Module: wine Branch: master Commit: 7871a9f85880e3bbe74d6b9ed614719210e0bfba URL: http://source.winehq.org/git/wine.git/?a=commit;h=7871a9f85880e3bbe74d6b9ed6...
Author: Juan Lang juan.lang@gmail.com Date: Mon Apr 4 09:03:28 2011 -0700
crypt32: Accept CA certificates without a key usage extension.
---
dlls/crypt32/chain.c | 26 +++++--------------------- 1 files changed, 5 insertions(+), 21 deletions(-)
diff --git a/dlls/crypt32/chain.c b/dlls/crypt32/chain.c
index ca76cef..8af49f4 100644
--- a/dlls/crypt32/chain.c
+++ b/dlls/crypt32/chain.c
@@ -1760,28 +1760,12 @@ static BOOL CRYPT_KeyUsageValid(PCertificateChainEngine engine,
 * extensions as CA certs. V1 and V2 certificates did not have
 * extensions, and many root certificates are V1 certificates, so
 * perhaps this is prudent. On the other hand, MS also accepts V3
- * certs without key usage extensions. We are more restrictive:
- * we accept locally installed V1 or V2 certs as CA certs.
- * We also accept a lack of key usage extension on root certs,
- * which is implied in RFC 5280, section 6.1: the trust anchor's
- * only requirement is that it was used to issue the next
- * certificate in the chain.
+ * certs without key usage extensions. Because some CAs, e.g.
+ * Certum, also do not include key usage extensions in their
+ * intermediate certificates, we are forced to accept V3
+ * certificates without key usage extensions as well.
 */
- if (isRoot)
- ret = TRUE;
- else if (cert->pCertInfo->dwVersion == CERT_V1 ||
- cert->pCertInfo->dwVersion == CERT_V2)
- {
- PCCERT_CONTEXT localCert = CRYPT_FindCertInStore(
- engine->hWorld, cert);
-
- ret = localCert != NULL;
- CertFreeCertificateContext(localCert);
- }
- else
- ret = FALSE;
- if (!ret)
- WARN_(chain)("no key usage extension on a CA cert\n");
+ ret = TRUE;
 }
 else
 {
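Review bot: The branch for a CA certificate with no key usage extension now ends in an unconditional `ret = TRUE;`, and the `WARN_(chain)` trace is removed along with the old checks, so a chain accepted on this relaxed path leaves no record in the chain debug channel. I would keep a trace next to the assignment, e.g. `TRACE_(chain)("accepting CA cert without key usage extension\n");`, so the relaxed acceptance is visible when a chain is being diagnosed. The rewritten comment should also state what still limits who may act as an issuer: after this change the key usage requirement applies only when the extension is present, and for certificates without it the decision presumably rests on the basic constraints check done elsewhere in chain.c, which this hunk does not show. CRYPT_KeyUsageValid starts and ends outside the hunk, so whether `isRoot` is still used elsewhere in the function cannot be confirmed from here.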