Added patch to fix root certificate check in CERT_CHAIN_REVOCATION_CHECK_CHAIN.

2024-11-21 16:46:54 -08:00 · 2016-11-16 00:07:53 +01:00 · 2016-11-16 00:07:53 +01:00 · 5b403d94e2
commit 5b403d94e2
parent dcc28e042c
3 changed files with 63 additions and 0 deletions
--- a/patches/crypt32-Certificate_Check/0001-crypt32-Properly-check-root-certificate-in-CERT_CHAI.patch
+++ b/patches/crypt32-Certificate_Check/0001-crypt32-Properly-check-root-certificate-in-CERT_CHAI.patch
@ -0,0 +1,43 @@
+From bba53bba66f4ca7b8726424e8215854a657c024a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Michael=20M=C3=BCller?= <michael@fds-team.de>
+Date: Tue, 15 Nov 2016 23:50:23 +0100
+Subject: crypt32: Properly check root certificate in
+ CERT_CHAIN_REVOCATION_CHECK_CHAIN.
+
+CA certificates do not have a parent which defines a CRL, but Windows seems to require
+that CA certificates are self signed. We therefore should set pIssuerCert to the
+CA certificate itself before calling CertVerifyRevocation. On windows the function
+does not seem to fail if no CRL could be found, so ignore this error for now.
+---
+ dlls/crypt32/chain.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/dlls/crypt32/chain.c b/dlls/crypt32/chain.c
+index aab2e91..80b6513 100644
+--- a/dlls/crypt32/chain.c
+++ b/dlls/crypt32/chain.c
+@@ -2704,10 +2704,20 @@ static void CRYPT_VerifyChainRevocation(PCERT_CHAIN_CONTEXT chain,
+                     revocationPara.pIssuerCert =
+                      chain->rgpChain[i]->rgpElement[j + 1]->pCertContext;
+                 else
+-                    revocationPara.pIssuerCert = NULL;
+                    revocationPara.pIssuerCert = certToCheck;
+
+                 ret = CertVerifyRevocation(X509_ASN_ENCODING,
+                  CERT_CONTEXT_REVOCATION_TYPE, 1, (void **)&certToCheck,
+                  revocationFlags, &revocationPara, &revocationStatus);
+
+                if (!ret && revocationStatus.dwError == CRYPT_E_NO_REVOCATION_CHECK &&
+                    revocationPara.pIssuerCert == certToCheck)
+                {
+                    FIXME("Unable to find CRL for CA certificate\n");
+                    ret = TRUE;
+                    revocationStatus.dwError = 0;
+                }
+
+                 if (!ret)
+                 {
+                     PCERT_CHAIN_ELEMENT element = CRYPT_FindIthElementInChain(
+-- 
+2.9.0
+
--- a/patches/crypt32-Certificate_Check/definition
+++ b/patches/crypt32-Certificate_Check/definition
@ -0,0 +1 @@
+Fixes: [41652] Fix root certificate check in CERT_CHAIN_REVOCATION_CHECK_CHAIN
--- a/patches/patchinstall.sh
+++ b/patches/patchinstall.sh
@ -104,6 +104,7 @@ patch_enable_all ()
 	enable_comdlg32_lpstrFileTitle="$1"
 	enable_configure_Absolute_RPATH="$1"
 	enable_crypt32_CMS_Certificates="$1"
+	enable_crypt32_Certificate_Check="$1"
 	enable_crypt32_CryptUnprotectMemory="$1"
 	enable_d2d1_Tests="$1"
 	enable_d3d10_1_Forwards="$1"
@ -498,6 +499,9 @@ patch_enable ()
 		crypt32-CMS_Certificates)
 			enable_crypt32_CMS_Certificates="$2"
 			;;
+		crypt32-Certificate_Check)
+			enable_crypt32_Certificate_Check="$2"
+			;;
 		crypt32-CryptUnprotectMemory)
 			enable_crypt32_CryptUnprotectMemory="$2"
 			;;
@ -2949,6 +2953,21 @@ if test "$enable_crypt32_CMS_Certificates" -eq 1; then
 	) >> "$patchlist"
 fi

+# Patchset crypt32-Certificate_Check
+# |
+# | This patchset fixes the following Wine bugs:
+# |   *	[#41652] Fix root certificate check in CERT_CHAIN_REVOCATION_CHECK_CHAIN
+# |
+# | Modified files:
+# |   *	dlls/crypt32/chain.c
+# |
+if test "$enable_crypt32_Certificate_Check" -eq 1; then
+	patch_apply crypt32-Certificate_Check/0001-crypt32-Properly-check-root-certificate-in-CERT_CHAI.patch
+	(
+		echo '+    { "Michael Müller", "crypt32: Properly check root certificate in CERT_CHAIN_REVOCATION_CHECK_CHAIN.", 1 },';
+	) >> "$patchlist"
+fi
+
 # Patchset crypt32-CryptUnprotectMemory
 # |
 # | Modified files:
				`@ -0,0 +1 @@`
				`Fixes: [41652] Fix root certificate check in CERT_CHAIN_REVOCATION_CHECK_CHAIN`