crypt32: Set correct error when encountering unsupported critical extensions in the base and SSL policy.

dlls/crypt32/chain.c

@@ -2954,6 +2954,16 @@ static BOOL WINAPI verify_base_policy(LPCSTR szPolicyOID,
          CERT_TRUST_IS_NOT_VALID_FOR_USAGE, &pPolicyStatus->lChainIndex,
          &pPolicyStatus->lElementIndex);
     }
+    if (!pPolicyStatus->dwError &&
+     pChainContext->TrustStatus.dwErrorStatus &
+     CERT_TRUST_HAS_NOT_SUPPORTED_CRITICAL_EXT &&
+     !(checks & CERT_CHAIN_POLICY_IGNORE_NOT_SUPPORTED_CRITICAL_EXT_FLAG))
+    {
+        pPolicyStatus->dwError = CERT_E_CRITICAL;
+        find_element_with_error(pChainContext,
+         CERT_TRUST_HAS_NOT_SUPPORTED_CRITICAL_EXT, &pPolicyStatus->lChainIndex,
+         &pPolicyStatus->lElementIndex);
+    }
     return TRUE;
 }
 
@@ -3377,6 +3387,14 @@ static BOOL WINAPI verify_ssl_policy(LPCSTR szPolicyOID,
          CERT_TRUST_IS_OFFLINE_REVOCATION, &pPolicyStatus->lChainIndex,
          &pPolicyStatus->lElementIndex);
     }
+    else if (pChainContext->TrustStatus.dwErrorStatus &
+     CERT_TRUST_HAS_NOT_SUPPORTED_CRITICAL_EXT)
+    {
+        pPolicyStatus->dwError = CERT_E_CRITICAL;
+        find_element_with_error(pChainContext,
+         CERT_TRUST_HAS_NOT_SUPPORTED_CRITICAL_EXT, &pPolicyStatus->lChainIndex,
+         &pPolicyStatus->lElementIndex);
+    }
     else
         pPolicyStatus->dwError = NO_ERROR;
     /* We only need bother checking whether the name in the end certificate

dlls/crypt32/tests/chain.c

@@ -3964,7 +3964,7 @@ static const ChainPolicyCheck stanfordPolicyCheckWithoutMatchingName = {
 
 static const ChainPolicyCheck invalidExtensionPolicyCheck = {
  { sizeof(chain30) / sizeof(chain30[0]), chain30 },
- { 0, CERT_E_CRITICAL, 0, 1, NULL}, NULL, TODO_ERROR
+ { 0, CERT_E_CRITICAL, 0, 1, NULL}, NULL, 0
 };
 
 static const ChainPolicyCheck authenticodePolicyCheck[] = {