[Bug 58342] New: Loading/Generating SSL certificate for game server fails (PFXImportCertStore flags 00000100 not supported)
http://bugs.winehq.org/show_bug.cgi?id=58342

Bug ID: 58342
Summary: Loading/Generating SSL certificate for game server fails (PFXImportCertStore flags 00000100 not supported)
Product: Wine
Version: 10.9
Hardware: x86-64
OS: Linux
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: crypt32
Assignee: wine-bugs(a)winehq.org
Reporter: madbyte(a)tuta.io
Distribution: ---

Created attachment 78719
  --> http://bugs.winehq.org/attachment.cgi?id=78719
wine generate log with WINEDEBUG=+crypt

I'm trying to run an in-dev game server for SPTarkov:
https://github.com/sp-tarkov/server-csharp

The software tries to generate a new cert via the following code:
https://github.com/sp-tarkov/server-csharp/blob/main/Libraries/SPTarkov.Serv...

Compiling the server for Linux natively and running it works fine & a certificate.pfx file is created no issues.

When running the server through wine (main use case), cert creation fails with the following lines (see attached log ''):

01c4:trace:crypt:PFXIsPFXBlob (00007F2C1898A390)
01c4:trace:crypt:CryptQueryObject returning 1
01c4:fixme:crypt:PFXImportCertStore flags 00000100 not supported
System.Security.Cryptography.CryptographicException: Success.
   at System.Security.Cryptography.X509Certificates.X509CertificateLoader.ImportPfx(ReadOnlySpan`1 data, ReadOnlySpan`1 password, X509KeyStorageFlags keyStorageFlags)

When generating a cert file via the Linux native server & then trying to run the windows server, I get the following lines:

01dc:trace:crypt:CryptQueryObject returning 1
01dc:fixme:thread:NtQueryInformationThread ThreadIdealProcessorEx info class - stub
01dc:fixme:thread:SetThreadIdealProcessorEx (FFFFFFFFFFFFFFFE 00007F2E5AB99EC0 00007F2E5AB99EC0): stub
01dc:fixme:crypt:PFXImportCertStore flags 00000100 not supported
01dc:fixme:thread:NtQueryInformationThread ThreadIdealProcessorEx info class - stub
01dc:fixme:thread:SetThreadIdealProcessorEx (FFFFFFFFFFFFFFFE 00007F2E5AB979F0 00007F2E5AB979F0): stub
System.Security.Cryptography.CryptographicException: Success.
   at System.Security.Cryptography.X509Certificates.X509CertificateLoader.ImportPfx(ReadOnlySpan`1 data, ReadOnlySpan`1 password, X509KeyStorageFlags keyStorageFlags)

Since `01dc:fixme:crypt:PFXImportCertStore flags 00000100 not supported` is in both logs, it's possible that the `PKCS12_PREFER_CNG_KSP` flag might be the issue:
https://github.com/wine-mirror/wine/blob/master/include/wincrypt.h#L3993

Thanks.

--
Do not reply to this email, post in Bugzilla using the above URL to reply.
You are receiving this mail because:
You are watching all bug changes.

http://bugs.winehq.org/show_bug.cgi?id=58342

--- Comment #1 from Lars Loe <madbyte(a)tuta.io> ---
Created attachment 78720
  --> http://bugs.winehq.org/attachment.cgi?id=78720
wine import log with WINEDEBUG=+crypt

http://bugs.winehq.org/show_bug.cgi?id=58342

Lars Loe <madbyte(a)tuta.io> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |madbyte(a)tuta.io

http://bugs.winehq.org/show_bug.cgi?id=58342

Lars Loe <madbyte(a)tuta.io> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                URL|                            |https://github.com/sp-tarkov/server-csharp
           Keywords|                            |dotnet, source

http://bugs.winehq.org/show_bug.cgi?id=58342

--- Comment #2 from Hans Leidekker <hans(a)meelstraat.net> ---
Created attachment 78727
  --> http://bugs.winehq.org/attachment.cgi?id=78727
patch

Right, we're returning NULL for this unsupported flag but we could ignore it since it's just a preference. Something like this patch may help.

http://bugs.winehq.org/show_bug.cgi?id=58342

--- Comment #3 from Dmitry Timoshkov <dmitry(a)baikal.ru> ---
(In reply to Hans Leidekker from comment #2)
> Created attachment 78727 [details]
> patch
>
> Right, we're returning NULL for this unsupported flag but we could ignore it
> since it's just a preference. Something like this patch may help.

Shouldn't 'if (flags == PKCS12_PREFER_CNG_KSP)' be 'if (flags & PKCS12_PREFER_CNG_KSP)' instead?

http://bugs.winehq.org/show_bug.cgi?id=58342

--- Comment #4 from Hans Leidekker <hans(a)meelstraat.net> ---
(In reply to Dmitry Timoshkov from comment #3)
> (In reply to Hans Leidekker from comment #2)
> > Created attachment 78727 [details]
> > patch
> >
> > Right, we're returning NULL for this unsupported flag but we could ignore it
> > since it's just a preference. Something like this patch may help.
>
> Shouldn't 'if (flags == PKCS12_PREFER_CNG_KSP)' be 'if (flags &
> PKCS12_PREFER_CNG_KSP)' instead?

That would accept combinations of PKCS12_PREFER_CNG_KSP and unsupported flags.

http://bugs.winehq.org/show_bug.cgi?id=58342

--- Comment #5 from Lars Loe <madbyte(a)tuta.io> ---
I think I might have messed up the generate code snippet, mb.
Instead of flag 0x00000100 on PFXImportCertStore it shows:

01bc:fixme:ncrypt:NCryptSetProperty flags 0x40000000 not supported
01bc:fixme:ncrypt:NCryptSetProperty flags 0x80000000 not supported
01bc:trace:crypt:CryptQueryObject (00000002, 00007F22D18AA228, 00001522, 0000000e, 00000000, 00007F22D18AA220, 00007F22D18AA260, 00007F22D18AA218, 00007F22D18AA128, 00007F22D18AA120, 00007F22D18AA118)

Attachment: wine generate log with WINEDEBUG=+crypt

Not sure if this might be the actual reason on cert gen.
Thanks for your work :)

http://bugs.winehq.org/show_bug.cgi?id=58342

Zeb Figura <z.figura12(a)gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |z.figura12(a)gmail.com

--- Comment #6 from Zeb Figura <z.figura12(a)gmail.com> ---
(In reply to Hans Leidekker from comment #4)
> (In reply to Dmitry Timoshkov from comment #3)
> > (In reply to Hans Leidekker from comment #2)
> > > Created attachment 78727 [details]
> > > patch
> > >
> > > Right, we're returning NULL for this unsupported flag but we could ignore it
> > > since it's just a preference. Something like this patch may help.
> >
> > Shouldn't 'if (flags == PKCS12_PREFER_CNG_KSP)' be 'if (flags &
> > PKCS12_PREFER_CNG_KSP)' instead?
>
> That would accept combinations of PKCS12_PREFER_CNG_KSP and unsupported
> flags.

Not to bikeshed further, but wouldn't it be clearer (and more idiomatic?) to write

    if (flags & PKCS12_PREFER_CNG_KSP)
        FIXME("ignoring PKCS12_PREFER_CNG_KSP\n");
    if (flags & ~supported)
        FIXME("unsupported flags %#x\n", flags & ~supported);

That results in a double fixme, but both statements are true.

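The three ways of testing the flag that comments #3, #4 and #6 weigh up, modelled side by side as an added example (this is not Wine's code and not the attached patch, which is not reproduced in this thread). The SUPPORTED mask and the accept/reject behaviour around each test are assumptions made for the model; the flag values are those defined in wincrypt.h.

```c
#include <stdint.h>
#include <stdio.h>

/* Flag values as defined in wincrypt.h. */
#define CRYPT_EXPORTABLE      0x00000001u
#define PKCS12_PREFER_CNG_KSP 0x00000100u
#define PKCS12_ALWAYS_CNG_KSP 0x00000200u

/* Assumption for this model: the only flag the importer fully supports. */
#define SUPPORTED CRYPT_EXPORTABLE

/* Each check returns 1 if the import would proceed, 0 if it would fail.
   '==' form quoted in comment #3: tolerate the preference only when alone. */
static int check_eq(uint32_t flags)
{
    if (flags == PKCS12_PREFER_CNG_KSP) return 1;
    return (flags & ~SUPPORTED) == 0;
}

/* '&' form from comment #3, modelled as an early accept. */
static int check_and(uint32_t flags)
{
    if (flags & PKCS12_PREFER_CNG_KSP) return 1;
    return (flags & ~SUPPORTED) == 0;
}

/* Mask form: drop the ignorable bit, then validate whatever remains. */
static int check_mask(uint32_t flags)
{
    flags &= ~PKCS12_PREFER_CNG_KSP;
    return (flags & ~SUPPORTED) == 0;
}

/* Pack the three verdicts as bits: '==' is 4, '&' is 2, mask is 1. */
static int verdicts(uint32_t flags)
{
    return (check_eq(flags) << 2) | (check_and(flags) << 1) | check_mask(flags);
}

int main(void)
{
    const uint32_t cases[] = {
        PKCS12_PREFER_CNG_KSP, PKCS12_PREFER_CNG_KSP | CRYPT_EXPORTABLE,
        PKCS12_PREFER_CNG_KSP | PKCS12_ALWAYS_CNG_KSP, PKCS12_ALWAYS_CNG_KSP,
    };
    for (size_t i = 0; i < sizeof cases / sizeof *cases; i++)
        printf("flags %08x  ==:%d  &:%d  mask:%d\n", (unsigned)cases[i],
               check_eq(cases[i]), check_and(cases[i]), check_mask(cases[i]));
    return 0;
}
```

In this model PKCS12_PREFER_CNG_KSP | CRYPT_EXPORTABLE passes the mask form but not the '==' form, while PKCS12_PREFER_CNG_KSP | PKCS12_ALWAYS_CNG_KSP passes only the early-accept '&' form.
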
http://bugs.winehq.org/show_bug.cgi?id=58342

Lars Loe <madbyte(a)tuta.io> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #78720|0                           |1
        is obsolete|                            |

--- Comment #7 from Lars Loe <madbyte(a)tuta.io> ---
Created attachment 78738
  --> http://bugs.winehq.org/attachment.cgi?id=78738
Import log with patch1_20250610 WINEDEBUG=+crypt

http://bugs.winehq.org/show_bug.cgi?id=58342

--- Comment #8 from Lars Loe <madbyte(a)tuta.io> ---
(In reply to Hans Leidekker from comment #4)
> (In reply to Dmitry Timoshkov from comment #3)
> > (In reply to Hans Leidekker from comment #2)
> > > Created attachment 78727 [details]
> > > patch
> > >
> > > Right, we're returning NULL for this unsupported flag but we could ignore it
> > > since it's just a preference. Something like this patch may help.
> >
> > Shouldn't 'if (flags == PKCS12_PREFER_CNG_KSP)' be 'if (flags &
> > PKCS12_PREFER_CNG_KSP)' instead?
>
> That would accept combinations of PKCS12_PREFER_CNG_KSP and unsupported
> flags.

Tried your patch file with latest wine-git.
Nothing changed for cert generation, same crash log as posted above.

On cert import I get further than before, but now GnuTLS fails with:

01ac:fixme:crypt:PFXImportCertStore ignoring PKCS12_PREFER_CNG_KSP
01ac:trace:crypt:gnutls_log <3> ASSERT: ../../../lib/x509/pkcs7-crypt.c[_gnutls_pkcs_raw_decrypt_data]:1234
01ac:trace:crypt:gnutls_log <3> ASSERT: ../../../lib/x509/privkey_pkcs8.c[pkcs8_key_decrypt]:780
01ac:trace:crypt:gnutls_log <3> ASSERT: ../../../lib/x509/privkey_pkcs8.c[gnutls_x509_privkey_import_pkcs8]:1752
01ac:trace:crypt:gnutls_log <3> ASSERT: ../../../lib/x509/pkcs12.c[gnutls_pkcs12_simple_parse]:1752
GnuTLS error: Decryption failed.
System.Security.Cryptography.CryptographicException: Success.
   at System.Security.Cryptography.X509Certificates.X509CertificateLoader.ImportPfx(ReadOnlySpan`1 data, ReadOnlySpan`1 password, X509KeyStorageFlags keyStorageFlags)

I assume this needs to be reported to the GnuTLS project instead?