Juan Lang : crypt32: Improve error checking for the base policy.
Alexandre Julliard
julliard at winehq.org
Wed Oct 6 14:04:15 CDT 2010
Module: wine
Branch: master
Commit: 966d722752b659a12ffa355a1e559f94907cd66d
URL: http://source.winehq.org/git/wine.git/?a=commit;h=966d722752b659a12ffa355a1e559f94907cd66d
Author: Juan Lang <juan.lang at gmail.com>
Date: Mon Oct 4 18:16:16 2010 -0700
crypt32: Improve error checking for the base policy.
---
dlls/crypt32/chain.c | 42 ++++++++++++++++++++++++++++++++----------
dlls/crypt32/tests/chain.c | 13 ++++---------
2 files changed, 36 insertions(+), 19 deletions(-)
diff --git a/dlls/crypt32/chain.c b/dlls/crypt32/chain.c
index 4b6fdba..266e6ab 100644
--- a/dlls/crypt32/chain.c
+++ b/dlls/crypt32/chain.c
@@ -2904,7 +2904,12 @@ static BOOL WINAPI verify_base_policy(LPCSTR szPolicyOID,
PCCERT_CHAIN_CONTEXT pChainContext, PCERT_CHAIN_POLICY_PARA pPolicyPara,
PCERT_CHAIN_POLICY_STATUS pPolicyStatus)
{
+ DWORD checks = 0;
+
+ if (pPolicyPara)
+ checks = pPolicyPara->dwFlags;
pPolicyStatus->lChainIndex = pPolicyStatus->lElementIndex = -1;
+ pPolicyStatus->dwError = NO_ERROR;
if (pChainContext->TrustStatus.dwErrorStatus &
CERT_TRUST_IS_NOT_SIGNATURE_VALID)
{
@@ -2913,14 +2918,6 @@ static BOOL WINAPI verify_base_policy(LPCSTR szPolicyOID,
CERT_TRUST_IS_NOT_SIGNATURE_VALID, &pPolicyStatus->lChainIndex,
&pPolicyStatus->lElementIndex);
}
- else if (pChainContext->TrustStatus.dwErrorStatus &
- CERT_TRUST_IS_UNTRUSTED_ROOT)
- {
- pPolicyStatus->dwError = CERT_E_UNTRUSTEDROOT;
- find_element_with_error(pChainContext,
- CERT_TRUST_IS_UNTRUSTED_ROOT, &pPolicyStatus->lChainIndex,
- &pPolicyStatus->lElementIndex);
- }
else if (pChainContext->TrustStatus.dwErrorStatus & CERT_TRUST_IS_CYCLIC)
{
pPolicyStatus->dwError = CERT_E_CHAINING;
@@ -2929,8 +2926,33 @@ static BOOL WINAPI verify_base_policy(LPCSTR szPolicyOID,
/* For a cyclic chain, which element is a cycle isn't meaningful */
pPolicyStatus->lElementIndex = -1;
}
- else
- pPolicyStatus->dwError = NO_ERROR;
+ if (!pPolicyStatus->dwError &&
+ pChainContext->TrustStatus.dwErrorStatus & CERT_TRUST_IS_UNTRUSTED_ROOT &&
+ !(checks & CERT_CHAIN_POLICY_ALLOW_UNKNOWN_CA_FLAG))
+ {
+ pPolicyStatus->dwError = CERT_E_UNTRUSTEDROOT;
+ find_element_with_error(pChainContext,
+ CERT_TRUST_IS_UNTRUSTED_ROOT, &pPolicyStatus->lChainIndex,
+ &pPolicyStatus->lElementIndex);
+ }
+ if (!pPolicyStatus->dwError &&
+ pChainContext->TrustStatus.dwErrorStatus & CERT_TRUST_IS_NOT_TIME_VALID)
+ {
+ pPolicyStatus->dwError = CERT_E_EXPIRED;
+ find_element_with_error(pChainContext,
+ CERT_TRUST_IS_NOT_TIME_VALID, &pPolicyStatus->lChainIndex,
+ &pPolicyStatus->lElementIndex);
