Juan Lang : crypt32: Accept CA certificates without a key usage extension.

Alexandre Julliard julliard at winehq.org
Tue Apr 5 11:23:30 CDT 2011


Module: wine
Branch: master
Commit: 7871a9f85880e3bbe74d6b9ed614719210e0bfba
URL:    http://source.winehq.org/git/wine.git/?a=commit;h=7871a9f85880e3bbe74d6b9ed614719210e0bfba

Author: Juan Lang <juan.lang at gmail.com>
Date:   Mon Apr  4 09:03:28 2011 -0700

crypt32: Accept CA certificates without a key usage extension.

---

 dlls/crypt32/chain.c |   26 +++++---------------------
 1 files changed, 5 insertions(+), 21 deletions(-)

diff --git a/dlls/crypt32/chain.c b/dlls/crypt32/chain.c
index ca76cef..8af49f4 100644
--- a/dlls/crypt32/chain.c
+++ b/dlls/crypt32/chain.c
@@ -1760,28 +1760,12 @@ static BOOL CRYPT_KeyUsageValid(PCertificateChainEngine engine,
              * extensions as CA certs.  V1 and V2 certificates did not have
              * extensions, and many root certificates are V1 certificates, so
              * perhaps this is prudent.  On the other hand, MS also accepts V3
-             * certs without key usage extensions.  We are more restrictive:
-             * we accept locally installed V1 or V2 certs as CA certs.
-             * We also accept a lack of key usage extension on root certs,
-             * which is implied in RFC 5280, section 6.1:  the trust anchor's
-             * only requirement is that it was used to issue the next
-             * certificate in the chain.
+             * certs without key usage extensions.  Because some CAs, e.g.
+             * Certum, also do not include key usage extensions in their
+             * intermediate certificates, we are forced to accept V3
+             * certificates without key usage extensions as well.
              */
-            if (isRoot)
-                ret = TRUE;
-            else if (cert->pCertInfo->dwVersion == CERT_V1 ||
-             cert->pCertInfo->dwVersion == CERT_V2)
-            {
-                PCCERT_CONTEXT localCert = CRYPT_FindCertInStore(
-                 engine->hWorld, cert);
-
-                ret = localCert != NULL;
-                CertFreeCertificateContext(localCert);
-            }
-            else
-                ret = FALSE;
-            if (!ret)
-                WARN_(chain)("no key usage extension on a CA cert\n");
+            ret = TRUE;
         }
         else
         {
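Review bot: The unconditional `ret = TRUE;` in the no-key-usage branch drops the `WARN_(chain)("no key usage extension on a CA cert\n")` trace together with the restrictions, so a chain that validates only because of this relaxation leaves nothing in the log. Keeping a WARN or TRACE on this path would make such chains diagnosable. The change also removes the `CRYPT_FindCertInStore(engine->hWorld, cert)` requirement for V1/V2 certificates, which is wider than the reason the new comment gives (V3 intermediates such as Certum's). The surrounding comment notes that V1 and V2 certificates have no extensions at all, so for them this function no longer separates a CA certificate from any other certificate. Either keep the local-store check for V1/V2 and relax only the V3 case, or extend the comment to name the other check the chain engine relies on to reject non-CA issuers. `isRoot` is also no longer consulted in this branch.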



