crypt32: Check basic constraints extension for end certs too.

2009-10-20 18:00:45 -07:00 · 2009-10-20 18:00:45 -07:00 · f348e3feb7
parent 77fe22b226
commit f348e3feb7
1 changed files with 8 additions and 0 deletions
--- a/dlls/crypt32/chain.c
+++ b/dlls/crypt32/chain.c
@ -905,6 +905,14 @@ static void CRYPT_CheckSimpleChain(PCertificateChainEngine engine,
                constraints.dwPathLenConstraint--;
            }
        }
+        else
+        {
+            /* Check whether end cert has a basic constraints extension */
+            if (!CRYPT_DecodeBasicConstraints(
+             chain->rgpElement[i]->pCertContext, &constraints, FALSE))
+                chain->rgpElement[i]->TrustStatus.dwErrorStatus |=
+                 CERT_TRUST_INVALID_BASIC_CONSTRAINTS;
+        }
        if (CRYPT_IsSimpleChainCyclic(chain))
        {
            /* If the chain is cyclic, then the path length constraints