SUPPORT-8703. Правки в проверке цепочки сертификатов

2024-11-18 13:06:24 +03:00 · 2024-11-18 13:06:24 +03:00 · c660ea5fdf
commit c660ea5fdf
parent a8ea62eff6
1 changed files with 11 additions and 30 deletions
--- a/src/utils/cryptopro.c
+++ b/src/utils/cryptopro.c
@ -103,18 +103,17 @@ get_cert_chain(PCCERT_CONTEXT certificate)


    if (!cp_function_list.CertGetCertificateChain(NULL, 
-                                                    certificate, 
-                                                    NULL, 
-                                                    NULL, 
-                                                    &chain_para,
-                                                    (CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT),
-                                                    NULL, 
-                                                    &chain_ctx)) {
+                    certificate, 
+                    NULL, 
+                    NULL, 
+                    &chain_para,
+                    (CERT_CHAIN_CACHE_END_CERT | CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT),
+                    NULL, 
+                    &chain_ctx)) {
        LOG_ERROR("CertGetCertificateChain() failed");
        goto error;
    }
-    LOG_DEBUG("Trust error status: '0x%08x'", chain_ctx->TrustStatus.dwErrorStatus);
-    LOG_DEBUG("Trust info status: '0x%08x'", chain_ctx->TrustStatus.dwInfoStatus);
+
    if (chain_ctx->TrustStatus.dwErrorStatus) {
        LOG_WARN("The certificate is not trusted. CERT_TRUST_STATUS: '0x%08x'", 
                    chain_ctx->TrustStatus.dwErrorStatus);
@ -130,21 +129,6 @@ error:
    return NULL;
 }

-static const char* 
-get_cert_chain_policy_status_error_desc(DWORD err)
-{
-    // TODO-8703
-    switch(err) {
-        case CERT_E_UNTRUSTEDROOT:
-            return "CERT_E_UNTRUSTEDROOT";
-        case CERT_E_CHAINING:
-            return "CERT_E_CHAINING";
-        default:
-            break;
-    }
-    return "Unknown error";
-}
-
 static bool
 check_cert_chain_policy(PCCERT_CHAIN_CONTEXT chain_ctx)
 {
@ -164,8 +148,7 @@ check_cert_chain_policy(PCCERT_CHAIN_CONTEXT chain_ctx)
    status.pvExtraPolicyStatus = &extraStatus;

    if (!cp_function_list.CertVerifyCertificateChainPolicy(
-            CERT_CHAIN_POLICY_BASE, 
-            // TODO-8703: CPCERT_CHAIN_POLICY_SIGNATURE 
+            CPCERT_CHAIN_POLICY_SIGNATURE,
            chain_ctx, 
            &policy_para,
            &status)) {
@ -176,15 +159,13 @@ check_cert_chain_policy(PCCERT_CHAIN_CONTEXT chain_ctx)

    if (status.dwError != 0) {
        LOG_WARN("The certificate chain cannot be validated. "
-                 "CertVerifyCertificateChainPolicy status: %s('0x%08x')", 
-                    get_cert_chain_policy_status_error_desc(status.dwError), status.dwError);
+                 "CERT_CHAIN_POLICY_STATUS: '0x%08x'", status.dwError);
        goto exit;
    }

    if (extraStatus.dwError != 0) {
        LOG_WARN("The certificate chain cannot be validated. "
-                 "CertVerifyCertificateChainPolicy extra status: %s('0x%08x')", 
-                    get_cert_chain_policy_status_error_desc(status.dwError), status.dwError);
+                 "CPSIGNATURE_EXTRA_CERT_CHAIN_POLICY_STATUS: '0x%08x'", extraStatus.dwError);
        goto exit;
    }