crypt32: Accept CA certificates without a key usage extension.

Juan Lang 2011-04-04 09:03:28 -07:00 committed by Alexandre Julliard
parent b372faec3c
commit 7871a9f858
1 changed files with 5 additions and 21 deletions


@ -1760,28 +1760,12 @@ static BOOL CRYPT_KeyUsageValid(PCertificateChainEngine engine,
* extensions as CA certs. V1 and V2 certificates did not have * extensions as CA certs. V1 and V2 certificates did not have
* extensions, and many root certificates are V1 certificates, so * extensions, and many root certificates are V1 certificates, so
* perhaps this is prudent. On the other hand, MS also accepts V3 * perhaps this is prudent. On the other hand, MS also accepts V3
* certs without key usage extensions. We are more restrictive: * certs without key usage extensions. Because some CAs, e.g.
* we accept locally installed V1 or V2 certs as CA certs. * Certum, also do not include key usage extensions in their
* We also accept a lack of key usage extension on root certs, * intermediate certificates, we are forced to accept V3
* which is implied in RFC 5280, section 6.1: the trust anchor's * certificates without key usage extensions as well.
* only requirement is that it was used to issue the next
* certificate in the chain.
*/ */
if (isRoot)
ret = TRUE; ret = TRUE;
else if (cert->pCertInfo->dwVersion == CERT_V1 ||
cert->pCertInfo->dwVersion == CERT_V2)
{
PCCERT_CONTEXT localCert = CRYPT_FindCertInStore(
engine->hWorld, cert);
ret = localCert != NULL;
CertFreeCertificateContext(localCert);
}
else
ret = FALSE;
if (!ret)
WARN_(chain)("no key usage extension on a CA cert\n");
} }
else else
{ {