Juan Lang : crypt32: Allow errors in locally installed root certs.

Alexandre Julliard julliard at winehq.org
Tue Nov 3 15:37:15 CST 2009


Module: wine
Branch: master
Commit: 16036dd27a746b1b42d1a905107c140ed4d8e242
URL:    http://source.winehq.org/git/wine.git/?a=commit;h=16036dd27a746b1b42d1a905107c140ed4d8e242

Author: Juan Lang <juan.lang at gmail.com>
Date:   Fri Oct 30 14:09:57 2009 -0700

crypt32: Allow errors in locally installed root certs.

---

 dlls/crypt32/rootstore.c |   20 +++++++++++++++++---
 1 files changed, 17 insertions(+), 3 deletions(-)

diff --git a/dlls/crypt32/rootstore.c b/dlls/crypt32/rootstore.c
index bd6dfac..a4a75ab 100644
--- a/dlls/crypt32/rootstore.c
+++ b/dlls/crypt32/rootstore.c
@@ -261,9 +261,23 @@ static void check_and_store_certs(HCERTSTORE from, HCERTSTORE to)
                      "chain creation failed");
                 else
                 {
-                    /* The only allowed error is CERT_TRUST_IS_UNTRUSTED_ROOT */
-                    if (chain->TrustStatus.dwErrorStatus &
-                     ~CERT_TRUST_IS_UNTRUSTED_ROOT)
+                    DWORD allowedErrors = CERT_TRUST_IS_UNTRUSTED_ROOT |
+                     CERT_TRUST_IS_NOT_VALID_FOR_USAGE |
+                     CERT_TRUST_INVALID_BASIC_CONSTRAINTS |
+                     CERT_TRUST_IS_NOT_TIME_VALID;
+
+                    /* The certificate chain verification only allows certain
+                     * invalid CA certs if they're installed locally:  CA
+                     * certs missing the key usage extension, and CA certs
+                     * missing the basic constraints extension.  Of course
+                     * there's a chicken and egg problem:  we have to accept
+                     * them here in order for them to be accepted later.
+                     * Expired, locally installed certs are also allowed here,
+                     * because we don't know (yet) what date will be checked
+                     * for an item signed by one of these certs.
+                     * Thus, accept certs with any of the allowed errors.
+                     */
+                    if (chain->TrustStatus.dwErrorStatus & ~allowedErrors)
                         TRACE("rejecting %s: %s\n", get_cert_common_name(cert),
                          trust_status_to_str(chain->TrustStatus.dwErrorStatus &
                          ~CERT_TRUST_IS_UNTRUSTED_ROOT));
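Review bot: the rejection TRACE at the end of the hunk still masks with `~CERT_TRUST_IS_UNTRUSTED_ROOT` while the condition just above it now tests `chain->TrustStatus.dwErrorStatus & ~allowedErrors`, so the log for a rejected cert will also list the three newly tolerated flags (CERT_TRUST_IS_NOT_VALID_FOR_USAGE, CERT_TRUST_INVALID_BASIC_CONSTRAINTS, CERT_TRUST_IS_NOT_TIME_VALID) whenever they happen to be set, hiding which flag actually caused the rejection. Suggest passing `chain->TrustStatus.dwErrorStatus & ~allowedErrors` to trust_status_to_str so the trace and the check agree. The block comment would also benefit from naming the flag each tolerated condition maps to (missing key usage -> CERT_TRUST_IS_NOT_VALID_FOR_USAGE, missing basic constraints -> CERT_TRUST_INVALID_BASIC_CONSTRAINTS, expiry -> CERT_TRUST_IS_NOT_TIME_VALID), since this mask is what decides which malformed or expired CA certs enter the root store and a reader should not have to infer the mapping.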