Juan Lang : crypt32: Improve error checking for the base policy. - wine-commits

6 Oct 2010

Module: wine
Branch: master
Commit: 966d722752b659a12ffa355a1e559f94907cd66d
URL:    http://source.winehq.org/git/wine.git/?a=commit;h=966d722752b659a12ffa355a1e...
Author: Juan Lang juan.lang@gmail.com
Date:   Mon Oct  4 18:16:16 2010 -0700
crypt32: Improve error checking for the base policy.
---
dlls/crypt32/chain.c       |   42 ++++++++++++++++++++++++++++++++----------
 dlls/crypt32/tests/chain.c |   13 ++++---------
 2 files changed, 36 insertions(+), 19 deletions(-)

diff --git a/dlls/crypt32/chain.c b/dlls/crypt32/chain.c
index 4b6fdba..266e6ab 100644
--- a/dlls/crypt32/chain.c
+++ b/dlls/crypt32/chain.c
@@ -2904,7 +2904,12 @@ static BOOL WINAPI verify_base_policy(LPCSTR szPolicyOID,
  PCCERT_CHAIN_CONTEXT pChainContext, PCERT_CHAIN_POLICY_PARA pPolicyPara,
  PCERT_CHAIN_POLICY_STATUS pPolicyStatus)
 {
+    DWORD checks = 0;
+
+    if (pPolicyPara)
+        checks = pPolicyPara->dwFlags;
     pPolicyStatus->lChainIndex = pPolicyStatus->lElementIndex = -1;
+    pPolicyStatus->dwError = NO_ERROR;
     if (pChainContext->TrustStatus.dwErrorStatus &
      CERT_TRUST_IS_NOT_SIGNATURE_VALID)
     {
@@ -2913,14 +2918,6 @@ static BOOL WINAPI verify_base_policy(LPCSTR szPolicyOID,
          CERT_TRUST_IS_NOT_SIGNATURE_VALID, &pPolicyStatus->lChainIndex,
          &pPolicyStatus->lElementIndex);
     }
-    else if (pChainContext->TrustStatus.dwErrorStatus &
-     CERT_TRUST_IS_UNTRUSTED_ROOT)
-    {
-        pPolicyStatus->dwError = CERT_E_UNTRUSTEDROOT;
-        find_element_with_error(pChainContext,
-         CERT_TRUST_IS_UNTRUSTED_ROOT, &pPolicyStatus->lChainIndex,
-         &pPolicyStatus->lElementIndex);
-    }
     else if (pChainContext->TrustStatus.dwErrorStatus & CERT_TRUST_IS_CYCLIC)
     {
         pPolicyStatus->dwError = CERT_E_CHAINING;
@@ -2929,8 +2926,33 @@ static BOOL WINAPI verify_base_policy(LPCSTR szPolicyOID,
         /* For a cyclic chain, which element is a cycle isn't meaningful */
         pPolicyStatus->lElementIndex = -1;
     }
-    else
-        pPolicyStatus->dwError = NO_ERROR;
+    if (!pPolicyStatus->dwError &&
+     pChainContext->TrustStatus.dwErrorStatus & CERT_TRUST_IS_UNTRUSTED_ROOT &&
+     !(checks & CERT_CHAIN_POLICY_ALLOW_UNKNOWN_CA_FLAG))
+    {
+        pPolicyStatus->dwError = CERT_E_UNTRUSTEDROOT;
+        find_element_with_error(pChainContext,
+         CERT_TRUST_IS_UNTRUSTED_ROOT, &pPolicyStatus->lChainIndex,
+         &pPolicyStatus->lElementIndex);
+    }
+    if (!pPolicyStatus->dwError &&
+     pChainContext->TrustStatus.dwErrorStatus & CERT_TRUST_IS_NOT_TIME_VALID)
+    {
+        pPolicyStatus->dwError = CERT_E_EXPIRED;
+        find_element_with_error(pChainContext,
+         CERT_TRUST_IS_NOT_TIME_VALID, &pPolicyStatus->lChainIndex,
