Bug 1442: Certificate validation fails on Windows Vista and older

https://winscp.net/tracker/1442 Source commit: 4d8b2b3e224dd5b9050a2ae8792a6cb0c9fc9974
winscp · Jan 27, 2018 · 1cafc8f · 1cafc8f
1 parent ad9d02a
commit 1cafc8f
Showing 1 changed file with 10 additions and 2 deletions.
diff --git a/source/core/Security.cpp b/source/core/Security.cpp
@@ -122,7 +122,14 @@ bool WindowsValidateCertificate(const unsigned char * Certificate, size_t Len, U
     CERT_CHAIN_ENGINE_CONFIG ChainConfig;
 
     memset(&ChainConfig, 0, sizeof(ChainConfig));
-    ChainConfig.cbSize = sizeof(CERT_CHAIN_ENGINE_CONFIG);
+    const size_t ChainConfigSize =
+      reinterpret_cast<const char *>(&ChainConfig.CycleDetectionModulus) + sizeof(ChainConfig.CycleDetectionModulus) -
+      reinterpret_cast<const char *>(&ChainConfig);
+    // The hExclusiveRoot and hExclusiveTrustedPeople were added in Windows 7.
+    // The CertGetCertificateChain fails with E_INVALIDARG when we include them to ChainConfig.cbSize.
+    DebugAssert(ChainConfigSize == 40);
+    DebugAssert(ChainConfigSize == sizeof(CERT_CHAIN_ENGINE_CONFIG) - sizeof(ChainConfig.hExclusiveRoot) - sizeof(ChainConfig.hExclusiveTrustedPeople));
+    ChainConfig.cbSize = ChainConfigSize;
     ChainConfig.hRestrictedRoot = NULL;
     ChainConfig.hRestrictedTrust = NULL;
     ChainConfig.hRestrictedOther = NULL;
@@ -134,7 +141,8 @@ bool WindowsValidateCertificate(const unsigned char * Certificate, size_t Len, U
     ChainConfig.CycleDetectionModulus = 0;
 
     HCERTCHAINENGINE ChainEngine;
-    if (CertCreateCertificateChainEngine(&ChainConfig, &ChainEngine))
+    bool ChainEngineResult = CertCreateCertificateChainEngine(&ChainConfig, &ChainEngine);
+    if (ChainEngineResult)
     {
       const CERT_CHAIN_CONTEXT * ChainContext = NULL;
       if (CertGetCertificateChain(ChainEngine, CertContext, NULL, NULL, &ChainPara,