Juan Lang : crypt32: Add a safe default for unsupported critical extensions .
Alexandre Julliard
julliard at winehq.org
Tue Oct 20 10:33:34 CDT 2009
Module: wine
Branch: master
Commit: 87405ade02bfe5c815ae32d16453436d4e0c6e76
URL: http://source.winehq.org/git/wine.git/?a=commit;h=87405ade02bfe5c815ae32d16453436d4e0c6e76
Author: Juan Lang <juan.lang at gmail.com>
Date: Mon Oct 19 09:04:51 2009 -0700
crypt32: Add a safe default for unsupported critical extensions.
---
dlls/crypt32/chain.c | 43 +++++++++++++++++++++++++++++++++++++++++++
1 files changed, 43 insertions(+), 0 deletions(-)
diff --git a/dlls/crypt32/chain.c b/dlls/crypt32/chain.c
index fa9fdf0..c9f7618 100644
--- a/dlls/crypt32/chain.c
+++ b/dlls/crypt32/chain.c
@@ -814,6 +814,44 @@ static void dump_element(PCCERT_CONTEXT cert)
dump_extension(&cert->pCertInfo->rgExtension[i]);
}
+static BOOL CRYPT_CriticalExtensionsSupported(PCCERT_CONTEXT cert)
+{
+ BOOL ret = TRUE;
+ DWORD i;
+
+ for (i = 0; ret && i < cert->pCertInfo->cExtension; i++)
+ {
+ if (cert->pCertInfo->rgExtension[i].fCritical)
+ {
+ LPCSTR oid = cert->pCertInfo->rgExtension[i].pszObjId;
+
+ if (!strcmp(oid, szOID_BASIC_CONSTRAINTS))
+ ret = TRUE;
+ else if (!strcmp(oid, szOID_BASIC_CONSTRAINTS2))
+ ret = TRUE;
+ else if (!strcmp(oid, szOID_NAME_CONSTRAINTS))
+ ret = TRUE;
+ else if (!strcmp(oid, szOID_KEY_USAGE))
+ {
+ static int warned;
+
+ if (!warned++)
+ FIXME("key usage extension unsupported, ignoring\n");
+ ret = TRUE;
+ }
+ else if (!strcmp(oid, szOID_SUBJECT_ALT_NAME))
+ ret = TRUE;
+ else
+ {
+ FIXME("unsupported critical extension %s\n",
+ debugstr_a(oid));
+ ret = FALSE;
+ }
+ }
+ }
+ return ret;
+}
+
static void CRYPT_CheckSimpleChain(PCertificateChainEngine engine,
PCERT_SIMPLE_CHAIN chain, LPFILETIME time)
{
@@ -878,6 +916,11 @@ static void CRYPT_CheckSimpleChain(PCertificateChainEngine engine,
CERT_TRUST_INVALID_BASIC_CONSTRAINTS;
}
/* FIXME: check valid usages */
+ /* Check whether every critical extension is supported */
+ if (!CRYPT_CriticalExtensionsSupported(
+ chain->rgpElement[i]->pCertContext))
+ chain->rgpElement[i]->TrustStatus.dwErrorStatus |=
+ CERT_TRUST_INVALID_EXTENSION;
CRYPT_CombineTrustStatus(&chain->TrustStatus,
&chain->rgpElement[i]->TrustStatus);
}
More information about the wine-cvs
mailing list