+ }
+ if (!pPolicyStatus->dwError &&
+ pChainContext->TrustStatus.dwErrorStatus &
+ CERT_TRUST_IS_NOT_VALID_FOR_USAGE &&
+ !(checks & CERT_CHAIN_POLICY_IGNORE_WRONG_USAGE_FLAG))
+ {
+ pPolicyStatus->dwError = CERT_E_WRONG_USAGE;
+ find_element_with_error(pChainContext,
+ CERT_TRUST_IS_NOT_VALID_FOR_USAGE, &pPolicyStatus->lChainIndex,
+ &pPolicyStatus->lElementIndex);
+ }
return TRUE;
}
diff --git a/dlls/crypt32/tests/chain.c b/dlls/crypt32/tests/chain.c
index 5ee5050..9fe24b6 100644
--- a/dlls/crypt32/tests/chain.c
+++ b/dlls/crypt32/tests/chain.c
@@ -3745,11 +3745,6 @@ static const ChainPolicyCheck basePolicyCheck[] = {
{ 0, CERT_E_UNTRUSTEDROOT, 0, 0, NULL }, NULL, 0 },
};
-static const ChainPolicyCheck ignoredUnknownCABasePolicyCheck = {
- { sizeof(chain0) / sizeof(chain0[0]), chain0 },
- { 0, CERT_E_EXPIRED, 0, 0, NULL }, NULL, TODO_ERROR
-};
-
/* Windows NT 4 has a different error code when the validity period doesn't
* nest. (It's arguably more correct than other Windows versions, but since
* others do not emulate its behavior, we mark its behavior broken.)
@@ -3759,12 +3754,12 @@ static const CERT_CHAIN_POLICY_STATUS badDateNestingStatus =
static const ChainPolicyCheck ignoredBadDateNestingBasePolicyCheck = {
{ sizeof(chain2) / sizeof(chain2[0]), chain2 },
- { 0, CERT_E_EXPIRED, 0, 1, NULL}, &badDateNestingStatus, TODO_ERROR
+ { 0, CERT_E_EXPIRED, 0, 1, NULL}, &badDateNestingStatus, TODO_ELEMENTS
};
static const ChainPolicyCheck ignoredInvalidDateBasePolicyCheck = {
{ sizeof(googleChain) / sizeof(googleChain[0]), googleChain },
- { 0, CERT_E_EXPIRED, 0, 1, NULL}, NULL, TODO_ERROR
+ { 0, CERT_E_EXPIRED, 0, 1, NULL}, NULL, TODO_ELEMENTS
};
static const ChainPolicyCheck ignoredInvalidUsageBasePolicyCheck = {
@@ -3774,7 +3769,7 @@ static const ChainPolicyCheck ignoredInvalidUsageBasePolicyCheck = {
static const ChainPolicyCheck invalidUsageBasePolicyCheck = {
{ sizeof(chain15) / sizeof(chain15[0]), chain15 },
- { 0, CERT_E_WRONG_USAGE, 0, 1, NULL}, NULL, TODO_ERROR
+ { 0, CERT_E_WRONG_USAGE, 0, 1, NULL}, NULL, 0
};
static const ChainPolicyCheck sslPolicyCheck[] = {
@@ -4083,7 +4078,7 @@ static void check_base_policy(void)
policyPara.cbSize = sizeof(policyPara);
policyPara.dwFlags = CERT_CHAIN_POLICY_ALLOW_UNKNOWN_CA_FLAG;
checkChainPolicyStatus(CERT_CHAIN_POLICY_BASE, NULL,
- &ignoredUnknownCABasePolicyCheck, 0, &oct2007, &policyPara);
+ &ignoredUnknownCAPolicyCheck, 0, &oct2007, &policyPara);
policyPara.dwFlags = CERT_CHAIN_POLICY_ALLOW_UNKNOWN_CA_FLAG |
CERT_CHAIN_POLICY_IGNORE_NOT_TIME_VALID_FLAG;
checkChainPolicyStatus(CERT_CHAIN_POLICY_BASE, NULL,
More information about the wine-cvs
mailing list