crypt32: Improve error checking for the base policy.

2024-11-05 18:01:34 +00:00 · 2010-10-04 18:16:16 -07:00 · 2010-10-04 18:16:16 -07:00 · 966d722752
commit 966d722752
parent c4c70b608c
2 changed files with 36 additions and 19 deletions
--- a/dlls/crypt32/chain.c
+++ b/dlls/crypt32/chain.c
@ -2904,7 +2904,12 @@ static BOOL WINAPI verify_base_policy(LPCSTR szPolicyOID,
 PCCERT_CHAIN_CONTEXT pChainContext, PCERT_CHAIN_POLICY_PARA pPolicyPara,
 PCERT_CHAIN_POLICY_STATUS pPolicyStatus)
 {
+    DWORD checks = 0;
+
+    if (pPolicyPara)
+        checks = pPolicyPara->dwFlags;
    pPolicyStatus->lChainIndex = pPolicyStatus->lElementIndex = -1;
+    pPolicyStatus->dwError = NO_ERROR;
    if (pChainContext->TrustStatus.dwErrorStatus &
     CERT_TRUST_IS_NOT_SIGNATURE_VALID)
    {
@ -2913,14 +2918,6 @@ static BOOL WINAPI verify_base_policy(LPCSTR szPolicyOID,
         CERT_TRUST_IS_NOT_SIGNATURE_VALID, &pPolicyStatus->lChainIndex,
         &pPolicyStatus->lElementIndex);
    }
-    else if (pChainContext->TrustStatus.dwErrorStatus &
-     CERT_TRUST_IS_UNTRUSTED_ROOT)
-    {
-        pPolicyStatus->dwError = CERT_E_UNTRUSTEDROOT;
-        find_element_with_error(pChainContext,
-         CERT_TRUST_IS_UNTRUSTED_ROOT, &pPolicyStatus->lChainIndex,
-         &pPolicyStatus->lElementIndex);
-    }
    else if (pChainContext->TrustStatus.dwErrorStatus & CERT_TRUST_IS_CYCLIC)
    {
        pPolicyStatus->dwError = CERT_E_CHAINING;
@ -2929,8 +2926,33 @@ static BOOL WINAPI verify_base_policy(LPCSTR szPolicyOID,
        /* For a cyclic chain, which element is a cycle isn't meaningful */
        pPolicyStatus->lElementIndex = -1;
    }
-    else
-        pPolicyStatus->dwError = NO_ERROR;
+    if (!pPolicyStatus->dwError &&
+     pChainContext->TrustStatus.dwErrorStatus & CERT_TRUST_IS_UNTRUSTED_ROOT &&
+     !(checks & CERT_CHAIN_POLICY_ALLOW_UNKNOWN_CA_FLAG))
+    {
+        pPolicyStatus->dwError = CERT_E_UNTRUSTEDROOT;
+        find_element_with_error(pChainContext,
+         CERT_TRUST_IS_UNTRUSTED_ROOT, &pPolicyStatus->lChainIndex,
+         &pPolicyStatus->lElementIndex);
+    }
+    if (!pPolicyStatus->dwError &&
+     pChainContext->TrustStatus.dwErrorStatus & CERT_TRUST_IS_NOT_TIME_VALID)
+    {
+        pPolicyStatus->dwError = CERT_E_EXPIRED;
+        find_element_with_error(pChainContext,
+         CERT_TRUST_IS_NOT_TIME_VALID, &pPolicyStatus->lChainIndex,
+         &pPolicyStatus->lElementIndex);
+    }
+    if (!pPolicyStatus->dwError &&
+     pChainContext->TrustStatus.dwErrorStatus &
+     CERT_TRUST_IS_NOT_VALID_FOR_USAGE &&
+     !(checks & CERT_CHAIN_POLICY_IGNORE_WRONG_USAGE_FLAG))
+    {
+        pPolicyStatus->dwError = CERT_E_WRONG_USAGE;
+        find_element_with_error(pChainContext,
+         CERT_TRUST_IS_NOT_VALID_FOR_USAGE, &pPolicyStatus->lChainIndex,
+         &pPolicyStatus->lElementIndex);
+    }
    return TRUE;
 }

--- a/dlls/crypt32/tests/chain.c
+++ b/dlls/crypt32/tests/chain.c
@ -3745,11 +3745,6 @@ static const ChainPolicyCheck basePolicyCheck[] = {
   { 0, CERT_E_UNTRUSTEDROOT, 0, 0, NULL }, NULL, 0 },
 };

-static const ChainPolicyCheck ignoredUnknownCABasePolicyCheck = {
- { sizeof(chain0) / sizeof(chain0[0]), chain0 },
- { 0, CERT_E_EXPIRED, 0, 0, NULL }, NULL, TODO_ERROR
-};
-
 /* Windows NT 4 has a different error code when the validity period doesn't
 * nest.  (It's arguably more correct than other Windows versions, but since
 * others do not emulate its behavior, we mark its behavior broken.)
@ -3759,12 +3754,12 @@ static const CERT_CHAIN_POLICY_STATUS badDateNestingStatus =

 static const ChainPolicyCheck ignoredBadDateNestingBasePolicyCheck = {
 { sizeof(chain2) / sizeof(chain2[0]), chain2 },
- { 0, CERT_E_EXPIRED, 0, 1, NULL}, &badDateNestingStatus, TODO_ERROR
+ { 0, CERT_E_EXPIRED, 0, 1, NULL}, &badDateNestingStatus, TODO_ELEMENTS
 };

 static const ChainPolicyCheck ignoredInvalidDateBasePolicyCheck = {
 { sizeof(googleChain) / sizeof(googleChain[0]), googleChain },
- { 0, CERT_E_EXPIRED, 0, 1, NULL}, NULL, TODO_ERROR
+ { 0, CERT_E_EXPIRED, 0, 1, NULL}, NULL, TODO_ELEMENTS
 };

 static const ChainPolicyCheck ignoredInvalidUsageBasePolicyCheck = {
@ -3774,7 +3769,7 @@ static const ChainPolicyCheck ignoredInvalidUsageBasePolicyCheck = {

 static const ChainPolicyCheck invalidUsageBasePolicyCheck = {
 { sizeof(chain15) / sizeof(chain15[0]), chain15 },
- { 0, CERT_E_WRONG_USAGE, 0, 1, NULL}, NULL, TODO_ERROR
+ { 0, CERT_E_WRONG_USAGE, 0, 1, NULL}, NULL, 0
 };

 static const ChainPolicyCheck sslPolicyCheck[] = {
@ -4083,7 +4078,7 @@ static void check_base_policy(void)
    policyPara.cbSize = sizeof(policyPara);
    policyPara.dwFlags = CERT_CHAIN_POLICY_ALLOW_UNKNOWN_CA_FLAG;
    checkChainPolicyStatus(CERT_CHAIN_POLICY_BASE, NULL,
-     &ignoredUnknownCABasePolicyCheck, 0, &oct2007, &policyPara);
+     &ignoredUnknownCAPolicyCheck, 0, &oct2007, &policyPara);
    policyPara.dwFlags = CERT_CHAIN_POLICY_ALLOW_UNKNOWN_CA_FLAG |
     CERT_CHAIN_POLICY_IGNORE_NOT_TIME_VALID_FLAG;
    checkChainPolicyStatus(CERT_CHAIN_POLICY_BASE, NULL,