diff --git a/patches/crypt32-Certificate_Check/0001-crypt32-Properly-check-root-certificate-in-CERT_CHAI.patch b/patches/crypt32-Certificate_Check/0001-crypt32-Properly-check-root-certificate-in-CERT_CHAI.patch
new file mode 100644
index 00000000..45e837d6
--- /dev/null
+++ b/patches/crypt32-Certificate_Check/0001-crypt32-Properly-check-root-certificate-in-CERT_CHAI.patch
@@ -0,0 +1,43 @@
+From bba53bba66f4ca7b8726424e8215854a657c024a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Michael=20M=C3=BCller?=
+Date: Tue, 15 Nov 2016 23:50:23 +0100
+Subject: crypt32: Properly check root certificate in
+ CERT_CHAIN_REVOCATION_CHECK_CHAIN.
+
+CA certificates do not have a parent which defines a CRL, but Windows seems to require
+that CA certificates are self signed. We therefore should set pIssuerCert to the
+CA certificate itself before calling CertVerifyRevocation. On windows the function
+does not seem to fail if no CRL could be found, so ignore this error for now.
+---
+ dlls/crypt32/chain.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/dlls/crypt32/chain.c b/dlls/crypt32/chain.c
+index aab2e91..80b6513 100644
+--- a/dlls/crypt32/chain.c
++++ b/dlls/crypt32/chain.c
+@@ -2704,10 +2704,20 @@ static void CRYPT_VerifyChainRevocation(PCERT_CHAIN_CONTEXT chain,
+ revocationPara.pIssuerCert =
+ chain->rgpChain[i]->rgpElement[j + 1]->pCertContext;
+ else
+- revocationPara.pIssuerCert = NULL;
++ revocationPara.pIssuerCert = certToCheck;
++
+ ret = CertVerifyRevocation(X509_ASN_ENCODING,
+ CERT_CONTEXT_REVOCATION_TYPE, 1, (void **)&certToCheck,
+ revocationFlags, &revocationPara, &revocationStatus);
++
++ if (!ret && revocationStatus.dwError == CRYPT_E_NO_REVOCATION_CHECK &&
++ revocationPara.pIssuerCert == certToCheck)
++ {
++ FIXME("Unable to find CRL for CA certificate\n");
++ ret = TRUE;
++ revocationStatus.dwError = 0;
++ }
++
+ if (!ret)
+ {
+ PCERT_CHAIN_ELEMENT element = CRYPT_FindIthElementInChain(
+--
+2.9.0
+
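Review bot: The new suppression block treats a missing CRL as success whenever `revocationPara.pIssuerCert == certToCheck`, which holds for whatever element takes the `else` branch, not only for a self-signed root; the branch condition is outside the hunk, but if it is simply "last element of the chain", a partial chain ending in a non-root certificate would also have CRYPT_E_NO_REVOCATION_CHECK cleared. Since the description ties this to self-signed CA certificates, the test could say so, for example by adding `(chain->rgpChain[i]->rgpElement[j]->TrustStatus.dwInfoStatus & CERT_TRUST_IS_SELF_SIGNED)` to the condition, assuming `rgpElement[j]` is the element for `certToCheck`. Zeroing `revocationStatus.dwError` also leaves no trace on the element that revocation was not checked, so a caller that requested CERT_CHAIN_REVOCATION_CHECK_CHAIN cannot tell a checked root from an unchecked one; a short comment stating that this is a deliberate fail-open, visible only through the FIXME log, would help. The body of CRYPT_VerifyChainRevocation starts and ends outside the hunk.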
diff --git a/patches/crypt32-Certificate_Check/definition b/patches/crypt32-Certificate_Check/definition
new file mode 100644
index 00000000..596d62bf
--- /dev/null
+++ b/patches/crypt32-Certificate_Check/definition
@@ -0,0 +1 @@
+Fixes: [41652] Fix root certificate check in CERT_CHAIN_REVOCATION_CHECK_CHAIN
diff --git a/patches/patchinstall.sh b/patches/patchinstall.sh
index 001b70ec..05878450 100755
--- a/patches/patchinstall.sh
+++ b/patches/patchinstall.sh
@@ -104,6 +104,7 @@ patch_enable_all ()
 enable_comdlg32_lpstrFileTitle="$1"
 enable_configure_Absolute_RPATH="$1"
 enable_crypt32_CMS_Certificates="$1"
+ enable_crypt32_Certificate_Check="$1"
 enable_crypt32_CryptUnprotectMemory="$1"
 enable_d2d1_Tests="$1"
 enable_d3d10_1_Forwards="$1"
@@ -498,6 +499,9 @@ patch_enable ()
 crypt32-CMS_Certificates)
 enable_crypt32_CMS_Certificates="$2"
 ;;
+ crypt32-Certificate_Check)
+ enable_crypt32_Certificate_Check="$2"
+ ;;
 crypt32-CryptUnprotectMemory)
 enable_crypt32_CryptUnprotectMemory="$2"
 ;;
@@ -2949,6 +2953,21 @@ if test "$enable_crypt32_CMS_Certificates" -eq 1; then
 ) >> "$patchlist"
 fi
 
+# Patchset crypt32-Certificate_Check
+# |
+# | This patchset fixes the following Wine bugs:
+# | * [#41652] Fix root certificate check in CERT_CHAIN_REVOCATION_CHECK_CHAIN
+# |
+# | Modified files:
+# | * dlls/crypt32/chain.c
+# |
+if test "$enable_crypt32_Certificate_Check" -eq 1; then
+ patch_apply crypt32-Certificate_Check/0001-crypt32-Properly-check-root-certificate-in-CERT_CHAI.patch
+ (
+ echo '+ { "Michael Müller", "crypt32: Properly check root certificate in CERT_CHAIN_REVOCATION_CHECK_CHAIN.", 1 },';
+ ) >> "$patchlist"
+fi
+
 # Patchset crypt32-CryptUnprotectMemory
 # |
 # | Modified files: