crypt32: Fix error handling for cyclic chains.
diff --git a/dlls/crypt32/chain.c b/dlls/crypt32/chain.c
index 534d6ae..d086fe6 100644
--- a/dlls/crypt32/chain.c
+++ b/dlls/crypt32/chain.c
@@ -251,7 +251,7 @@
if (cyclicCertIndex)
{
chain->rgpElement[cyclicCertIndex]->TrustStatus.dwErrorStatus
- |= CERT_TRUST_IS_CYCLIC;
+ |= CERT_TRUST_IS_CYCLIC | CERT_TRUST_INVALID_BASIC_CONSTRAINTS;
/* Release remaining certs */
for (i = cyclicCertIndex + 1; i < chain->cElement; i++)
CRYPT_FreeChainElement(chain->rgpElement[i]);
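Review bot: The new `CERT_TRUST_INVALID_BASIC_CONSTRAINTS` bit on the `|=` line has no comment saying why a cycle implies a basic-constraints failure. The reasoning appears only in the second hunk of this file, so a reader of this function sees an unexplained extra error flag on the cyclic element. I would add above the assignment `/* A cyclic chain is infinitely long, so it violates any path length constraint */`. The enclosing function starts and ends outside the hunk.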
@@ -766,6 +766,15 @@
constraints.dwPathLenConstraint--;
}
}
+ if (CRYPT_IsSimpleChainCyclic(chain))
+ {
+ /* If the chain is cyclic, then the path length constraints
+ * are violated, because the chain is infinitely long.
+ */
+ pathLengthConstraintViolated = TRUE;
+ chain->TrustStatus.dwErrorStatus |=
+ CERT_TRUST_INVALID_BASIC_CONSTRAINTS;
+ }
/* FIXME: check valid usages */
CRYPT_CombineTrustStatus(&chain->TrustStatus,
&chain->rgpElement[i]->TrustStatus);
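Review bot: `CRYPT_IsSimpleChainCyclic(chain)` appears to be evaluated once per element, since the context lines that follow it index `chain->rgpElement[i]`, yet its result does not depend on `i`. The loop header is outside the hunk, so this is inferred. If it holds, compute the result once before the loop, e.g. `BOOL cyclic = CRYPT_IsSimpleChainCyclic(chain);`, and test `if (cyclic)` here. That avoids rescanning the chain for every element and makes clear that the verdict is a property of the whole chain. It is also worth confirming that the direct write to `chain->TrustStatus.dwErrorStatus` is still needed: the first hunk already sets the same bit on the cyclic element, and `CRYPT_CombineTrustStatus` presumably folds element status into the chain.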
diff --git a/dlls/crypt32/tests/chain.c b/dlls/crypt32/tests/chain.c
index 1a10702..eb8db2c 100644
--- a/dlls/crypt32/tests/chain.c
+++ b/dlls/crypt32/tests/chain.c
@@ -1521,7 +1521,7 @@
{ CERT_TRUST_HAS_NOT_SUPPORTED_NAME_CONSTRAINT |
CERT_TRUST_INVALID_BASIC_CONSTRAINTS | CERT_TRUST_IS_CYCLIC, 0 },
1, simpleStatus9 },
- TODO_ERROR | TODO_INFO },
+ TODO_INFO },
{ { sizeof(chain10) / sizeof(chain10[0]), chain10 },
{ { 0, CERT_TRUST_HAS_PREFERRED_ISSUER },
{ CERT_TRUST_IS_UNTRUSTED_ROOT, 0 }, 1, simpleStatus10 }, 0 },
@@ -1743,8 +1743,7 @@
{ 0, TRUST_E_BASIC_CONSTRAINTS, 0, 1, NULL },
TODO_ERROR | TODO_CHAINS | TODO_ELEMENTS },
{ { sizeof(chain9) / sizeof(chain9[0]), chain9 },
- { 0, TRUST_E_BASIC_CONSTRAINTS, 0, 1, NULL },
- TODO_ERROR | TODO_CHAINS | TODO_ELEMENTS },
+ { 0, TRUST_E_BASIC_CONSTRAINTS, 0, 1, NULL }, 0 },
{ { sizeof(chain10) / sizeof(chain10[0]), chain10 },
{ 0, 0, -1, -1, NULL }, 0 },
{ { sizeof(chain11) / sizeof(chain11[0]), chain11 },