Original patch by Michael Müller.
Root certificates don't have a CRL Distribution Point or Authority Info Access field.
Don't report an error with CERT_CHAIN_REVOCATION_CHECK_CHAIN in CertGetCertificateChain() because of this.
Signed-off-by: Zhiyi Zhang <zzhang(a)codeweavers.com>
---
dlls/crypt32/chain.c | 8 ++++++++
dlls/crypt32/tests/chain.c | 6 +++---
2 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/dlls/crypt32/chain.c b/dlls/crypt32/chain.c
index d7015d797d..f77010a0fa 100644
--- a/dlls/crypt32/chain.c
+++ b/dlls/crypt32/chain.c
@@ -2698,6 +2698,14 @@ static void CRYPT_VerifyChainRevocation(PCERT_CHAIN_CONTEXT chain,
ret = CertVerifyRevocation(X509_ASN_ENCODING,
CERT_CONTEXT_REVOCATION_TYPE, 1, (void **)&certToCheck,
revocationFlags, &revocationPara, &revocationStatus);
+
+ if (!ret && revocationStatus.dwError ==
CRYPT_E_NO_REVOCATION_CHECK
+ && revocationPara.pIssuerCert == NULL)
+ {
+ WARN("Unable to find CRL or AIA for CA certificate\n");
+ ret = TRUE;
+ }
+
if (!ret)
{
PCERT_CHAIN_ELEMENT element = CRYPT_FindIthElementInChain(
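Review bot: the added `if` uses `revocationPara.pIssuerCert == NULL` as a stand-in for "this is a root certificate", but nothing in the condition checks that certToCheck is actually self-signed or is the chain's trust anchor. If pIssuerCert can also be NULL for an element whose issuer simply was not found, a CRYPT_E_NO_REVOCATION_CHECK result for that certificate becomes success and the `if (!ret)` branch that follows never runs for it, so the revocation check fails open. Consider testing the element explicitly (for example its CERT_TRUST_IS_SELF_SIGNED info status), or add a comment stating why a NULL issuer implies a root at this point. The WARN text also says "CA certificate" while the commit message speaks of root certificates; the message should name the case actually being skipped.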
diff --git a/dlls/crypt32/tests/chain.c b/dlls/crypt32/tests/chain.c
index c997068a06..3503eb3e92 100644
--- a/dlls/crypt32/tests/chain.c
+++ b/dlls/crypt32/tests/chain.c
@@ -4153,9 +4153,9 @@ static void testGetCertChain(void)
ret = CertGetCertificateChain(NULL, cert, &fileTime, store, ¶,
CERT_CHAIN_REVOCATION_CHECK_CHAIN, NULL, &chain);
ok(ret, "CertGetCertificateChain failed: %u\n", GetLastError());
- todo_wine ok(!chain->TrustStatus.dwErrorStatus
- || broken(chain->TrustStatus.dwErrorStatus ==
CERT_TRUST_REVOCATION_STATUS_UNKNOWN), /* XP */
- "chain->TrustStatus.dwErrorStatus = %x\n",
chain->TrustStatus.dwErrorStatus);
+ ok(!chain->TrustStatus.dwErrorStatus
+ || broken(chain->TrustStatus.dwErrorStatus ==
CERT_TRUST_REVOCATION_STATUS_UNKNOWN), /* XP */
+ "chain->TrustStatus.dwErrorStatus = %x\n",
chain->TrustStatus.dwErrorStatus);
ret = CertGetCertificateChain(NULL, cert, &fileTime, store, ¶,
CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT,
NULL, &chain);
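Review bot: with todo_wine removed, the changed ok() must pass on every run, yet the only non-zero value it tolerates is exactly CERT_TRUST_REVOCATION_STATUS_UNKNOWN inside broken(), commented as XP. The testbot reply in this thread shows w1064 returning 1000040, which is CERT_TRUST_REVOCATION_STATUS_UNKNOWN combined with CERT_TRUST_IS_OFFLINE_REVOCATION, so the assertion fails whenever the CRL cannot be fetched. Because the result depends on network access, consider accepting the offline-revocation combination as well, or skipping the check when revocation data is unreachable, so that a flaky network does not mask a real regression.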
--
2.18.0
Hi,
While running your changed tests on Windows, I think I found new failures.
Being a bot and all I'm not very good at pattern recognition, so I might be
wrong, but could you please double-check?
Full results can be found at:
https://testbot.winehq.org/JobDetails.pl?Key=40984
Your paranoid android.
=== w1064 (64 bit chain) ===
chain.c:4152: Test failed: chain->TrustStatus.dwErrorStatus = 1000040
chain.c:4156: Test failed: chain->TrustStatus.dwErrorStatus = 1000040
chain.c:4163: Test failed: chain->TrustStatus.dwErrorStatus = 1000040
Same patch in https://testbot.winehq.org/JobDetails.pl?Key=40988 but no error.
Probably a network issue causing it to fail to get a CRL.
On Tue 8 21 21:57, Marvin wrote:
> Hi,
> While running your changed tests on Windows, I think I found new failures.
> Being a bot and all I'm not very good at pattern recognition, so I might be
> wrong, but could you please double-check?
> Full results can be found at:
> https://testbot.winehq.org/JobDetails.pl?Key=40984
> Your paranoid android.
> === w1064 (64 bit chain) ===
> chain.c:4152: Test failed: chain->TrustStatus.dwErrorStatus = 1000040
> chain.c:4156: Test failed: chain->TrustStatus.dwErrorStatus = 1000040
> chain.c:4163: Test failed: chain->TrustStatus.dwErrorStatus = 1000040