Added patch to fix root certificate check in CERT_CHAIN_REVOCATION_CHECK_CHAIN.

2025-09-12 18:50:20 -07:00 · 2016-11-16 00:07:53 +01:00
parent dcc28e042c
commit 5b403d94e2
3 changed files with 63 additions and 0 deletions
--- a/patches/crypt32-Certificate_Check/0001-crypt32-Properly-check-root-certificate-in-CERT_CHAI.patch
+++ b/patches/crypt32-Certificate_Check/0001-crypt32-Properly-check-root-certificate-in-CERT_CHAI.patch
@@ -0,0 +1,43 @@
+From bba53bba66f4ca7b8726424e8215854a657c024a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Michael=20M=C3=BCller?= <michael@fds-team.de>
+Date: Tue, 15 Nov 2016 23:50:23 +0100
+Subject: crypt32: Properly check root certificate in
+ CERT_CHAIN_REVOCATION_CHECK_CHAIN.
+
+CA certificates do not have a parent which defines a CRL, but Windows seems to require
+that CA certificates are self signed. We therefore should set pIssuerCert to the
+CA certificate itself before calling CertVerifyRevocation. On windows the function
+does not seem to fail if no CRL could be found, so ignore this error for now.
+---
+ dlls/crypt32/chain.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/dlls/crypt32/chain.c b/dlls/crypt32/chain.c
+index aab2e91..80b6513 100644
+--- a/dlls/crypt32/chain.c
+++ b/dlls/crypt32/chain.c
+@@ -2704,10 +2704,20 @@ static void CRYPT_VerifyChainRevocation(PCERT_CHAIN_CONTEXT chain,
+                     revocationPara.pIssuerCert =
+                      chain->rgpChain[i]->rgpElement[j + 1]->pCertContext;
+                 else
+-                    revocationPara.pIssuerCert = NULL;
+                    revocationPara.pIssuerCert = certToCheck;
+
+                 ret = CertVerifyRevocation(X509_ASN_ENCODING,
+                  CERT_CONTEXT_REVOCATION_TYPE, 1, (void **)&certToCheck,
+                  revocationFlags, &revocationPara, &revocationStatus);
+
+                if (!ret && revocationStatus.dwError == CRYPT_E_NO_REVOCATION_CHECK &&
+                    revocationPara.pIssuerCert == certToCheck)
+                {
+                    FIXME("Unable to find CRL for CA certificate\n");
+                    ret = TRUE;
+                    revocationStatus.dwError = 0;
+                }
+
+                 if (!ret)
+                 {
+                     PCERT_CHAIN_ELEMENT element = CRYPT_FindIthElementInChain(
+-- 
+2.9.0
+
--- a/patches/crypt32-Certificate_Check/definition
+++ b/patches/crypt32-Certificate_Check/definition
@@ -0,0 +1 @@
+Fixes: [41652] Fix root certificate check in CERT_CHAIN_REVOCATION_CHECK_CHAIN
				`@@ -0,0 +1 @@`
				`Fixes: [41652] Fix root certificate check in CERT_CHAIN_REVOCATION_CHECK_CHAIN`