crypt32(15/17): Defer checking signatures until chain is complete

Thu Sep 6 12:09:57 CDT 2007

--Juan
-------------- next part --------------
From e97995931fd3f452b76d1fcb7ad0d4eb8a919ecb Mon Sep 17 00:00:00 2001
From: Juan Lang <juan.lang at gmail.com>
Date: Thu, 6 Sep 2007 10:02:11 -0700
Subject: [PATCH] Defer checking signatures until chain is complete
---
 dlls/crypt32/chain.c |   23 +++++++++++------------
 1 files changed, 11 insertions(+), 12 deletions(-)

diff --git a/dlls/crypt32/chain.c b/dlls/crypt32/chain.c
index 4cf74a6..98b69b9 100644
--- a/dlls/crypt32/chain.c
+++ b/dlls/crypt32/chain.c
@@ -252,16 +252,6 @@ static inline BOOL CRYPT_IsSimpleChainCy
         return FALSE;
 }
 
-/* Gets cert's issuer from store, and returns the validity flags associated
- * with it.  Returns NULL if no issuer signature could be found.
- */
-static PCCERT_CONTEXT CRYPT_GetIssuerFromStore(HCERTSTORE store,
- PCCERT_CONTEXT cert, PDWORD pdwFlags)
-{
-    *pdwFlags = CERT_STORE_SIGNATURE_FLAG;
-    return CertGetIssuerCertificateFromStore(store, cert, NULL, pdwFlags);
-}
-
 static inline void CRYPT_CombineTrustStatus(CERT_TRUST_STATUS *chainStatus,
  CERT_TRUST_STATUS *elementStatus)
 {
@@ -482,6 +472,14 @@ static void CRYPT_CheckSimpleChain(PCert
              CERT_TRUST_IS_NOT_TIME_VALID;
         if (i != 0)
         {
+            /* Check the signature of the cert this issued */
+            if (!CryptVerifyCertificateSignatureEx(0, X509_ASN_ENCODING,
+             CRYPT_VERIFY_CERT_SIGN_SUBJECT_CERT,
+             (void *)chain->rgpElement[i - 1]->pCertContext,
+             CRYPT_VERIFY_CERT_SIGN_ISSUER_CERT,
+             (void *)chain->rgpElement[i]->pCertContext, 0, NULL))
+                chain->rgpElement[i - 1]->TrustStatus.dwErrorStatus |=
+                 CERT_TRUST_IS_NOT_SIGNATURE_VALID;
             /* Once a path length constraint has been violated, every remaining
              * CA cert's basic constraints is considered invalid.
              */
@@ -525,8 +523,9 @@ static BOOL CRYPT_BuildSimpleChain(PCert
     while (ret && !CRYPT_IsSimpleChainCyclic(chain) &&
      !CRYPT_IsCertificateSelfSigned(cert))
     {
-        DWORD flags;
-        PCCERT_CONTEXT issuer = CRYPT_GetIssuerFromStore(world, cert, &flags);
+        DWORD flags = 0;
+        PCCERT_CONTEXT issuer =
+         CertGetIssuerCertificateFromStore(world, cert, NULL, &flags);
 
         if (issuer)
         {
-- 
1.4.1
