cryptnet: Make sure an issuer certificate can sign CRLs before looking for a CRL.

2009-12-02 16:24:48 -08:00 · 2009-12-02 16:24:48 -08:00 · 0bfb7951a4
commit 0bfb7951a4
parent 6b78e24a09
1 changed files with 43 additions and 7 deletions
--- a/dlls/cryptnet/cryptnet_main.c
+++ b/dlls/cryptnet/cryptnet_main.c
@ -1584,15 +1584,51 @@ static DWORD verify_cert_revocation(PCCERT_CONTEXT cert, DWORD index,
    {
        if (pRevPara && pRevPara->hCrlStore && pRevPara->pIssuerCert)
        {
-            PCCRL_CONTEXT crl;
+            PCERT_EXTENSION ext;
            PCCRL_CONTEXT crl = NULL;
            BOOL canSignCRLs;
-            /* If the caller was helpful enough to tell us where to find a CRL
+            /* If the caller told us about the issuer, make sure the issuer
-             * for the cert, look for one and check it.
+             * can sign CRLs before looking for one.
             */
-            crl = CertFindCRLInStore(pRevPara->hCrlStore,
+            if ((ext = CertFindExtension(szOID_KEY_USAGE,
-             cert->dwCertEncodingType,
+             pRevPara->pIssuerCert->pCertInfo->cExtension,
-             CRL_FIND_ISSUED_BY_SIGNATURE_FLAG | CRL_FIND_ISSUED_BY_AKI_FLAG,
+             pRevPara->pIssuerCert->pCertInfo->rgExtension)))
-             CRL_FIND_ISSUED_BY, pRevPara->pIssuerCert, NULL);
+            {
                CRYPT_BIT_BLOB usage;
                DWORD size = sizeof(usage);
                if (!CryptDecodeObjectEx(cert->dwCertEncodingType, X509_BITS,
                 ext->Value.pbData, ext->Value.cbData,
                 CRYPT_DECODE_NOCOPY_FLAG, NULL, &usage, &size))
                    canSignCRLs = FALSE;
                else if (usage.cbData > 2)
                {
                    /* The key usage extension only defines 9 bits => no more
                     * than 2 bytes are needed to encode all known usages.
                     */
                    canSignCRLs = FALSE;
                }
                else
                {
                    BYTE usageBits = usage.pbData[usage.cbData - 1];
                    canSignCRLs = usageBits & CERT_CRL_SIGN_KEY_USAGE;
                }
            }
            else
                canSignCRLs = TRUE;
            if (canSignCRLs)
            {
                /* If the caller was helpful enough to tell us where to find a
                 * CRL for the cert, look for one and check it.
                 */
                crl = CertFindCRLInStore(pRevPara->hCrlStore,
                 cert->dwCertEncodingType,
                 CRL_FIND_ISSUED_BY_SIGNATURE_FLAG |
                 CRL_FIND_ISSUED_BY_AKI_FLAG,
                 CRL_FIND_ISSUED_BY, pRevPara->pIssuerCert, NULL);
            }
            if (crl)
            {
                error = verify_cert_revocation_with_crl(cert, crl, index,