From 87405ade02bfe5c815ae32d16453436d4e0c6e76 Mon Sep 17 00:00:00 2001 From: Juan Lang Date: Mon, 19 Oct 2009 09:04:51 -0700 Subject: [PATCH] crypt32: Add a safe default for unsupported critical extensions. --- dlls/crypt32/chain.c | 43 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 43 insertions(+) diff --git a/dlls/crypt32/chain.c b/dlls/crypt32/chain.c index fa9fdf0f34a..c9f761885fb 100644 --- a/dlls/crypt32/chain.c +++ b/dlls/crypt32/chain.c @@ -814,6 +814,44 @@ static void dump_element(PCCERT_CONTEXT cert) dump_extension(&cert->pCertInfo->rgExtension[i]); } +static BOOL CRYPT_CriticalExtensionsSupported(PCCERT_CONTEXT cert) +{ + BOOL ret = TRUE; + DWORD i; + + for (i = 0; ret && i < cert->pCertInfo->cExtension; i++) + { + if (cert->pCertInfo->rgExtension[i].fCritical) + { + LPCSTR oid = cert->pCertInfo->rgExtension[i].pszObjId; + + if (!strcmp(oid, szOID_BASIC_CONSTRAINTS)) + ret = TRUE; + else if (!strcmp(oid, szOID_BASIC_CONSTRAINTS2)) + ret = TRUE; + else if (!strcmp(oid, szOID_NAME_CONSTRAINTS)) + ret = TRUE; + else if (!strcmp(oid, szOID_KEY_USAGE)) + { + static int warned; + + if (!warned++) + FIXME("key usage extension unsupported, ignoring\n"); + ret = TRUE; + } + else if (!strcmp(oid, szOID_SUBJECT_ALT_NAME)) + ret = TRUE; + else + { + FIXME("unsupported critical extension %s\n", + debugstr_a(oid)); + ret = FALSE; + } + } + } + return ret; +} + static void CRYPT_CheckSimpleChain(PCertificateChainEngine engine, PCERT_SIMPLE_CHAIN chain, LPFILETIME time) { @@ -878,6 +916,11 @@ static void CRYPT_CheckSimpleChain(PCertificateChainEngine engine, CERT_TRUST_INVALID_BASIC_CONSTRAINTS; } /* FIXME: check valid usages */ + /* Check whether every critical extension is supported */ + if (!CRYPT_CriticalExtensionsSupported( + chain->rgpElement[i]->pCertContext)) + chain->rgpElement[i]->TrustStatus.dwErrorStatus |= + CERT_TRUST_INVALID_EXTENSION; CRYPT_CombineTrustStatus(&chain->TrustStatus, &chain->rgpElement[i]->TrustStatus); } -- 2.11.4.GIT