From 16036dd27a746b1b42d1a905107c140ed4d8e242 Mon Sep 17 00:00:00 2001 From: Juan Lang Date: Fri, 30 Oct 2009 14:09:57 -0700 Subject: [PATCH] crypt32: Allow errors in locally installed root certs. --- dlls/crypt32/rootstore.c | 20 +++++++++++++++++--- 1 file changed, 17 insertions(+), 3 deletions(-) diff --git a/dlls/crypt32/rootstore.c b/dlls/crypt32/rootstore.c index bd6dfac450..a4a75ab465 100644 --- a/dlls/crypt32/rootstore.c +++ b/dlls/crypt32/rootstore.c @@ -261,9 +261,23 @@ static void check_and_store_certs(HCERTSTORE from, HCERTSTORE to) "chain creation failed"); else { - /* The only allowed error is CERT_TRUST_IS_UNTRUSTED_ROOT */ - if (chain->TrustStatus.dwErrorStatus & - ~CERT_TRUST_IS_UNTRUSTED_ROOT) + DWORD allowedErrors = CERT_TRUST_IS_UNTRUSTED_ROOT | + CERT_TRUST_IS_NOT_VALID_FOR_USAGE | + CERT_TRUST_INVALID_BASIC_CONSTRAINTS | + CERT_TRUST_IS_NOT_TIME_VALID; + + /* The certificate chain verification only allows certain + * invalid CA certs if they're installed locally: CA + * certs missing the key usage extension, and CA certs + * missing the basic constraints extension. Of course + * there's a chicken and egg problem: we have to accept + * them here in order for them to be accepted later. + * Expired, locally installed certs are also allowed here, + * because we don't know (yet) what date will be checked + * for an item signed by one of these certs. + * Thus, accept certs with any of the allowed errors. + */ + if (chain->TrustStatus.dwErrorStatus & ~allowedErrors) TRACE("rejecting %s: %s\n", get_cert_common_name(cert), trust_status_to_str(chain->TrustStatus.dwErrorStatus & ~CERT_TRUST_IS_UNTRUSTED_ROOT));