crypt32: Add basic constraints to chain quality selection algorithm.

dlls/crypt32/chain.c

@@ -1704,14 +1704,16 @@ static PCertificateChain CRYPT_BuildAlternateContextFromChain(
     return alternate;
 }
 
-#define CHAIN_QUALITY_SIGNATURE_VALID 8
+#define CHAIN_QUALITY_SIGNATURE_VALID   0x16
-#define CHAIN_QUALITY_TIME_VALID      4
+#define CHAIN_QUALITY_TIME_VALID        8
-#define CHAIN_QUALITY_COMPLETE_CHAIN  2
+#define CHAIN_QUALITY_COMPLETE_CHAIN    4
-#define CHAIN_QUALITY_TRUSTED_ROOT    1
+#define CHAIN_QUALITY_BASIC_CONSTRAINTS 2
+#define CHAIN_QUALITY_TRUSTED_ROOT      1
 
 #define CHAIN_QUALITY_HIGHEST \
  CHAIN_QUALITY_SIGNATURE_VALID | CHAIN_QUALITY_TIME_VALID | \
- CHAIN_QUALITY_COMPLETE_CHAIN | CHAIN_QUALITY_TRUSTED_ROOT
+ CHAIN_QUALITY_COMPLETE_CHAIN | CHAIN_QUALITY_BASIC_CONSTRAINTS | \
+ CHAIN_QUALITY_TRUSTED_ROOT
 
 #define IS_TRUST_ERROR_SET(TrustStatus, bits) \
  (TrustStatus)->dwErrorStatus & (bits)
@@ -1723,6 +1725,9 @@ static DWORD CRYPT_ChainQuality(const CertificateChain *chain)
     if (IS_TRUST_ERROR_SET(&chain->context.TrustStatus,
      CERT_TRUST_IS_UNTRUSTED_ROOT))
         quality &= ~CHAIN_QUALITY_TRUSTED_ROOT;
+    if (IS_TRUST_ERROR_SET(&chain->context.TrustStatus,
+     CERT_TRUST_INVALID_BASIC_CONSTRAINTS))
+        quality &= ~CHAIN_QUALITY_BASIC_CONSTRAINTS;
     if (IS_TRUST_ERROR_SET(&chain->context.TrustStatus,
      CERT_TRUST_IS_PARTIAL_CHAIN))
         quality &= ~CHAIN_QUALITY_COMPLETE_CHAIN;