Module: wine Branch: master Commit: 16036dd27a746b1b42d1a905107c140ed4d8e242 URL: http://source.winehq.org/git/wine.git/?a=commit;h=16036dd27a746b1b42d1a90510...
Author: Juan Lang juan.lang@gmail.com Date: Fri Oct 30 14:09:57 2009 -0700
crypt32: Allow errors in locally installed root certs.
---
dlls/crypt32/rootstore.c | 20 +++++++++++++++++--- 1 files changed, 17 insertions(+), 3 deletions(-)
diff --git a/dlls/crypt32/rootstore.c b/dlls/crypt32/rootstore.c
index bd6dfac..a4a75ab 100644
--- a/dlls/crypt32/rootstore.c
+++ b/dlls/crypt32/rootstore.c
@@ -261,9 +261,23 @@ static void check_and_store_certs(HCERTSTORE from, HCERTSTORE to)
 "chain creation failed");
 else
 {
- /* The only allowed error is CERT_TRUST_IS_UNTRUSTED_ROOT */
- if (chain->TrustStatus.dwErrorStatus &
- ~CERT_TRUST_IS_UNTRUSTED_ROOT)
+ DWORD allowedErrors = CERT_TRUST_IS_UNTRUSTED_ROOT |
+ CERT_TRUST_IS_NOT_VALID_FOR_USAGE |
+ CERT_TRUST_INVALID_BASIC_CONSTRAINTS |
+ CERT_TRUST_IS_NOT_TIME_VALID;
+
+ /* The certificate chain verification only allows certain
+ * invalid CA certs if they're installed locally: CA
+ * certs missing the key usage extension, and CA certs
+ * missing the basic constraints extension. Of course
+ * there's a chicken and egg problem: we have to accept
+ * them here in order for them to be accepted later.
+ * Expired, locally installed certs are also allowed here,
+ * because we don't know (yet) what date will be checked
+ * for an item signed by one of these certs.
+ * Thus, accept certs with any of the allowed errors.
+ */
+ if (chain->TrustStatus.dwErrorStatus & ~allowedErrors)
 TRACE("rejecting %s: %s\n", get_cert_common_name(cert),
 trust_status_to_str(chain->TrustStatus.dwErrorStatus &
 ~CERT_TRUST_IS_UNTRUSTED_ROOT));
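Review bot: The rejection TRACE at the end of the hunk still masks only CERT_TRUST_IS_UNTRUSTED_ROOT when it formats the reason, so now that allowedErrors also tolerates IS_NOT_VALID_FOR_USAGE, INVALID_BASIC_CONSTRAINTS and IS_NOT_TIME_VALID, a rejected cert's log line will list those tolerated bits next to the bit that actually caused the rejection, which makes the trace misleading when diagnosing why a local root was dropped. The TRACE should use the same mask as the check: `trust_status_to_str(chain->TrustStatus.dwErrorStatus & ~allowedErrors));`. Because this mask now decides which invalid CA certs are admitted as trusted roots, a one-line comment at its declaration would help future maintainers, for instance `/* Errors tolerated for locally installed roots; every bit added here widens what enters the root store. */`. check_and_store_certs starts before and continues after this hunk, so the branch that presumably stores the cert when no disallowed bits remain is not visible here.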