Hi, I just noticed commit efa555596b30134261920ea12d8c324f9bef34b4. This change is misleading:
- "Chain %d, element [%d,%d]: expected error %08x, got %08x\n", + "Chain %d, element [%d,%d]: expected error %08x, got %08x. %08x is " + "expected if no valid Verisign root certificate is available.\n", testIndex, chainIndex, elementIndex, expected->dwErrorStatus, - got->dwErrorStatus); + got->dwErrorStatus, CERT_TRUST_IS_UNTRUSTED_ROOT);
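Review bot: the sentence added to the format string ("%08x is expected if no valid Verisign root certificate is available.") is printed with CERT_TRUST_IS_UNTRUSTED_ROOT as its argument on every mismatch, because nothing in the changed lines tests whether that bit is what differs between expected->dwErrorStatus and got->dwErrorStatus. If the hint is kept, it should be emitted only when the bit is set in got->dwErrorStatus and clear in expected->dwErrorStatus, so that a failure with an unrelated cause is not attributed to a missing root certificate.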
The only difference is to add CERT_TRUST_IS_UNTRUSTED_ROOT if any chain doesn't match, whatever the reason. On the other hand, only one chain out of 14 or so that are tested would ever unexpectedly have CERT_TRUST_IS_UNTRUSTED_ROOT set. The remainder of the chains are not rooted in any trusted CA, but are rooted in some untrusted cert. So I don't think this change is really all that beneficial.
Personally, I'd rather have the change reverted. Comments?
--Juan