Juan Lang
|
1a392e1a30
|
crypt32: Support checking the requested usage for a chain.
|
2009-11-21 14:31:44 +01:00 |
Juan Lang
|
30de103485
|
crypt32: Only trace a usage match if it's not empty.
|
2009-11-21 14:31:44 +01:00 |
Juan Lang
|
a3c6bc68c8
|
crypt32: Assume revocation server is offline if revocation status isn't known.
|
2009-11-20 11:14:52 +01:00 |
Juan Lang
|
9e1d31e5e5
|
crypt32: Fix a typo.
|
2009-11-20 11:14:47 +01:00 |
Juan Lang
|
96073d5129
|
crypt32: Remove an unnecessary test for the extended key usage extension in CA certificates.
|
2009-11-18 11:09:20 +01:00 |
Juan Lang
|
d6958d7660
|
crypt32: Trace reasons for name constraint failure.
|
2009-11-18 11:09:08 +01:00 |
Juan Lang
|
1db8a6abda
|
crypt32: Only fail directory name comparison if a directory name constraint is present and doesn't match.
|
2009-11-18 11:09:02 +01:00 |
Juan Lang
|
a63affe5e0
|
crypt32: Don't apply directory name constraints to an empty subject name.
|
2009-11-18 11:08:55 +01:00 |
Juan Lang
|
c464875a6d
|
crypt32: Accept a certificate if its name matches any permitted subtree of a name constraint.
|
2009-11-18 11:08:49 +01:00 |
Juan Lang
|
d6f7d06cad
|
crypt32: Check email address in subject name against rfc822 name constraints.
|
2009-11-18 11:08:44 +01:00 |
Juan Lang
|
e4c03521ac
|
crypt32: Apply name constraints to subject name.
|
2009-11-18 11:08:37 +01:00 |
Juan Lang
|
6f35ae25b8
|
crypt32: Use helper function to compare a subject alternate name with name constraints.
|
2009-11-18 11:08:32 +01:00 |
Juan Lang
|
a98dad4f93
|
crypt32: Only apply a name constraint if the name form is present.
|
2009-11-18 11:08:25 +01:00 |
Juan Lang
|
f6d3348b7c
|
crypt32: Partially implement checking name constraints with directory names.
|
2009-11-18 11:08:20 +01:00 |
Juan Lang
|
7c44544a6d
|
crypt32: Use helper functions to match excluded and permitted subtrees of name constraints.
|
2009-11-18 11:08:14 +01:00 |
Juan Lang
|
9a40de08de
|
crypt32: Let caller set error codes when name constraints aren't met.
|
2009-11-18 11:08:08 +01:00 |
Juan Lang
|
f8044948ba
|
crypt32: Remove an unnecessary if.
|
2009-11-18 11:08:01 +01:00 |
Juan Lang
|
8585203103
|
crypt32: Prohibit name constraints that contain neither an excluded nor a permitted subtree.
|
2009-11-18 11:07:53 +01:00 |
Juan Lang
|
1974e61b59
|
crypt32: Correctly match subdomains with dns name constraints.
|
2009-11-17 12:05:11 +01:00 |
Juan Lang
|
b74ef17efc
|
crypt32: If a hostname in a URI or rfc822 name constraint doesn't begin with '.', a match must be exact.
|
2009-11-17 12:05:04 +01:00 |
Juan Lang
|
e82005fe2d
|
crypt32: Only compare the hostname portion of a URL when checking against a name constraint.
|
2009-11-17 12:04:58 +01:00 |
Juan Lang
|
3c8a04f12f
|
crypt32: Include name constraints errors in the chain's error status.
|
2009-11-17 12:04:52 +01:00 |
Juan Lang
|
f9ad32f0ad
|
crypt32: Trace method used to find an issuer.
|
2009-11-17 12:04:46 +01:00 |
Juan Lang
|
f6c4824675
|
crypt32: Update a comment.
|
2009-11-16 11:34:04 +01:00 |
Juan Lang
|
c4b997bab3
|
crypt32: Set CERT_TRUST_HAS_VALID_NAME_CONSTRAINTS when a certificate's name constraints are met.
|
2009-11-16 11:33:58 +01:00 |
Juan Lang
|
21ecc84620
|
crypt32: Accept any matching dNSName in a subject alternate name.
