Module: wine Branch: master Commit: a040dd22e75f8ca86961a0a0afbc0caa97c9f109 URL: http://source.winehq.org/git/wine.git/?a=commit;h=a040dd22e75f8ca86961a0a0af...
Author: Juan Lang juan.lang@gmail.com Date: Thu Sep 6 10:02:11 2007 -0700
crypt32: Defer checking signatures until chain is complete.
---
dlls/crypt32/chain.c | 23 +++++++++++------------ 1 files changed, 11 insertions(+), 12 deletions(-)
diff --git a/dlls/crypt32/chain.c b/dlls/crypt32/chain.c
index 4cf74a6..98b69b9 100644
--- a/dlls/crypt32/chain.c
+++ b/dlls/crypt32/chain.c
@@ -252,16 +252,6 @@ static inline BOOL CRYPT_IsSimpleChainCyclic(PCERT_SIMPLE_CHAIN chain)
 return FALSE;
 }
-/* Gets cert's issuer from store, and returns the validity flags associated
- * with it. Returns NULL if no issuer signature could be found.
- */
-static PCCERT_CONTEXT CRYPT_GetIssuerFromStore(HCERTSTORE store,
- PCCERT_CONTEXT cert, PDWORD pdwFlags)
-{
- *pdwFlags = CERT_STORE_SIGNATURE_FLAG;
- return CertGetIssuerCertificateFromStore(store, cert, NULL, pdwFlags);
-}
-
 static inline void CRYPT_CombineTrustStatus(CERT_TRUST_STATUS *chainStatus,
 CERT_TRUST_STATUS *elementStatus)
 {
@@ -482,6 +472,14 @@ static void CRYPT_CheckSimpleChain(PCertificateChainEngine engine,
 CERT_TRUST_IS_NOT_TIME_VALID;
 if (i != 0)
 {
+ /* Check the signature of the cert this issued */
+ if (!CryptVerifyCertificateSignatureEx(0, X509_ASN_ENCODING,
+ CRYPT_VERIFY_CERT_SIGN_SUBJECT_CERT,
+ (void *)chain->rgpElement[i - 1]->pCertContext,
+ CRYPT_VERIFY_CERT_SIGN_ISSUER_CERT,
+ (void *)chain->rgpElement[i]->pCertContext, 0, NULL))
+ chain->rgpElement[i - 1]->TrustStatus.dwErrorStatus |=
+ CERT_TRUST_IS_NOT_SIGNATURE_VALID;
 /* Once a path length constraint has been violated, every remaining
 * CA cert's basic constraints is considered invalid.
 */
@@ -525,8 +523,9 @@ static BOOL CRYPT_BuildSimpleChain(PCertificateChainEngine engine,
 while (ret && !CRYPT_IsSimpleChainCyclic(chain) &&
 !CRYPT_IsCertificateSelfSigned(cert))
 {
- DWORD flags;
- PCCERT_CONTEXT issuer = CRYPT_GetIssuerFromStore(world, cert, &flags);
+ DWORD flags = 0;
+ PCCERT_CONTEXT issuer =
+ CertGetIssuerCertificateFromStore(world, cert, NULL, &flags);
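Review bot: In the CRYPT_CheckSimpleChain hunk the new check runs only under `if (i != 0)` and verifies element `i - 1` against element `i`, so the last element of the chain is never the subject of a signature check in the lines shown. That matters more now that CRYPT_BuildSimpleChain no longer asks the store to verify signatures while it collects issuers: a chain that ends at a self-signed certificate, or at a certificate whose issuer was not found, has an unverified top element unless code outside this hunk covers it. I would state the invariant next to the new code, for example `/* The last element has no issuer in the chain; its signature is not verified here */`. Every failure of CryptVerifyCertificateSignatureEx, not only a bad signature, is reported as CERT_TRUST_IS_NOT_SIGNATURE_VALID, which fails closed and looks like the right default. The function body starts and ends outside the hunk, including the loop header and the point where element status is folded into the chain status.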
if (issuer) {
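Review bot: With `flags = 0` and a `NULL` previous-issuer argument, the loop in CRYPT_BuildSimpleChain takes the first candidate that CertGetIssuerCertificateFromStore returns from `world` and never looks at a second one, and no signature is verified at this point. If `world` can hold more than one certificate with the same subject name (a re-keyed or cross-signed CA, or a certificate from a caller-supplied store; not visible in this hunk), a candidate that did not sign `cert` may be appended, and the deferred check can then only mark the chain CERT_TRUST_IS_NOT_SIGNATURE_VALID even though a valid path exists. That fails closed, but it lets an unrelated same-name certificate break validation, so consider trying further candidates through the previous-issuer parameter, or at least record the dependency with `/* Issuer is selected without signature verification; CRYPT_CheckSimpleChain verifies it later */`. How `flags` is used after the call, like the rest of the loop body, is outside the hunk.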