Commit 16036dd2 authored by Juan Lang's avatar Juan Lang Committed by Alexandre Julliard

crypt32: Allow errors in locally installed root certs.

parent d6795bd9
...@@ -261,9 +261,23 @@ static void check_and_store_certs(HCERTSTORE from, HCERTSTORE to) ...@@ -261,9 +261,23 @@ static void check_and_store_certs(HCERTSTORE from, HCERTSTORE to)
"chain creation failed"); "chain creation failed");
else else
{ {
/* The only allowed error is CERT_TRUST_IS_UNTRUSTED_ROOT */ DWORD allowedErrors = CERT_TRUST_IS_UNTRUSTED_ROOT |
if (chain->TrustStatus.dwErrorStatus & CERT_TRUST_IS_NOT_VALID_FOR_USAGE |
~CERT_TRUST_IS_UNTRUSTED_ROOT) CERT_TRUST_INVALID_BASIC_CONSTRAINTS |
CERT_TRUST_IS_NOT_TIME_VALID;
/* The certificate chain verification only allows certain
* invalid CA certs if they're installed locally: CA
* certs missing the key usage extension, and CA certs
* missing the basic constraints extension. Of course
* there's a chicken and egg problem: we have to accept
* them here in order for them to be accepted later.
* Expired, locally installed certs are also allowed here,
* because we don't know (yet) what date will be checked
* for an item signed by one of these certs.
* Thus, accept certs with any of the allowed errors.
*/
if (chain->TrustStatus.dwErrorStatus & ~allowedErrors)
TRACE("rejecting %s: %s\n", get_cert_common_name(cert), TRACE("rejecting %s: %s\n", get_cert_common_name(cert),
trust_status_to_str(chain->TrustStatus.dwErrorStatus & trust_status_to_str(chain->TrustStatus.dwErrorStatus &
~CERT_TRUST_IS_UNTRUSTED_ROOT)); ~CERT_TRUST_IS_UNTRUSTED_ROOT));
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment