crypt32: Allow errors in locally installed root certs.

2009-10-30 14:09:57 -07:00 · 2009-10-30 14:09:57 -07:00 · 16036dd27a
parent d6795bd908
commit 16036dd27a
1 changed files with 17 additions and 3 deletions
--- a/dlls/crypt32/rootstore.c
+++ b/dlls/crypt32/rootstore.c
@ -261,9 +261,23 @@ static void check_and_store_certs(HCERTSTORE from, HCERTSTORE to)
                     "chain creation failed");
                else
                {
-                    /* The only allowed error is CERT_TRUST_IS_UNTRUSTED_ROOT */
-                    if (chain->TrustStatus.dwErrorStatus &
-                     ~CERT_TRUST_IS_UNTRUSTED_ROOT)
+                    DWORD allowedErrors = CERT_TRUST_IS_UNTRUSTED_ROOT |
+                     CERT_TRUST_IS_NOT_VALID_FOR_USAGE |
+                     CERT_TRUST_INVALID_BASIC_CONSTRAINTS |
+                     CERT_TRUST_IS_NOT_TIME_VALID;
+
+                    /* The certificate chain verification only allows certain
+                     * invalid CA certs if they're installed locally:  CA
+                     * certs missing the key usage extension, and CA certs
+                     * missing the basic constraints extension.  Of course
+                     * there's a chicken and egg problem:  we have to accept
+                     * them here in order for them to be accepted later.
+                     * Expired, locally installed certs are also allowed here,
+                     * because we don't know (yet) what date will be checked
+                     * for an item signed by one of these certs.
+                     * Thus, accept certs with any of the allowed errors.
+                     */
+                    if (chain->TrustStatus.dwErrorStatus & ~allowedErrors)
                        TRACE("rejecting %s: %s\n", get_cert_common_name(cert),
                         trust_status_to_str(chain->TrustStatus.dwErrorStatus &
                         ~CERT_TRUST_IS_UNTRUSTED_ROOT));