crypt32: Improve error checking for the base policy.
parent
c4c70b608c
commit
966d722752
|
@ -2904,7 +2904,12 @@ static BOOL WINAPI verify_base_policy(LPCSTR szPolicyOID,
|
|||
PCCERT_CHAIN_CONTEXT pChainContext, PCERT_CHAIN_POLICY_PARA pPolicyPara,
|
||||
PCERT_CHAIN_POLICY_STATUS pPolicyStatus)
|
||||
{
|
||||
DWORD checks = 0;
|
||||
|
||||
if (pPolicyPara)
|
||||
checks = pPolicyPara->dwFlags;
|
||||
pPolicyStatus->lChainIndex = pPolicyStatus->lElementIndex = -1;
|
||||
pPolicyStatus->dwError = NO_ERROR;
|
||||
if (pChainContext->TrustStatus.dwErrorStatus &
|
||||
CERT_TRUST_IS_NOT_SIGNATURE_VALID)
|
||||
{
|
||||
|
@ -2913,14 +2918,6 @@ static BOOL WINAPI verify_base_policy(LPCSTR szPolicyOID,
|
|||
CERT_TRUST_IS_NOT_SIGNATURE_VALID, &pPolicyStatus->lChainIndex,
|
||||
&pPolicyStatus->lElementIndex);
|
||||
}
|
||||
else if (pChainContext->TrustStatus.dwErrorStatus &
|
||||
CERT_TRUST_IS_UNTRUSTED_ROOT)
|
||||
{
|
||||
pPolicyStatus->dwError = CERT_E_UNTRUSTEDROOT;
|
||||
find_element_with_error(pChainContext,
|
||||
CERT_TRUST_IS_UNTRUSTED_ROOT, &pPolicyStatus->lChainIndex,
|
||||
&pPolicyStatus->lElementIndex);
|
||||
}
|
||||
else if (pChainContext->TrustStatus.dwErrorStatus & CERT_TRUST_IS_CYCLIC)
|
||||
{
|
||||
pPolicyStatus->dwError = CERT_E_CHAINING;
|
||||
|
@ -2929,8 +2926,33 @@ static BOOL WINAPI verify_base_policy(LPCSTR szPolicyOID,
|
|||
/* For a cyclic chain, which element is a cycle isn't meaningful */
|
||||
pPolicyStatus->lElementIndex = -1;
|
||||
}
|
||||
else
|
||||
pPolicyStatus->dwError = NO_ERROR;
|
||||
if (!pPolicyStatus->dwError &&
|
||||
pChainContext->TrustStatus.dwErrorStatus & CERT_TRUST_IS_UNTRUSTED_ROOT &&
|
||||
!(checks & CERT_CHAIN_POLICY_ALLOW_UNKNOWN_CA_FLAG))
|
||||
{
|
||||
pPolicyStatus->dwError = CERT_E_UNTRUSTEDROOT;
|
||||
find_element_with_error(pChainContext,
|
||||
CERT_TRUST_IS_UNTRUSTED_ROOT, &pPolicyStatus->lChainIndex,
|
||||
&pPolicyStatus->lElementIndex);
|
||||
}
|
||||
if (!pPolicyStatus->dwError &&
|
||||
pChainContext->TrustStatus.dwErrorStatus & CERT_TRUST_IS_NOT_TIME_VALID)
|
||||
{
|
||||
pPolicyStatus->dwError = CERT_E_EXPIRED;
|
||||
find_element_with_error(pChainContext,
|
||||
CERT_TRUST_IS_NOT_TIME_VALID, &pPolicyStatus->lChainIndex,
|
||||
&pPolicyStatus->lElementIndex);
|
||||
}
|
||||
if (!pPolicyStatus->dwError &&
|
||||
pChainContext->TrustStatus.dwErrorStatus &
|
||||
CERT_TRUST_IS_NOT_VALID_FOR_USAGE &&
|
||||
!(checks & CERT_CHAIN_POLICY_IGNORE_WRONG_USAGE_FLAG))
|
||||
{
|
||||
pPolicyStatus->dwError = CERT_E_WRONG_USAGE;
|
||||
find_element_with_error(pChainContext,
|
||||
CERT_TRUST_IS_NOT_VALID_FOR_USAGE, &pPolicyStatus->lChainIndex,
|
||||
&pPolicyStatus->lElementIndex);
|
||||
}
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
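Review bot: The `CERT_TRUST_IS_NOT_TIME_VALID` branch in verify_base_policy is the only one of the three new checks that does not test `checks`, so `CERT_E_EXPIRED` is reported even when the caller passes `CERT_CHAIN_POLICY_IGNORE_NOT_TIME_VALID_FLAG`, which check_base_policy does set in the test file. The updated test expectations still list `CERT_E_EXPIRED` for the ignored-date cases, so this may be intentional, but nothing in the function says so; a comment above the branch such as `/* CERT_CHAIN_POLICY_IGNORE_NOT_TIME_VALID_FLAG is not consulted here; expiry is always reported. */` would keep a later reader from treating it as an oversight. A one-line comment before `return TRUE;` should also note that any other bit in `TrustStatus.dwErrorStatus` leaves `dwError` at `NO_ERROR`, because callers that treat this status as the trust decision get a pass by default for every condition the function does not map.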
|
|
|
@ -3745,11 +3745,6 @@ static const ChainPolicyCheck basePolicyCheck[] = {
|
|||
{ 0, CERT_E_UNTRUSTEDROOT, 0, 0, NULL }, NULL, 0 },
|
||||
};
|
||||
|
||||
static const ChainPolicyCheck ignoredUnknownCABasePolicyCheck = {
|
||||
{ sizeof(chain0) / sizeof(chain0[0]), chain0 },
|
||||
{ 0, CERT_E_EXPIRED, 0, 0, NULL }, NULL, TODO_ERROR
|
||||
};
|
||||
|
||||
/* Windows NT 4 has a different error code when the validity period doesn't
|
||||
* nest. (It's arguably more correct than other Windows versions, but since
|
||||
* others do not emulate its behavior, we mark its behavior broken.)
|
||||
|
@ -3759,12 +3754,12 @@ static const CERT_CHAIN_POLICY_STATUS badDateNestingStatus =
|
|||
|
||||
static const ChainPolicyCheck ignoredBadDateNestingBasePolicyCheck = {
|
||||
{ sizeof(chain2) / sizeof(chain2[0]), chain2 },
|
||||
{ 0, CERT_E_EXPIRED, 0, 1, NULL}, &badDateNestingStatus, TODO_ERROR
|
||||
{ 0, CERT_E_EXPIRED, 0, 1, NULL}, &badDateNestingStatus, TODO_ELEMENTS
|
||||
};
|
||||
|
||||
static const ChainPolicyCheck ignoredInvalidDateBasePolicyCheck = {
|
||||
{ sizeof(googleChain) / sizeof(googleChain[0]), googleChain },
|
||||
{ 0, CERT_E_EXPIRED, 0, 1, NULL}, NULL, TODO_ERROR
|
||||
{ 0, CERT_E_EXPIRED, 0, 1, NULL}, NULL, TODO_ELEMENTS
|
||||
};
|
||||
|
||||
static const ChainPolicyCheck ignoredInvalidUsageBasePolicyCheck = {
|
||||
|
@ -3774,7 +3769,7 @@ static const ChainPolicyCheck ignoredInvalidUsageBasePolicyCheck = {
|
|||
|
||||
static const ChainPolicyCheck invalidUsageBasePolicyCheck = {
|
||||
{ sizeof(chain15) / sizeof(chain15[0]), chain15 },
|
||||
{ 0, CERT_E_WRONG_USAGE, 0, 1, NULL}, NULL, TODO_ERROR
|
||||
{ 0, CERT_E_WRONG_USAGE, 0, 1, NULL}, NULL, 0
|
||||
};
|
||||
|
||||
static const ChainPolicyCheck sslPolicyCheck[] = {
|
||||
|
@ -4083,7 +4078,7 @@ static void check_base_policy(void)
|
|||
policyPara.cbSize = sizeof(policyPara);
|
||||
policyPara.dwFlags = CERT_CHAIN_POLICY_ALLOW_UNKNOWN_CA_FLAG;
|
||||
checkChainPolicyStatus(CERT_CHAIN_POLICY_BASE, NULL,
|
||||
&ignoredUnknownCABasePolicyCheck, 0, &oct2007, &policyPara);
|
||||
&ignoredUnknownCAPolicyCheck, 0, &oct2007, &policyPara);
|
||||
policyPara.dwFlags = CERT_CHAIN_POLICY_ALLOW_UNKNOWN_CA_FLAG |
|
||||
CERT_CHAIN_POLICY_IGNORE_NOT_TIME_VALID_FLAG;
|
||||
checkChainPolicyStatus(CERT_CHAIN_POLICY_BASE, NULL,
|
||||
|
|