[1/2] dlls/crypt32: implement PFXImportCertStore()

Juan Lang juan.lang at gmail.com
Thu Mar 25 11:14:28 CDT 2010

Hi Philippe,

>> You accept the PKCS12 file even if the password is incorrect.  This is
>> clearly wrong.
> It is not accepted. If the verification fails, ERR is spewed out and the next step (parse, below) will fail as well.

Is this how Windows fails?  That is, with a parse error?  Please add a
test to cover this case.

>> You don't support more than a single certificate in the PKCS12 file.
>> This may be fine for the majority of uses, but at least a warning
>> indicating more certificates are present would be helpful.
> Hmmm. How do you suggest I do that? From <http://www.openssl.org/docs/crypto/PKCS12_parse.html> I get this:
>    BUGS
>    Only a single private key and corresponding certificate is returned by this function. More complex PKCS#12
>    files with multiple private keys will only return the first match.

Look at the 5th parameter of PKCS12_parse.  It's true that OpenSSL
will only return a single certificate with a private key, but not
every certificate in a PKCS12 file need contain a private key.

>> Also, a
>> PKCS12 file can contain more than just certificates, and the tests
>> ought at least to check this.  For example, what about a PKCS12 file
>> with a CRL in it?
> I have not seen, nor needed to implement this, so I'm not sure how to test for it. Maybe add a comment to the test? Or a wine_todo test so we don't lose this information?

Test for it the way you should any Wine test:  on Windows.  Create a
store with a CRL in it, export it to a PKCS12 file, and use that as
your test case.

>> The Crypto API also supports setting such attributes, and if you
>> aren't going to support these, at least the tests should cover them
>> (and marked todo_wine) so we know they're still not done.
> Same answer. I guess I can update the test set with more wine_todo().

Yes, I'd appreciate that.

> If you create a store with no name, you run the risk of it not being created (if there is another store with no name).

Not for a memory store, it's just a linked list.

More information about the wine-devel mailing list