schannel: enforce Extended Key Usage for custom CA roots

Reported-by: Joshua Rogers (Aisle Research)
Closes #21629

diff --git a/lib/vtls/schannel_verify.c b/lib/vtls/schannel_verify.c
index d61318625318209c3bb6d2c5016ac5ed9688de33..486fd6e00581da8d706559fedec44a48a3e2b987 100644 (file)
--- a/lib/vtls/schannel_verify.c
+++ b/lib/vtls/schannel_verify.c
@@ -776,9 +776,13 @@ CURLcode Curl_verify_certificate(struct Curl_cfilter *cf,
 
   if(result == CURLE_OK) {
     CERT_CHAIN_PARA ChainPara;
+    LPSTR serverAuthOID = CURL_UNCONST(szOID_PKIX_KP_SERVER_AUTH);
 
     memset(&ChainPara, 0, sizeof(ChainPara));
     ChainPara.cbSize = sizeof(ChainPara);
+    ChainPara.RequestedUsage.dwType = USAGE_MATCH_TYPE_AND;
+    ChainPara.RequestedUsage.Usage.cUsageIdentifier = 1;
+    ChainPara.RequestedUsage.Usage.rgpszUsageIdentifier = &serverAuthOID;
 
     if(!CertGetCertificateChain(cert_chain_engine,
                                 pCertContextServer,