+         &pPolicyStatus->lElementIndex);
+    }
+    if (!pPolicyStatus->dwError &&
+     pChainContext->TrustStatus.dwErrorStatus &
+     CERT_TRUST_IS_NOT_VALID_FOR_USAGE &&
+     !(checks & CERT_CHAIN_POLICY_IGNORE_WRONG_USAGE_FLAG))
+    {
+        pPolicyStatus->dwError = CERT_E_WRONG_USAGE;
+        find_element_with_error(pChainContext,
+         CERT_TRUST_IS_NOT_VALID_FOR_USAGE, &pPolicyStatus->lChainIndex,
+         &pPolicyStatus->lElementIndex);
+    }
     return TRUE;
 }
diff --git a/dlls/crypt32/tests/chain.c b/dlls/crypt32/tests/chain.c
index 5ee5050..9fe24b6 100644
--- a/dlls/crypt32/tests/chain.c
+++ b/dlls/crypt32/tests/chain.c
@@ -3745,11 +3745,6 @@ static const ChainPolicyCheck basePolicyCheck[] = {
    { 0, CERT_E_UNTRUSTEDROOT, 0, 0, NULL }, NULL, 0 },
 };
-static const ChainPolicyCheck ignoredUnknownCABasePolicyCheck = {
- { sizeof(chain0) / sizeof(chain0[0]), chain0 },
- { 0, CERT_E_EXPIRED, 0, 0, NULL }, NULL, TODO_ERROR
-};
-
 /* Windows NT 4 has a different error code when the validity period doesn't
  * nest.  (It's arguably more correct than other Windows versions, but since
  * others do not emulate its behavior, we mark its behavior broken.)
@@ -3759,12 +3754,12 @@ static const CERT_CHAIN_POLICY_STATUS badDateNestingStatus =
static const ChainPolicyCheck ignoredBadDateNestingBasePolicyCheck = {
  { sizeof(chain2) / sizeof(chain2[0]), chain2 },
- { 0, CERT_E_EXPIRED, 0, 1, NULL}, &badDateNestingStatus, TODO_ERROR
+ { 0, CERT_E_EXPIRED, 0, 1, NULL}, &badDateNestingStatus, TODO_ELEMENTS
 };
static const ChainPolicyCheck ignoredInvalidDateBasePolicyCheck = {
  { sizeof(googleChain) / sizeof(googleChain[0]), googleChain },
- { 0, CERT_E_EXPIRED, 0, 1, NULL}, NULL, TODO_ERROR
+ { 0, CERT_E_EXPIRED, 0, 1, NULL}, NULL, TODO_ELEMENTS
 };
static const ChainPolicyCheck ignoredInvalidUsageBasePolicyCheck = {
@@ -3774,7 +3769,7 @@ static const ChainPolicyCheck ignoredInvalidUsageBasePolicyCheck = {
static const ChainPolicyCheck invalidUsageBasePolicyCheck = {
  { sizeof(chain15) / sizeof(chain15[0]), chain15 },
- { 0, CERT_E_WRONG_USAGE, 0, 1, NULL}, NULL, TODO_ERROR
+ { 0, CERT_E_WRONG_USAGE, 0, 1, NULL}, NULL, 0
 };
static const ChainPolicyCheck sslPolicyCheck[] = {
@@ -4083,7 +4078,7 @@ static void check_base_policy(void)
     policyPara.cbSize = sizeof(policyPara);
     policyPara.dwFlags = CERT_CHAIN_POLICY_ALLOW_UNKNOWN_CA_FLAG;
     checkChainPolicyStatus(CERT_CHAIN_POLICY_BASE, NULL,
-     &ignoredUnknownCABasePolicyCheck, 0, &oct2007, &policyPara);
+     &ignoredUnknownCAPolicyCheck, 0, &oct2007, &policyPara);
     policyPara.dwFlags = CERT_CHAIN_POLICY_ALLOW_UNKNOWN_CA_FLAG |
      CERT_CHAIN_POLICY_IGNORE_NOT_TIME_VALID_FLAG;
     checkChainPolicyStatus(CERT_CHAIN_POLICY_BASE, NULL,

    