|
2009-11-13 11:52:25 +01:00 |
Juan Lang
|
b91d0c8bde
|
crypt32: Implement matching a certificate with a wildcard in its name.
|
2009-11-13 11:52:24 +01:00 |
Juan Lang
|
300d5fe5c4
|
crypt32: Correct error when a matching name constraint is found.
|
2009-11-11 10:55:44 +01:00 |
Juan Lang
|
bdbee82c42
|
crypt32: Trace cert version.
|
2009-11-11 10:54:38 +01:00 |
Juan Lang
|
7eb33b18da
|
crypt32: Update a comment to reflect a fixed vulnerability.
|
2009-11-11 10:53:56 +01:00 |
Juan Lang
|
ee02d43731
|
crypt32: Correct error when a constrained, permitted name type isn't found in the subject name.
|
2009-11-10 13:08:31 +01:00 |
Juan Lang
|
2503e9ec73
|
crypt32: Use helper function to find the subject alternate name extension wherever it's needed.
|
2009-11-10 13:08:26 +01:00 |
Juan Lang
|
ae6e884142
|
crypt32: Correct error when the subject alternate name can't be decoded.
|
2009-11-10 13:08:20 +01:00 |
Juan Lang
|
865f3df35b
|
crypt32: Check the issued certificate for name constraint violations, not the issuing certificate.
|
2009-11-10 13:08:14 +01:00 |
Juan Lang
|
216df7a714
|
crypt32: Reject certificates whose fields don't match their versions.
|
2009-11-10 13:07:07 +01:00 |
Juan Lang
|
9fe6be454f
|
crypt32: Forbid minimum or maximum fields in name constraints.
|
2009-11-10 13:07:00 +01:00 |
Juan Lang
|
5274777b1c
|
crypt32: Permit lack of basic constraints extension on root certificates.
|
2009-11-09 19:34:36 +01:00 |
Juan Lang
|
d94e4d315a
|
crypt32: Permit lack of key usage extension on root certificates.
This reverts 60770fb011 , although it
updates the comments to give a reason. Thanks to Matt Van Gundy for
pointing it out to me.
|
2009-11-09 19:34:32 +01:00 |
Juan Lang
|
d6795bd908
|
crypt32: Trace contents of CERT_CHAIN_PARA.
|
2009-11-03 21:17:34 +01:00 |
Juan Lang
|
9750d0f7f5
|
crypt32: Trace policy error status in CertVerifyCertificateChainPolicy.
|
2009-10-30 11:32:09 +01:00 |
Juan Lang
|
07b735682b
|
crypt32: Check CA certificates for the enhanced key usage extension.
|
2009-10-30 11:26:39 +01:00 |
Juan Lang
|
60770fb011
|
crypt32: Only permit v1 or v2 CA certificates without a key usage extension if they're installed locally.
|
2009-10-30 11:26:30 +01:00 |
Juan Lang
|
7b0297769d
|
crypt32: Use a helper function to find an existing cert by hash.
|
2009-10-30 11:26:21 +01:00 |
Juan Lang
|
33a6235053
|
crypt32: Only permit v1 or v2 CA certificates without a basic constraints extension if they're installed locally.
|
2009-10-30 11:26:06 +01:00 |
Juan Lang
|
552fec4002
|
crypt32: Add basic constraints to chain quality selection algorithm.
|
2009-10-30 11:24:23 +01:00 |
Juan Lang
|
c310637f4f
|
crypt32: Remove redundant if clause.
|
2009-10-30 11:24:10 +01:00 |
Juan Lang
|
9059892ec1
|
crypt32: Implement CertVerifyCertificateChainPolicy for CERT_CHAIN_POLICY_SSL.
|
2009-10-29 13:07:53 +01:00 |
Juan Lang
|
24399bd359
|
crypt32: Support IPv6 addresses in name constraint comparison.
|
2009-10-29 13:07:20 +01:00 |
Juan Lang
|
bcb4bc6be3
|
crypt32: Trace netscape cert type extension.
|
2009-10-29 13:07:14 +01:00 |
Juan Lang
|
d664edb322
|
crypt32: Trace directory name of alt name entries.
