Diffstat (limited to 'net')
-rw-r--r-- | net/base/x509_certificate_unittest.cc | 4 | ||||
-rw-r--r-- | net/base/x509_certificate_win.cc | 23 |
2 files changed, 18 insertions, 9 deletions
diff --git a/net/base/x509_certificate_unittest.cc b/net/base/x509_certificate_unittest.cc
index 52a6980..4d8b719 100644
--- a/net/base/x509_certificate_unittest.cc
+++ b/net/base/x509_certificate_unittest.cc
@@ -1641,11 +1641,9 @@ const WeakDigestTestData kVerifyIncompleteIntermediateTestData[] = {
   { NULL, "weak_digest_md2_intermediate.pem", "weak_digest_sha1_ee.pem",
     false, false, true, false, true },
 };
-// Disabled on Windows - http://crbug.com/101123. The Windows implementation
-// does not report the status of the last intermediate for incomplete chains.
 // Disabled on NSS - libpkix does not return constructed chains on error,
 // preventing us from detecting/inspecting the verified chain.
-#if defined(OS_WIN) || defined(USE_NSS)
+#if defined(USE_NSS)
 #define MAYBE_VerifyIncompleteIntermediate \
     DISABLED_VerifyIncompleteIntermediate
 #else
diff --git a/net/base/x509_certificate_win.cc b/net/base/x509_certificate_win.cc
index 4f27836..4f0d40c 100644
--- a/net/base/x509_certificate_win.cc
+++ b/net/base/x509_certificate_win.cc
@@ -330,11 +330,22 @@ void GetCertChainInfo(PCCERT_CHAIN_CONTEXT chain_context,
   PCCERT_CONTEXT verified_cert = NULL;
   std::vector<PCCERT_CONTEXT> verified_chain;
 
+  bool has_root_ca = num_elements > 1 &&
+      !(chain_context->TrustStatus.dwErrorStatus &
+        CERT_TRUST_IS_PARTIAL_CHAIN);
+
   // Each chain starts with the end entity certificate (i = 0) and ends with
-  // the root CA certificate (i = num_elements - 1). Do not inspect the
-  // signature algorithm of the root CA certificate because the signature on
-  // the trust anchor is not important.
-  for (int i = 0; i < num_elements - 1; ++i) {
+  // either the root CA certificate or the last available intermediate. If a
+  // root CA certificate is present, do not inspect the signature algorithm of
+  // the root CA certificate because the signature on the trust anchor is not
+  // important.
+  if (has_root_ca) {
+    // If a full chain was constructed, regardless of whether it was trusted,
+    // don't inspect the root's signature algorithm.
+    num_elements -= 1;
+  }
+
+  for (int i = 0; i < num_elements; ++i) {
     PCCERT_CONTEXT cert = element[i]->pCertContext;
     if (i == 0) {
       verified_cert = cert;
@@ -361,8 +372,8 @@ void GetCertChainInfo(PCCERT_CHAIN_CONTEXT chain_context,
 
   if (verified_cert) {
     // Add the root certificate, if present, as it was not added above.
-    if (num_elements > 1)
-      verified_chain.push_back(element[num_elements - 1]->pCertContext);
+    if (has_root_ca)
+      verified_chain.push_back(element[num_elements]->pCertContext);
     verify_result->verified_cert =
         X509Certificate::CreateFromHandle(verified_cert, verified_chain);
   }
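Review bot: `num_elements -= 1` silently changes the meaning of `num_elements` from "certificates in the chain" to "certificates to inspect", and the second hunk then depends on the decremented value to index the root with `element[num_elements]`, which reads as an off-by-one to anyone who has not seen the first hunk. Keep the count intact and introduce a separate bound: `const bool has_root_ca = ...;` as written, `const int num_to_inspect = has_root_ca ? num_elements - 1 : num_elements;`, `for (int i = 0; i < num_to_inspect; ++i) {`, and leave the root push_back as `element[num_elements - 1]`. `CERT_TRUST_IS_PARTIAL_CHAIN` is read from the whole chain context's TrustStatus while `element` presumably comes from one simple chain; that is consistent only when a single simple chain was built, and a one-line comment stating that assumption would help. A chain consisting of a single self-signed certificate now runs the loop once (has_root_ca is false because num_elements is 1), so its own signature algorithm is inspected and verified_cert is set, whereas the old `i < num_elements - 1` bound did neither; that looks intended but deserves a dedicated test. GetCertChainInfo begins before and continues past this hunk.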