crypt32: Handle CERT_CHAIN_POLICY_IGNORE_NOT_TIME_VALID_FLAG when verifying chain policy.

Signed-off-by: Piotr Caban <piotr@codeweavers.com> Signed-off-by: Alexandre Julliard <julliard@winehq.org>
2021-04-15 17:25:13 +02:00 · 2021-04-15 17:25:13 +02:00 · 6ac02c0cac
parent be3f6c87a0
commit 6ac02c0cac
2 changed files with 6 additions and 4 deletions
--- a/dlls/crypt32/chain.c
+++ b/dlls/crypt32/chain.c
@ -3027,7 +3027,8 @@ static BOOL WINAPI verify_base_policy(LPCSTR szPolicyOID,
         &pPolicyStatus->lElementIndex);
    }
    if (!pPolicyStatus->dwError &&
-     pChainContext->TrustStatus.dwErrorStatus & CERT_TRUST_IS_NOT_TIME_VALID)
+     pChainContext->TrustStatus.dwErrorStatus & CERT_TRUST_IS_NOT_TIME_VALID &&
+     !(checks & CERT_CHAIN_POLICY_IGNORE_NOT_TIME_VALID_FLAG))
    {
        pPolicyStatus->dwError = CERT_E_EXPIRED;
        find_element_with_error(pChainContext,
@ -3492,7 +3493,8 @@ static BOOL WINAPI verify_ssl_policy(LPCSTR szPolicyOID,
    }
    else if (pChainContext->TrustStatus.dwErrorStatus &
     CERT_TRUST_IS_NOT_TIME_VALID &&
-     !(checks & SECURITY_FLAG_IGNORE_CERT_DATE_INVALID))
+     !(checks & SECURITY_FLAG_IGNORE_CERT_DATE_INVALID) &&
+     !(baseChecks & CERT_CHAIN_POLICY_IGNORE_NOT_TIME_VALID_FLAG))
    {
        pPolicyStatus->dwError = CERT_E_EXPIRED;
        find_element_with_error(pChainContext,
--- a/dlls/crypt32/tests/chain.c
+++ b/dlls/crypt32/tests/chain.c
@ -4741,12 +4741,12 @@ static const CERT_CHAIN_POLICY_STATUS badDateNestingStatus =

 static const ChainPolicyCheck ignoredBadDateNestingBasePolicyCheck = {
 { ARRAY_SIZE(chain2), chain2 },
- { 0, 0, -1, -1, NULL}, NULL, TODO_ERROR
+ { 0, 0, -1, -1, NULL}, NULL, 0
 };

 static const ChainPolicyCheck ignoredInvalidDateBasePolicyCheck = {
 { ARRAY_SIZE(googleChain), googleChain },
- { 0, 0, -1, -1, NULL}, NULL, TODO_ERROR
+ { 0, 0, -1, -1, NULL}, NULL, 0
 };

 static const ChainPolicyCheck ignoredInvalidUsageBasePolicyCheck = {