|
2009-10-29 13:07:08 +01:00 |
Juan Lang
|
6a575d697e
|
crypt32: Accept either the subject alt name 2 or subject alt name extensions, and prefer the former when both are present.
|
2009-10-29 13:06:56 +01:00 |
Juan Lang
|
1e953ef12e
|
crypt32: Trace the alt name extensions.
|
2009-10-29 13:06:49 +01:00 |
Juan Lang
|
bf42ce9c90
|
crypt32: Trace name constraints extension.
|
2009-10-29 13:06:42 +01:00 |
Juan Lang
|
777ea81c48
|
crypt32: Trace cert policies extension.
|
2009-10-29 13:06:35 +01:00 |
Juan Lang
|
994d7ed40d
|
crypt32: Trace enhanced key usage extension.
|
2009-10-29 13:06:25 +01:00 |
Juan Lang
|
cf9491a5a3
|
crypt32: Move tracing of key usage extension to common extension tracing location.
|
2009-10-26 11:16:54 +01:00 |
Juan Lang
|
7fa618aa8e
|
crypt32: Check key usage during chain validation.
|
2009-10-21 16:21:53 +02:00 |
Juan Lang
|
cbabc9d689
|
crypt32: Get CA flag from basic constraints extension of every cert in the chain.
|
2009-10-21 16:21:40 +02:00 |
Juan Lang
|
f348e3feb7
|
crypt32: Check basic constraints extension for end certs too.
|
2009-10-21 16:21:36 +02:00 |
Juan Lang
|
87405ade02
|
crypt32: Add a safe default for unsupported critical extensions.
|
2009-10-20 13:46:55 +02:00 |
Hans Leidekker
|
2f112cf5ee
|
crypt32: CertGetCertificateChain does not validate the size of the CERT_CHAIN_PARA structure.
|
2009-09-22 16:20:58 +02:00 |
Andrew Talbot
|
5a981c3a64
|
crypt32: Constify some variables.
|
2009-06-12 17:33:14 +02:00 |
Juan Lang
|
4817fbc362
|
crypt32: Avoid reading freed memory when encountering a cyclic chain.
|
2009-02-25 12:37:06 +01:00 |
Francois Gouget
|
443fdf2731
|
crypt32: Merge two traces.
|
2009-02-18 12:17:29 +01:00 |
Juan Lang
|
b5d1bfe5ba
|
crypt32: Set the info status on the last element of a chain even if its issuer can't be found.
|
2009-02-12 11:53:22 +01:00 |
Juan Lang
|
913affe4ef
|
crypt32: Don't assume intermediate certificates are allowed to be CAs.
|
2009-02-12 11:53:18 +01:00 |
Juan Lang
|
ad2ea9d9cf
|
crypt32: Change some traces to the chain channel.
|
2009-02-12 11:53:10 +01:00 |
Juan Lang
|
e7dd46b807
|
crypt32: Add chain debugging channel for debugging certificate chaining errors.
|
2009-02-12 11:53:01 +01:00 |
Michael Stefaniuc
|
4eaaa913f8
|
crypt32: Remove some more superfluous pointer casts.
|
2009-01-26 14:31:08 +01:00 |
Juan Lang
|
558057b4b2
|
crypt32: Fix chain error status when a cert's issuer can't be found.
|
2008-10-31 12:57:25 +01:00 |
Juan Lang
|
39a7d40413
|
crypt32: Fix frequency with which chains are checked for cycles.
|
2008-10-30 11:29:37 +01:00 |
Juan Lang
|
0556e9d966
|
crypt32: Correct trust error status for cyclic chains.
|
2008-10-23 12:13:25 +02:00 |
Juan Lang
|
eeec9bf349
|
crypt32: Correct another chain status discrepancy with Windows.
|
2008-10-17 20:17:11 +02:00 |
Juan Lang
|
25698f8938
|
crypt32: Microsoft fixed a bug with name constraints, so make Wine's behavior match.
|
2008-10-17 20:17:08 +02:00 |
Juan Lang
|
cb341f3717
|
crypt32: Fix error handling for cyclic chains.
|
2008-10-09 12:29:44 +02:00 |
Juan Lang
|
71e394fb89
|
crypt32: Fix typo. Fixes Coverity item 605.
|
2008-09-10 10:40:43 +02:00 |
Michael Karcher
|
0ed076ab5c
|
crypt32: Remove duplicate MS test root key.
|
2008-06-30 15:11:12 +02:00 |
Erik de Castro Lopo
|
0ef69ef9dd
|
crypt32: Use LOWORD on LPCSTR type instead of casting to int.
|
2008-04-25 11:34:53 +02:00 |
Andrew Talbot
|
70c4b66781
|
crypt32: Assign to structs instead of using memcpy.
|
2008-02-15 12:05:47 +01:00 |
Michael Stefaniuc
|
3e005ce915
|
crypt32: Do not use an empty body in an else-statement as documentation.
|
2007-12-10 12:35:56 +01:00 |
Juan Lang
|
329761e7e1
|
crypt32: Fix a leak building an alternate chain.
|
2007-11-02 12:21:58 +01:00 |
Juan Lang
|
fc14728efc
|
crypt32: Fix a leak during chain creation.
|
2007-11-02 12:21:47 +01:00 |
Juan Lang
|
912c3e609b
|
crypt32: Implement cert chain revocation checking.
|
2007-10-24 12:33:39 +02:00 |
Juan Lang
|
9ae5ef6641
|
crypt32: Set lower quality chain count and pointer to 0 when freeing them.
|
2007-10-19 14:21:46 +02:00 |
Juan Lang
|
5d6feab0e2
|
crypt32: Don't keep a pointer to the lower quality chains when choosing a higher quality one, otherwise they'll get double-freed.
|
2007-10-19 14:21:42 +02:00 |
Juan Lang
|
7a0905128d
|
crypt32: Always set pPolicyStatus->dwError.
|
2007-10-17 13:40:41 +02:00 |
Juan Lang
|
136f033158
|
crypt32: Implement CertVerifyCertificateChain for the Microsoft root policy.
|
2007-10-16 09:35:53 +02:00 |
Juan Lang
|
9908fe9ac6
|
crypt32: Implement name constraint checking.
|
2007-10-11 22:23:58 +02:00 |
Juan Lang
|
a5833ac9f4
|
crypt32: Set subject's info status from method used to find issuer.
|
2007-09-12 11:33:11 +02:00 |
Juan Lang
|
54428bfb99
|
crypt32: Pass subject's info status when adding an issuer to a chain.
|
2007-09-12 11:33:11 +02:00 |
Juan Lang
|
5c8254886f
|
crypt32: Only decode authority key ID in subject cert once when looking for issuer.
|
2007-09-12 11:33:11 +02:00 |
Juan Lang
|
05492ae907
|
crypt32: (Re)introduce helper function to get issuer certificate.
|
2007-09-12 11:33:11 +02:00 |
Francois Gouget
|
b7bf91f5e8
|
crypt32: Fix the I_Crypt*Asn1*() prototypes. Add the i_cryptasn1tls.h header and use it.
|
2007-09-12 11:33:10 +02:00 |
Juan Lang
|
039beff441
|
crypt32: Implement CertVerifyCertificateChainPolicy for the basic constraints policy.
|
2007-09-11 12:36:41 +02:00 |
Juan Lang
|
5f06293eb1
|
crypt32: Implement CertVerifyCertificateChainPolicy for the authenticode policy.
|
2007-09-11 12:36:34 +02:00 |
Juan Lang
|
b56f0c5b68
|
crypt32: Implement CertVerifyCertificateChainPolicy for the base policy.
|
2007-09-11 12:36:27 +02:00 |
Juan Lang
|
91c76955e7
|
crypt32: Add a stub for CertVerifyCertificateChainPolicy.
|
2007-09-11 12:36:10 +02:00 |
Juan Lang
|
391f826d49
|
crypt32: Add a function to create a certificate chain engine potentially before the root store is created.
|
2007-09-11 11:50:23 +02:00 |
Juan Lang
|
5e674f3580
|
crypt32: Consider alternate issuers when building chains.
|
2007-09-10 15:50:01 +02:00 |
Juan Lang
|
1fc8c60788
|
crypt32: Flags weren't set, so don't bother passing them.
|
2007-09-10 15:49:55 +02:00 |