[Bug 47785] New: CERT_CHAIN_POLICY_IGNORE_NOT_TIME_VALID_FLAG not taken into account

WineHQ Bugzilla wine-bugs at winehq.org
Fri Sep 20 00:01:50 CDT 2019


https://bugs.winehq.org/show_bug.cgi?id=47785

            Bug ID: 47785
           Summary: CERT_CHAIN_POLICY_IGNORE_NOT_TIME_VALID_FLAG not taken
                    into account
           Product: Wine
           Version: 4.16
          Hardware: x86
                OS: Linux
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: crypt32
          Assignee: wine-bugs at winehq.org
          Reporter: lois.diqual at gmail.com
      Distribution: ---

Created attachment 65274
  --> https://bugs.winehq.org/attachment.cgi?id=65274
c# program that verifies an expired certificate using IgnoreNotTimeValid

I am debugging a C# program that validates a certificate chain using
X509VerificationFlags.IgnoreNotTimeValid. The provided certificate is expired,
but it shouldn't matter because of this flag.

The chain validates properly on macOS with Mono.
However, on Wine with dotnet472, the policy fails with error NotTimeValid.

I believe there is a bug in `chain.c verify_base_policy`:
https://github.com/wine-mirror/wine/blob/e6138a52a907fe4b9b03abe0b6cf6cfb9fbc886b/dlls/crypt32/chain.c#L3033-L3040.
In this if statement, the policy verification routine determines that the
certificate has expired, but it should ignore the error if `checks` contains
`CERT_CHAIN_POLICY_IGNORE_NOT_TIME_VALID_FLAG`, and this logic is missing.

To reproduce:
 - Create a wine prefix with dotnet472 using winetricks
 - Go to drive_c/windows/Microsoft.NET/Framework/v4.0.30319 and copy verify.cs in there
 - Compile verify.cs: wine csc.exe /reference:"C:\windows/Microsoft.NET/Framework/v4.0.30319/WPF/WindowsBase.dll" verify.cs
 - Run: wine verify.exe
 - It should print "Valid cert" but instead prints "Invalid cert" with NotTimeValid.

-- 
Do not reply to this email, post in Bugzilla using the
above URL to reply.
You are receiving this mail because:
You are watching all bug changes.
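
The flag handling the report asks for, as a simplified model added here for illustration (not Wine's crypt32 code and not the reporter's attachment). The function names are hypothetical, the constants are redefined locally with their Windows SDK values, and the order of the checks is an assumption. It also shows that the flag should mask only the time-validity error, so an expired chain with an untrusted root still fails.

```c
#include <stdint.h>
#include <stdio.h>

/* Redefined locally so this builds without wincrypt.h (Windows SDK values). */
#define CERT_TRUST_IS_NOT_TIME_VALID                 0x00000001u
#define CERT_TRUST_IS_NOT_SIGNATURE_VALID            0x00000008u
#define CERT_TRUST_IS_UNTRUSTED_ROOT                 0x00000020u
#define CERT_CHAIN_POLICY_IGNORE_NOT_TIME_VALID_FLAG 0x00000001u
#define CERT_CHAIN_POLICY_ALLOW_UNKNOWN_CA_FLAG      0x00000010u
#define NO_ERROR               0x00000000u
#define TRUST_E_CERT_SIGNATURE 0x80096004u
#define CERT_E_EXPIRED         0x800B0101u
#define CERT_E_UNTRUSTEDROOT   0x800B0109u

/* Hypothetical model of the reported behaviour: an expired chain always
   fails, whatever the caller put in `checks`. */
uint32_t base_policy_reported(uint32_t trust_errors, uint32_t checks)
{
    if (trust_errors & CERT_TRUST_IS_NOT_SIGNATURE_VALID)
        return TRUST_E_CERT_SIGNATURE;
    if (trust_errors & CERT_TRUST_IS_NOT_TIME_VALID)
        return CERT_E_EXPIRED;
    if ((trust_errors & CERT_TRUST_IS_UNTRUSTED_ROOT) &&
        !(checks & CERT_CHAIN_POLICY_ALLOW_UNKNOWN_CA_FLAG))
        return CERT_E_UNTRUSTEDROOT;
    return NO_ERROR;
}

/* Hypothetical model of the requested behaviour: the flag masks the
   time-validity bit only; every other trust error is still reported. */
uint32_t base_policy_expected(uint32_t trust_errors, uint32_t checks)
{
    if (checks & CERT_CHAIN_POLICY_IGNORE_NOT_TIME_VALID_FLAG)
        trust_errors &= ~CERT_TRUST_IS_NOT_TIME_VALID;
    return base_policy_reported(trust_errors, checks);
}

int main(void)
{
    /* Constructed inputs: expired leaf alone, and expired leaf + unknown root. */
    uint32_t cases[] = { CERT_TRUST_IS_NOT_TIME_VALID,
        CERT_TRUST_IS_NOT_TIME_VALID | CERT_TRUST_IS_UNTRUSTED_ROOT };
    uint32_t checks = CERT_CHAIN_POLICY_IGNORE_NOT_TIME_VALID_FLAG;
    for (int i = 0; i < 2; i++)
        printf("errors=0x%02X reported=0x%08X expected=0x%08X\n", (unsigned)cases[i],
               (unsigned)base_policy_reported(cases[i], checks),
               (unsigned)base_policy_expected(cases[i], checks));
    return 0;
}
```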