diff --git a/dlls/crypt32/chain.c b/dlls/crypt32/chain.c
index cf244f2ac6c..4a60e9a60ff 100644
--- a/dlls/crypt32/chain.c
+++ b/dlls/crypt32/chain.c
@@ -3696,6 +3696,44 @@ static BYTE msPubKey4[] = { 0xa6,0xc6,0x48,0x4c,0xc3,0x37,0x51,0x23,0xd3,0x27,0xd7,0xb8,0x4e,0x70,0x96, 0xf0,0xa1,0x44,0x76,0xaf,0x78,0xcf,0x9a,0xe1,0x66,0x13,0x02,0x03,0x01,0x00, 0x01 }; +/* from Microsoft Root Certificate Authority 2011 */ +static BYTE msPubKey5[] = { +0x30,0x82,0x02,0x0a,0x02,0x82,0x02,0x01,0x00,0xb2,0x80,0x41,0xaa,0x35,0x38, +0x4d,0x13,0x72,0x32,0x68,0x22,0x4d,0xb8,0xb2,0xf1,0xff,0xd5,0x52,0xbc,0x6c, +0xc7,0xf5,0xd2,0x4a,0x8c,0x36,0xee,0xd1,0xc2,0x5c,0x7e,0x8c,0x8a,0xae,0xaf, +0x13,0x28,0x6f,0xc0,0x73,0xe3,0x3a,0xce,0xd0,0x25,0xa8,0x5a,0x3a,0x6d,0xef, +0xa8,0xb8,0x59,0xab,0x13,0x23,0x68,0xcd,0x0c,0x29,0x87,0xd1,0x6f,0x80,0x5c, +0x8f,0x44,0x7f,0x5d,0x90,0x01,0x52,0x58,0xac,0x51,0xc5,0x5f,0x2a,0x87,0xdc, +0xdc,0xd8,0x0a,0x1d,0xc1,0x03,0xb9,0x7b,0xb0,0x56,0xe8,0xa3,0xde,0x64,0x61, +0xc2,0x9e,0xf8,0xf3,0x7c,0xb9,0xec,0x0d,0xb5,0x54,0xfe,0x4c,0xb6,0x65,0x4f, +0x88,0xf0,0x9c,0x48,0x99,0x0c,0x42,0x0b,0x09,0x7c,0x31,0x59,0x17,0x79,0x06, +0x78,0x28,0x8d,0x89,0x3a,0x4c,0x03,0x25,0xbe,0x71,0x6a,0x5c,0x0b,0xe7,0x84, +0x60,0xa4,0x99,0x22,0xe3,0xd2,0xaf,0x84,0xa4,0xa7,0xfb,0xd1,0x98,0xed,0x0c, +0xa9,0xde,0x94,0x89,0xe1,0x0e,0xa0,0xdc,0xc0,0xce,0x99,0x3d,0xea,0x08,0x52, +0xbb,0x56,0x79,0xe4,0x1f,0x84,0xba,0x1e,0xb8,0xb4,0xc4,0x49,0x5c,0x4f,0x31, +0x4b,0x87,0xdd,0xdd,0x05,0x67,0x26,0x99,0x80,0xe0,0x71,0x11,0xa3,0xb8,0xa5, +0x41,0xe2,0xa4,0x53,0xb9,0xf7,0x32,0x29,0x83,0x0c,0x13,0xbf,0x36,0x5e,0x04, +0xb3,0x4b,0x43,0x47,0x2f,0x6b,0xe2,0x91,0x1e,0xd3,0x98,0x4f,0xdd,0x42,0x07, +0xc8,0xe8,0x1d,0x12,0xfc,0x99,0xa9,0x6b,0x3e,0x92,0x7e,0xc8,0xd6,0x69,0x3a, +0xfc,0x64,0xbd,0xb6,0x09,0x9d,0xca,0xfd,0x0c,0x0b,0xa2,0x9b,0x77,0x60,0x4b, +0x03,0x94,0xa4,0x30,0x69,0x12,0xd6,0x42,0x2d,0xc1,0x41,0x4c,0xca,0xdc,0xaa, +0xfd,0x8f,0x5b,0x83,0x46,0x9a,0xd9,0xfc,0xb1,0xd1,0xe3,0xb3,0xc9,0x7f,0x48, +0x7a,0xcd,0x24,0xf0,0x41,0x8f,0x5c,0x74,0xd0,0xac,0xb0,0x10,0x20,0x06,0x49, +0xb7,0xc7,0x2d,0x21,0xc8,0x57,0xe3,0xd0,0x86,0xf3,0x03,0x68,0xfb,0xd0,0xce, 
+0x71,0xc1,0x89,0x99,0x4a,0x64,0x01,0x6c,0xfd,0xec,0x30,0x91,0xcf,0x41,0x3c, +0x92,0xc7,0xe5,0xba,0x86,0x1d,0x61,0x84,0xc7,0x5f,0x83,0x39,0x62,0xae,0xb4, +0x92,0x2f,0x47,0xf3,0x0b,0xf8,0x55,0xeb,0xa0,0x1f,0x59,0xd0,0xbb,0x74,0x9b, +0x1e,0xd0,0x76,0xe6,0xf2,0xe9,0x06,0xd7,0x10,0xe8,0xfa,0x64,0xde,0x69,0xc6, +0x35,0x96,0x88,0x02,0xf0,0x46,0xb8,0x3f,0x27,0x99,0x6f,0xcb,0x71,0x89,0x29, +0x35,0xf7,0x48,0x16,0x02,0x35,0x8f,0xd5,0x79,0x7c,0x4d,0x02,0xcf,0x5f,0xeb, +0x8a,0x83,0x4f,0x45,0x71,0x88,0xf9,0xa9,0x0d,0x4e,0x72,0xe9,0xc2,0x9c,0x07, +0xcf,0x49,0x1b,0x4e,0x04,0x0e,0x63,0x51,0x8c,0x5e,0xd8,0x00,0xc1,0x55,0x2c, +0xb6,0xc6,0xe0,0xc2,0x65,0x4e,0xc9,0x34,0x39,0xf5,0x9c,0xb3,0xc4,0x7e,0xe8, +0x61,0x6e,0x13,0x5f,0x15,0xc4,0x5f,0xd9,0x7e,0xed,0x1d,0xce,0xee,0x44,0xec, +0xcb,0x2e,0x86,0xb1,0xec,0x38,0xf6,0x70,0xed,0xab,0x5c,0x13,0xc1,0xd9,0x0f, +0x0d,0xc7,0x80,0xb2,0x55,0xed,0x34,0xf7,0xac,0x9b,0xe4,0xc3,0xda,0xe7,0x47, +0x3c,0xa6,0xb5,0x8f,0x31,0xdf,0xc5,0x4b,0xaf,0xeb,0xf1,0x02,0x03,0x01,0x00, +0x01 }; static BOOL WINAPI verify_ms_root_policy(LPCSTR szPolicyOID, PCCERT_CHAIN_CONTEXT pChainContext, PCERT_CHAIN_POLICY_PARA pPolicyPara, 
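Review bot: The `msPubKey5` bytes become a new trust anchor and cannot be verified by reading, yet the only provenance is `/* from Microsoft Root Certificate Authority 2011 */`; I would extend that comment with the certificate's thumbprint and the exact command used to extract its SubjectPublicKeyInfo (for example the openssl invocation), so a reviewer can regenerate the blob and compare it byte for byte. The DER header `0x30,0x82,0x02,0x0a` announces 522 content bytes, which matches the 526 bytes laid out over the 36 added lines, so the encoding is at least self-consistent. Like `msPubKey4` in the context lines, the array is `static BYTE` rather than `static const`, so the anchor sits in writable memory; whether it can be made `const` depends on the `pbData` type of CRYPT_DATA_BLOB, which is outside this diff. The verify_ms_root_policy signature shown at the end continues past the hunk.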
@@ -3705,21 +3743,38 @@ static BOOL WINAPI verify_ms_root_policy(LPCSTR szPolicyOID, CERT_PUBLIC_KEY_INFO msPubKey = { { 0 } }; DWORD i; - CRYPT_DATA_BLOB keyBlobs[] = { + static const CRYPT_DATA_BLOB keyBlobs[] = { { sizeof(msPubKey1), msPubKey1 }, { sizeof(msPubKey2), msPubKey2 }, { sizeof(msPubKey3), msPubKey3 }, { sizeof(msPubKey4), msPubKey4 }, }; + static const CRYPT_DATA_BLOB keyBlobs_approot[] = { + { sizeof(msPubKey5), msPubKey5 }, + }; PCERT_SIMPLE_CHAIN rootChain = pChainContext->rgpChain[pChainContext->cChain - 1]; PCCERT_CONTEXT root = rootChain->rgpElement[rootChain->cElement - 1]->pCertContext; - for (i = 0; !isMSRoot && i < ARRAY_SIZE(keyBlobs); i++) + const CRYPT_DATA_BLOB *keys; + unsigned int key_count; + + if (pPolicyPara && pPolicyPara->dwFlags & MICROSOFT_ROOT_CERT_CHAIN_POLICY_CHECK_APPLICATION_ROOT_FLAG) { - msPubKey.PublicKey.cbData = keyBlobs[i].cbData; - msPubKey.PublicKey.pbData = keyBlobs[i].pbData; + keys = keyBlobs_approot; + key_count = ARRAY_SIZE(keyBlobs_approot); + } + else + { + keys = keyBlobs; + key_count = ARRAY_SIZE(keyBlobs); + } + + for (i = 0; !isMSRoot && i < key_count; i++) + { + msPubKey.PublicKey.cbData = keys[i].cbData; + msPubKey.PublicKey.pbData = keys[i].pbData; if (CertComparePublicKeyInfo(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, &root->pCertInfo->SubjectPublicKeyInfo, &msPubKey)) isMSRoot = TRUE; } diff --git a/dlls/crypt32/tests/chain.c b/dlls/crypt32/tests/chain.c index 9ed1b28bf70..32f00801799 100644 --- a/dlls/crypt32/tests/chain.c +++ b/dlls/crypt32/tests/chain.c @@ -4958,6 +4958,13 @@ static const ChainPolicyCheck msRootPolicyCheck[] = { { 0, CERT_E_UNTRUSTEDROOT, 0, 0, NULL }, NULL, 0 }, }; +static const ChainPolicyCheck msRootPolicyCheck_approot[] = { + { { ARRAY_SIZE(chain32), chain32 }, + { 0, CERT_E_UNTRUSTEDROOT, 0, 2, NULL }, NULL, TODO_ELEMENTS }, + { { ARRAY_SIZE(chain33), chain33 }, + { 0, 0, 0, 0, NULL }, NULL, 0 }, +}; + static const char *num_to_str(WORD num) { static char buf[6]; 
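Review bot: In the new test `if (pPolicyPara && pPolicyPara->dwFlags & MICROSOFT_ROOT_CERT_CHAIN_POLICY_CHECK_APPLICATION_ROOT_FLAG)`, `dwFlags` is read as soon as the pointer is non-NULL with no `cbSize` check visible in the hunk; verify_ms_root_policy begins before the hunk, so if its prologue already validates `pPolicyPara->cbSize` this is fine, otherwise a caller passing an undersized structure has its flags read past the end. The expression is also correct only because `&` binds tighter than `&&`; I'd write `if (pPolicyPara && (pPolicyPara->dwFlags & MICROSOFT_ROOT_CERT_CHAIN_POLICY_CHECK_APPLICATION_ROOT_FLAG))` to make the intent explicit. A short comment on `keyBlobs_approot` would help the next reader, e.g. `/* With the application-root flag only the 2011 application root is accepted; the legacy roots in keyBlobs are deliberately not consulted. */`, since the replacement (rather than extension) of the key set is the security-relevant choice here and appears to be what the chain32 test case exercises. The function continues past the end of the hunk.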
@@ -5295,8 +5302,16 @@ static void check_ssl_policy(void) static void check_msroot_policy(void) { + CERT_CHAIN_POLICY_PARA para; + CHECK_CHAIN_POLICY_STATUS_ARRAY(CERT_CHAIN_POLICY_MICROSOFT_ROOT, NULL, msRootPolicyCheck, &may2020, NULL); + + para.cbSize = sizeof(para); + para.pvExtraPolicyPara = NULL; + para.dwFlags = MICROSOFT_ROOT_CERT_CHAIN_POLICY_CHECK_APPLICATION_ROOT_FLAG; + CHECK_CHAIN_POLICY_STATUS_ARRAY(CERT_CHAIN_POLICY_MICROSOFT_ROOT, NULL, + msRootPolicyCheck_approot, &may2020, ¶); } static void testVerifyCertChainPolicy(void) diff --git a/include/wincrypt.h b/include/wincrypt.h index 59a8d6650bb..04b57e70dbd 100644 --- a/include/wincrypt.h +++ b/include/wincrypt.h @@ -1086,6 +1086,7 @@ typedef struct _CERT_CHAIN_POLICY_STATUS { #define CERT_CHAIN_POLICY_TRUST_TESTROOT_FLAG 0x00004000 #define CERT_CHAIN_POLICY_ALLOW_TESTROOT_FLAG 0x00008000 #define MICROSOFT_ROOT_CERT_CHAIN_POLICY_ENABLE_TEST_ROOT_FLAG 0x00010000 +#define MICROSOFT_ROOT_CERT_CHAIN_POLICY_CHECK_APPLICATION_ROOT_FLAG 0x00020000 typedef struct _AUTHENTICODE_EXTRA_CERT_CHAIN_POLICY_PARA { DWORD cbSize;