify_base_policy(LPCSTR szPolicyOID,
/* For a cyclic chain, which element is a cycle isn't meaningful */
pPolicyStatus->lElementIndex = -1;
}
else
pPolicyStatus->dwError = NO_ERROR;
if (!pPolicyStatus->dwError &&
pChainContext->TrustStatus.dwErrorStatus & CERT_TRUST_IS_UNTRUSTED_ROOT &&
!(checks & CERT_CHAIN_POLICY_ALLOW_UNKNOWN_CA_FLAG))
{
pPolicyStatus->dwError = CERT_E_UNTRUSTEDROOT;
find_element_with_error(pChainContext,
CERT_TRUST_IS_UNTRUSTED_ROOT, &pPolicyStatus->lChainIndex,
&pPolicyStatus->lElementIndex);
}
if (!pPolicyStatus->dwError &&
pChainContext->TrustStatus.dwErrorStatus & CERT_TRUST_IS_NOT_TIME_VALID)
{
pPolicyStatus->dwError = CERT_E_EXPIRED;
find_element_with_error(pChainContext,
CERT_TRUST_IS_NOT_TIME_VALID, &pPolicyStatus->lChainIndex,
&pPolicyStatus->lElementIndex);
}
if (!pPolicyStatus->dwError &&
pChainContext->TrustStatus.dwErrorStatus &
CERT_TRUST_IS_NOT_VALID_FOR_USAGE &&
!(checks & CERT_CHAIN_POLICY_IGNORE_WRONG_USAGE_FLAG))
{
pPolicyStatus->dwError = CERT_E_WRONG_USAGE;
find_element_with_error(pChainContext,
CERT_TRUST_IS_NOT_VALID_FOR_USAGE, &pPolicyStatus->lChainIndex,
&pPolicyStatus->lElementIndex);
}
return TRUE;
}
......
......@@ -3745,11 +3745,6 @@ static const ChainPolicyCheck basePolicyCheck[] = {
{ 0, CERT_E_UNTRUSTEDROOT, 0, 0, NULL }, NULL, 0 },
};
static const ChainPolicyCheck ignoredUnknownCABasePolicyCheck = {
{ sizeof(chain0) / sizeof(chain0[0]), chain0 },
{ 0, CERT_E_EXPIRED, 0, 0, NULL }, NULL, TODO_ERROR
};
/* Windows NT 4 has a different error code when the validity period doesn't
* nest. (It's arguably more correct than other Windows versions, but since
* others do not emulate its behavior, we mark its behavior broken.)
......@@ -3759,12 +3754,12 @@ static const CERT_CHAIN_POLICY_STATUS badDateNestingStatus =
static const ChainPolicyCheck ignoredBadDateNestingBasePolicyCheck = {
{ sizeof(chain2) / sizeof(chain2[0]), chain2 },
{ 0, CERT_E_EXPIRED, 0, 1, NULL}, &badDateNestingStatus, TODO_ERROR
{ 0, CERT_E_EXPIRED, 0, 1, NULL}, &badDateNestingStatus, TODO_ELEMENTS
};
static const ChainPolicyCheck ignoredInvalidDateBasePolicyCheck = {
{ sizeof(googleChain) / sizeof(googleChain[0]), googleChain },
{ 0, CERT_E_EXPIRED, 0, 1, NULL}, NULL, TODO_ERROR
{ 0, CERT_E_EXPIRED, 0, 1, NULL}, NULL, TODO_ELEMENTS
};
static const ChainPolicyCheck ignoredInvalidUsageBasePolicyCheck = {
......@@ -3774,7 +3769,7 @@ static const ChainPolicyCheck ignoredInvalidUsageBasePolicyCheck = {
static const ChainPolicyCheck invalidUsageBasePolicyCheck = {
{ sizeof(chain15) / sizeof(chain15[0]), chain15 },
{ 0, CERT_E_WRONG_USAGE, 0, 1, NULL}, NULL, TODO_ERROR
{ 0, CERT_E_WRONG_USAGE, 0, 1, NULL}, NULL, 0
};
static const ChainPolicyCheck sslPolicyCheck[] = {
......@@ -4083,7 +4078,7 @@ static void check_base_policy(void)
policyPara.cbSize = sizeof(policyPara);
policyPara.dwFlags = CERT_CHAIN_POLICY_ALLOW_UNKNOWN_CA_FLAG;
checkChainPolicyStatus(CERT_CHAIN_POLICY_BASE, NULL,
&ignoredUnknownCABasePolicyCheck, 0, &oct2007, &policyPara);
&ignoredUnknownCAPolicyCheck, 0, &oct2007, &policyPara);
policyPara.dwFlags = CERT_CHAIN_POLICY_ALLOW_UNKNOWN_CA_FLAG |
CERT_CHAIN_POLICY_IGNORE_NOT_TIME_VALID_FLAG;
checkChainPolicyStatus(CERT_CHAIN_POLICY_BASE, NULL,
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment