wintrust: Check that the end certificate in the chain isn't disallowed to match native behavior.
This commit is contained in:
parent
2844cb5a65
commit
036128842a
|
@ -783,6 +783,38 @@ HRESULT WINAPI SoftpubAuthenticode(CRYPT_PROVIDER_DATA *data)
|
|||
|
||||
ret = TRUE;
|
||||
for (i = 0; ret && i < data->csSigners; i++)
|
||||
{
|
||||
BYTE hash[20];
|
||||
DWORD size = sizeof(hash);
|
||||
|
||||
/* First make sure cert isn't disallowed */
|
||||
if ((ret = CertGetCertificateContextProperty(
|
||||
data->pasSigners[i].pasCertChain[0].pCert,
|
||||
CERT_SIGNATURE_HASH_PROP_ID, hash, &size)))
|
||||
{
|
||||
static const WCHAR disallowedW[] =
|
||||
{ 'D','i','s','a','l','l','o','w','e','d',0 };
|
||||
HCERTSTORE disallowed = CertOpenStore(CERT_STORE_PROV_SYSTEM_W,
|
||||
X509_ASN_ENCODING, 0, CERT_SYSTEM_STORE_CURRENT_USER,
|
||||
disallowedW);
|
||||
|
||||
if (disallowed)
|
||||
{
|
||||
PCCERT_CONTEXT found = CertFindCertificateInStore(
|
||||
disallowed, X509_ASN_ENCODING, 0, CERT_FIND_SIGNATURE_HASH,
|
||||
hash, NULL);
|
||||
|
||||
if (found)
|
||||
{
|
||||
/* Disallowed! Can't verify it. */
|
||||
policyStatus.dwError = TRUST_E_SUBJECT_NOT_TRUSTED;
|
||||
ret = FALSE;
|
||||
CertFreeCertificateContext(found);
|
||||
}
|
||||
CertCloseStore(disallowed, 0);
|
||||
}
|
||||
}
|
||||
if (ret)
|
||||
{
|
||||
CERT_CHAIN_POLICY_PARA policyPara = { sizeof(policyPara), 0 };
|
||||
|
||||
|
@ -807,6 +839,7 @@ HRESULT WINAPI SoftpubAuthenticode(CRYPT_PROVIDER_DATA *data)
|
|||
ret = FALSE;
|
||||
}
|
||||
}
|
||||
}
|
||||
if (!ret)
|
||||
data->padwTrustStepErrors[TRUSTERROR_STEP_FINAL_POLICYPROV] =
|
||||
policyStatus.dwError;
|
||||
|
|
Loading…
Reference in New Issue