Commit 16036dd2
Authored Oct 30, 2009 by Juan Lang
Committed by Alexandre Julliard, Nov 03, 2009
crypt32: Allow errors in locally installed root certs.
Parent: d6795bd9
Showing 1 changed file with 17 additions and 3 deletions
dlls/crypt32/rootstore.c
...
@@ -261,9 +261,23 @@ static void check_and_store_certs(HCERTSTORE from, HCERTSTORE to)
...
@@ -261,9 +261,23 @@ static void check_and_store_certs(HCERTSTORE from, HCERTSTORE to)
"chain creation failed"
);
"chain creation failed"
);
else
else
{
{
/* The only allowed error is CERT_TRUST_IS_UNTRUSTED_ROOT */
DWORD
allowedErrors
=
CERT_TRUST_IS_UNTRUSTED_ROOT
|
if
(
chain
->
TrustStatus
.
dwErrorStatus
&
CERT_TRUST_IS_NOT_VALID_FOR_USAGE
|
~
CERT_TRUST_IS_UNTRUSTED_ROOT
)
CERT_TRUST_INVALID_BASIC_CONSTRAINTS
|
CERT_TRUST_IS_NOT_TIME_VALID
;
/* The certificate chain verification only allows certain
* invalid CA certs if they're installed locally: CA
* certs missing the key usage extension, and CA certs
* missing the basic constraints extension. Of course
* there's a chicken and egg problem: we have to accept
* them here in order for them to be accepted later.
* Expired, locally installed certs are also allowed here,
* because we don't know (yet) what date will be checked
* for an item signed by one of these certs.
* Thus, accept certs with any of the allowed errors.
*/
if
(
chain
->
TrustStatus
.
dwErrorStatus
&
~
allowedErrors
)
TRACE
(
"rejecting %s: %s
\n
"
,
get_cert_common_name
(
cert
),
TRACE
(
"rejecting %s: %s
\n
"
,
get_cert_common_name
(
cert
),
trust_status_to_str
(
chain
->
TrustStatus
.
dwErrorStatus
&
trust_status_to_str
(
chain
->
TrustStatus
.
dwErrorStatus
&
~
CERT_TRUST_IS_UNTRUSTED_ROOT
));
~
CERT_TRUST_IS_UNTRUSTED_ROOT
));
...
...
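Review bot: the TRACE in the rejection branch still masks the status with ~CERT_TRUST_IS_UNTRUSTED_ROOT while the new test above it uses ~allowedErrors, so the log line for a rejected cert will also list bits that are now tolerated (CERT_TRUST_IS_NOT_TIME_VALID, for instance) next to the one that actually caused the rejection. Passing `chain->TrustStatus.dwErrorStatus & ~allowedErrors` to trust_status_to_str would make the trace show only the disqualifying errors. Separately, the comment speaks of CA certs missing the key usage or basic constraints extension, whereas the mask tolerates CERT_TRUST_IS_NOT_VALID_FOR_USAGE and CERT_TRUST_INVALID_BASIC_CONSTRAINTS however they were raised; it is worth confirming that those bits cannot also be set for an extension that is present but violated, since this function decides what enters the root store.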