Index: /trunk/src/VBox/Runtime/common/crypto/x509-certpaths.cpp
===================================================================
--- /trunk/src/VBox/Runtime/common/crypto/x509-certpaths.cpp	(revision 84669)
+++ /trunk/src/VBox/Runtime/common/crypto/x509-certpaths.cpp	(revision 84670)
@@ -571,4 +571,21 @@
 }
 
+/**
+ * Helper for checking whether a certificate is in the trusted store or not.
+ */
+static bool rtCrX509CertPathsIsCertInStore(PRTCRX509CERTPATHNODE pNode, RTCRSTORE hStore)
+{
+    bool fRc = false;
+    PCRTCRCERTCTX pCertCtx = RTCrStoreCertByIssuerAndSerialNo(hStore, &pNode->pCert->TbsCertificate.Issuer,
+                                                              &pNode->pCert->TbsCertificate.SerialNumber);
+    if (pCertCtx)
+    {
+        if (pCertCtx->pCert)
+            fRc = RTCrX509Certificate_Compare(pCertCtx->pCert, pNode->pCert) == 0;
+        RTCrCertCtxRelease(pCertCtx);
+    }
+    return fRc;
+}
+
 /** @}  */
 
@@ -579,9 +596,4 @@
  */
 
-/**
- *
- * @returns
- * @param   pThis               .
- */
 static PRTCRX509CERTPATHNODE rtCrX509CertPathsNewNode(PRTCRX509CERTPATHSINT pThis)
 {
@@ -919,4 +931,13 @@
         pCur->uDepth = 0;
         pCur->uSrc   = RTCRX509CERTPATHNODE_SRC_TARGET;
+
+        /* Check if the target is trusted and do the upgrade (this is outside the RFC,
+           but this simplifies the path validator usage a lot (less work for the caller)). */
+        if (   pThis->pTrustedCert
+            && RTCrX509Certificate_Compare(pThis->pTrustedCert, pCur->pCert) == 0)
+            pCur->uSrc = RTCRX509CERTPATHNODE_SRC_TRUSTED_CERT;
+        else if (   pThis->hTrustedStore != NIL_RTCRSTORE
+                 && rtCrX509CertPathsIsCertInStore(pCur, pThis->hTrustedStore))
+            pCur->uSrc = RTCRX509CERTPATHNODE_SRC_TRUSTED_STORE;
 
         pThis->pErrInfo = pErrInfo;
@@ -1195,4 +1216,10 @@
             else if (uVerbosity >= 3)
                 RTAsn1Dump(&pCurLeaf->pCert->TbsCertificate.T3.Extensions.SeqCore.Asn1Core, 0, iIndent, pfnPrintfV, pvUser);
+
+            rtDumpIndent(pfnPrintfV, pvUser, iIndent, "Valid  : %s thru %s\n",
+                         RTTimeToString(&pCurLeaf->pCert->TbsCertificate.Validity.NotBefore.Time,
+                                        pThis->szTmp, sizeof(pThis->szTmp) / 2),
+                         RTTimeToString(&pCurLeaf->pCert->TbsCertificate.Validity.NotAfter.Time,
+                                        &pThis->szTmp[sizeof(pThis->szTmp) / 2], sizeof(pThis->szTmp) / 2) );
         }
         else