Import system certificates in crypt32 at Wine

Donat Enikeev donat at enikeev.net
Sun Oct 16 13:55:42 CDT 2016


[Resending in plain/text, apologies for html]
Hi Guys,

I recently watched a video from WineConf 2015, and the results around
opening the community look really promising, so I am making a 3rd
attempt to be useful here :)

The bug https://bugs.winehq.org/show_bug.cgi?id=30187 : Cisco IP 
Communicator fails to set up because the 'certmgr.exe' tool fails to 
install a certificate into the system-wide trusted certificate store.

Wine uses registry-based certificate stores by default, but treats the 
HKLM\Root store as a special case: whenever an app opens such a store, 
Crypt32 goes through hard-coded paths in rootstore.c:

static const char * const CRYPT_knownLocations[] = {
"/etc/ssl/certs/ca-certificates.crt", "/etc/ssl/certs", ... };

and adds all the certificates found to the special store. In the context 
of the bug, this special-case store doesn't support adding certificates, 
and thus Cisco IP fails to install.

So a backward-compatible patch (attached) that just fixes this bug 
looks straightforward: make a collection of stores, add the HKLM\Root 
registry certificate store to it first, and then add the system store 
with certificates from the environment. Then return the resulting 
collection as the store to work with. It will allow applications to do 
whatever they used to do with certificates, while keeping all the Linux 
certificates available for verification of any kind.

The problem with this approach is that the current Wine crypt32 doesn't 
actually save certificates that were added to a collection of stores 
(the test for this is attached), while Windows does. Although it could 
be fixed with a different patch in one function, I would like to hear 
your thoughts first on the following questions:

1. Does this backward-compatible patch set make sense at all, and is it 
worth proceeding with? Probably you have some ongoing activities.

2. Do you still think that Wine should import system certificates 
during an HKLM\Root request at all, rather than just shipping with those 
from a typical Windows installation?

3. Have you considered a different approach to utilizing system 
certificates in Wine? For example, import all system certificates into 
the *registry* during the wine-prefix initialization process, and work 
with them from there the way Windows does (even native crypt32 will 
benefit from this approach). That will allow unifying and simplifying 
crypt32, removing all those arguable hard-coded paths in the code, and 
bringing a more familiar environment to the Windows application and, at 
the same time, isolation.

Please share your thoughts,
Donnie
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0003-test-save-cert-in-collection.patch
Type: text/x-patch
Size: 7636 bytes
Desc: not available
URL: <http://www.winehq.org/pipermail/wine-devel/attachments/20161016/d6902b26/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0004-Merging-systems-certificates-with-HKLM-root-for-apps.patch
Type: text/x-patch
Size: 3088 bytes
Desc: not available
URL: <http://www.winehq.org/pipermail/wine-devel/attachments/20161016/d6902b26/attachment-0001.bin>
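
The store layout proposed in the message above, as an added toy model; it is not part of the original mail or its attached patches and is not Wine code. The struct and function names and the certificate labels are hypothetical, and the write-through to the registry sibling is the behaviour the mail attributes to Windows.

```c
/* Toy model of the store layout proposed in the mail; not Wine's crypt32 code. */
#include <string.h>

#define MAX_CERTS 8
#define MAX_SIBLINGS 4

struct store {                      /* one physical store */
    int add_enabled;                /* models CERT_PHYSICAL_STORE_ADD_ENABLE_FLAG */
    const char *certs[MAX_CERTS];   /* constructed labels stand in for certificates */
    int count;
};
struct collection {                 /* siblings, highest priority first */
    struct store *sib[MAX_SIBLINGS];
    int count;
};

int store_has(const struct store *s, const char *cert) {
    for (int i = 0; i < s->count; i++)
        if (strcmp(s->certs[i], cert) == 0) return 1;
    return 0;
}
/* Direct add: refused by a store that does not accept writes. */
int store_add(struct store *s, const char *cert) {
    if (!s->add_enabled || s->count == MAX_CERTS) return 0;
    if (!store_has(s, cert)) s->certs[s->count++] = cert;
    return 1;
}
/* Add via the collection: lands in the first sibling that accepts adds. */
int collection_add(struct collection *c, const char *cert) {
    for (int i = 0; i < c->count; i++)
        if (store_add(c->sib[i], cert)) return 1;
    return 0;
}
/* Lookup via the collection: any sibling may supply the certificate. */
int collection_has(const struct collection *c, const char *cert) {
    for (int i = 0; i < c->count; i++)
        if (store_has(c->sib[i], cert)) return 1;
    return 0;
}
int main(void) {
    struct store host = { 0, { "host-ca" }, 1 };     /* read-only, filled from host paths */
    struct store reg  = { 1, { 0 }, 0 };             /* writable HKLM\Root registry store */
    struct collection root = { { &reg, &host }, 2 }; /* registry store first */
    int ok = !store_add(&host, "app-ca")             /* the failure in the bug */
          && collection_add(&root, "app-ca")         /* the proposed behaviour */
          && store_has(&reg, "app-ca") && collection_has(&root, "host-ca");
    return ok ? 0 : 1;
}
```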

