Imort system certificates in crypt32 at Wine
Jacek Caban
jacek at codeweavers.com
Sun Oct 16 15:06:42 CDT 2016
Hi Donat,
On 10/16/16 9:34 PM, Donat Enikeev wrote:
> Hi Jacek,
>
>> I agree that hardcoded paths are not nice, but if we don't have
>> better generic solution, we have to live with that
>
> So, could expressing certificates into registry once and beforehand
> during wine-prefix creation - be that one "better generic solution"? I
> think I could spend some time on it, if that considered a right way to go
This solution would change nothing in that regards - you still need
hardcoded list of paths to do the import. You would just use it slightly
differently.
Also, I did not say to do that for wine prefix creation. User may
intentionally remove a certificate in host system after wineserver is
created and we should reflect that in Wine (not to mention moving wine
prefix to another machine). That's why I suggested using
REG_OPTION_VIOLATILE - so that registry keys would be gone when
wineserver terminates (aka. Windows shutdown) and we'd recreate them the
next time root store is created.
And yes, I would consider such solution better.
>> How about instead of current CRYPT_RootOpenStore call, we'd create
>> registry entries expressing system certificates using
>> REG_OPTION_VIOLATILE once for Wine session?
>
> That will work as well, but would require another custom wine-specific
> piece of code for the certificates import using that flag for registry
> keys OR passing special flag to the existing Store management functions.
I'm not sure why you need more that we already have. We already have
special handling for root store in CRYPT_SysRegOpenStoreW. You could
just change it to call new import_system_certs function and continue
like for other stores instead of calling CRYPT_RootOpenStore and returning.
> In general, if sticking to the current way of implementation is the
> most reasonable option in the context, just proper handling of flags
> and priorities for collections is required (following Remarks at
> https://msdn.microsoft.com/en-us/library/windows/desktop/aa376022(v=vs.85).aspx
> ), so the collection will forward added certificates to the
> appropriate store: registry one with RW access, not the memory based
> created by CRYPT_RootOpenStore with RO access
I would need deeper look at the code to comment that. However, note that
with that we'd use registry stores that are already used for non-root
cases. That said, I wouldn't be surprised if you find that existing code
would needs fixes.
Thanks,
Jacek
More information about the wine-devel
mailing list