crypt32: Add basic constraints to chain quality selection algorithm.

2009-10-28 16:50:33 -07:00 · 2009-10-28 16:50:33 -07:00 · 552fec4002
parent c310637f4f
commit 552fec4002
1 changed files with 10 additions and 5 deletions
--- a/dlls/crypt32/chain.c
+++ b/dlls/crypt32/chain.c
@ -1704,14 +1704,16 @@ static PCertificateChain CRYPT_BuildAlternateContextFromChain(
    return alternate;
 }

-#define CHAIN_QUALITY_SIGNATURE_VALID 8
-#define CHAIN_QUALITY_TIME_VALID      4
-#define CHAIN_QUALITY_COMPLETE_CHAIN  2
-#define CHAIN_QUALITY_TRUSTED_ROOT    1
+#define CHAIN_QUALITY_SIGNATURE_VALID   0x16
+#define CHAIN_QUALITY_TIME_VALID        8
+#define CHAIN_QUALITY_COMPLETE_CHAIN    4
+#define CHAIN_QUALITY_BASIC_CONSTRAINTS 2
+#define CHAIN_QUALITY_TRUSTED_ROOT      1

 #define CHAIN_QUALITY_HIGHEST \
 CHAIN_QUALITY_SIGNATURE_VALID | CHAIN_QUALITY_TIME_VALID | \
- CHAIN_QUALITY_COMPLETE_CHAIN | CHAIN_QUALITY_TRUSTED_ROOT
+ CHAIN_QUALITY_COMPLETE_CHAIN | CHAIN_QUALITY_BASIC_CONSTRAINTS | \
+ CHAIN_QUALITY_TRUSTED_ROOT

 #define IS_TRUST_ERROR_SET(TrustStatus, bits) \
 (TrustStatus)->dwErrorStatus & (bits)
@ -1723,6 +1725,9 @@ static DWORD CRYPT_ChainQuality(const CertificateChain *chain)
    if (IS_TRUST_ERROR_SET(&chain->context.TrustStatus,
     CERT_TRUST_IS_UNTRUSTED_ROOT))
        quality &= ~CHAIN_QUALITY_TRUSTED_ROOT;
+    if (IS_TRUST_ERROR_SET(&chain->context.TrustStatus,
+     CERT_TRUST_INVALID_BASIC_CONSTRAINTS))
+        quality &= ~CHAIN_QUALITY_BASIC_CONSTRAINTS;
    if (IS_TRUST_ERROR_SET(&chain->context.TrustStatus,
     CERT_TRUST_IS_PARTIAL_CHAIN))
        quality &= ~CHAIN_QUALITY_COMPLETE_CHAIN;