[PATCH 1/1] crypt32: Sync backing store when contexts are added or removed.

22 Jan 2026

From: Hans Leidekker <hans@codeweavers.com>

---
 dlls/crypt32/cert.c        |  2 ++
 dlls/crypt32/ctl.c         | 11 +++++++++--
 dlls/crypt32/store.c       | 17 ++++++++++++++---
 dlls/crypt32/tests/store.c | 24 +++++++++++++++++-------
 4 files changed, 42 insertions(+), 12 deletions(-)

diff --git a/dlls/crypt32/cert.c b/dlls/crypt32/cert.c
index 7f8f4965d02..076a1ebfe87 100644
--- a/dlls/crypt32/cert.c
+++ b/dlls/crypt32/cert.c
@@ -277,6 +277,8 @@ static BOOL add_cert_to_store(WINECRYPT_CERTSTORE *store, const CERT_CONTEXT *ce
         return FALSE;
     }
 
+    CertControlStore(store, CERT_STORE_CTRL_COMMIT_FORCE_FLAG, CERT_STORE_CTRL_COMMIT, NULL);
+
     if(inherit_props)
         Context_CopyProperties(context_ptr(new_context), existing);
 
diff --git a/dlls/crypt32/ctl.c b/dlls/crypt32/ctl.c
index 201a802ceea..311035cf7de 100644
--- a/dlls/crypt32/ctl.c
+++ b/dlls/crypt32/ctl.c
@@ -161,8 +161,12 @@ BOOL WINAPI CertAddCTLContextToStore(HCERTSTORE hCertStore,
 
             ret = store->vtbl->ctls.addContext(store, context_from_ptr(toAdd),
              existing ? context_from_ptr(existing) : NULL, ppStoreContext ? &ret_ctx : NULL, TRUE);
-            if(ret && ppStoreContext)
-                *ppStoreContext = context_ptr(ret_ctx);
+            if (ret)
+            {
+                CertControlStore(store, CERT_STORE_CTRL_COMMIT_FORCE_FLAG, CERT_STORE_CTRL_COMMIT, NULL);
+                if (ppStoreContext)
+                    *ppStoreContext = context_ptr(ret_ctx);
+            }
         }else if (ppStoreContext) {
             *ppStoreContext = CertDuplicateCTLContext(toAdd);
         }
@@ -356,7 +360,10 @@ BOOL WINAPI CertDeleteCTLFromStore(PCCTL_CONTEXT pCtlContext)
 
     ret = hcs->vtbl->ctls.delete(hcs, &ctl->base);
     if (ret)
+    {
+        CertControlStore(hcs, CERT_STORE_CTRL_COMMIT_FORCE_FLAG, CERT_STORE_CTRL_COMMIT, NULL);
         ret = CertFreeCTLContext(pCtlContext);
+    }
     return ret;
 }
 
diff --git a/dlls/crypt32/store.c b/dlls/crypt32/store.c
index 0a96a337eab..54b16ab8fa1 100644
--- a/dlls/crypt32/store.c
+++ b/dlls/crypt32/store.c
@@ -981,6 +981,8 @@ PCCERT_CONTEXT WINAPI CertEnumCertificatesInStore(HCERTSTORE hCertStore, PCCERT_
 BOOL CRYPT_DeleteCertificateFromStore(PCCERT_CONTEXT pCertContext)
 {
     WINECRYPT_CERTSTORE *hcs;
+    BOOL ret;
+
     TRACE("(%p)\n", pCertContext);
 
     if (!pCertContext)
@@ -991,7 +993,9 @@ BOOL CRYPT_DeleteCertificateFromStore(PCCERT_CONTEXT pCertContext)
     if (hcs->dwMagic != WINE_CRYPTCERTSTORE_MAGIC)
         return FALSE;
 
-    return hcs->vtbl->certs.delete(hcs, &cert_from_ptr(pCertContext)->base);
+    ret = hcs->vtbl->certs.delete(hcs, &cert_from_ptr(pCertContext)->base);
+    if (ret) CertControlStore(hcs, CERT_STORE_CTRL_COMMIT_FORCE_FLAG, CERT_STORE_CTRL_COMMIT, NULL);
+    return ret;
 }
 
 BOOL WINAPI CertDeleteCertificateFromStore(PCCERT_CONTEXT pCertContext)
@@ -1111,8 +1115,12 @@ BOOL WINAPI CertAddCRLContextToStore(HCERTSTORE hCertStore,
             context_t *ret_context;
             ret = store->vtbl->crls.addContext(store, context_from_ptr(toAdd),
              existing ? context_from_ptr(existing) : NULL, ppStoreContext ? &ret_context : NULL, FALSE);
-            if (ret && ppStoreContext)
-                *ppStoreContext = context_ptr(ret_context);
+            if (ret)
+            {
+                CertControlStore(store, CERT_STORE_CTRL_COMMIT_FORCE_FLAG, CERT_STORE_CTRL_COMMIT, NULL);
+                if (ppStoreContext)
+                    *ppStoreContext = context_ptr(ret_context);
+            }
         }else if (ppStoreContext) {
             *ppStoreContext = CertDuplicateCRLContext(toAdd);
         }
@@ -1142,7 +1150,10 @@ BOOL WINAPI CertDeleteCRLFromStore(PCCRL_CONTEXT pCrlContext)
 
     ret = hcs->vtbl->crls.delete(hcs, &crl_from_ptr(pCrlContext)->base);
     if (ret)
+    {
+        CertControlStore(hcs, CERT_STORE_CTRL_COMMIT_FORCE_FLAG, CERT_STORE_CTRL_COMMIT, NULL);
         ret = CertFreeCRLContext(pCrlContext);
+    }
     return ret;
 }
 
diff --git a/dlls/crypt32/tests/store.c b/dlls/crypt32/tests/store.c
index 09abf3d34aa..7b7266db0b2 100644
--- a/dlls/crypt32/tests/store.c
+++ b/dlls/crypt32/tests/store.c
@@ -441,8 +441,8 @@ static const struct
  */
 static void testRegStoreSavedCerts(void)
 {
-    PCCERT_CONTEXT cert1, cert2;
-    HCERTSTORE store;
+    PCCERT_CONTEXT cert1, cert2, cert3;
+    HCERTSTORE store, store2;
     HANDLE cert_file;
     HRESULT pathres;
     WCHAR key_name[MAX_PATH], appdata_path[MAX_PATH];
@@ -523,6 +523,18 @@ static void testRegStoreSavedCerts(void)
         ret = CertDeleteCertificateFromStore(cert2);
         ok (ret, "Failed to delete certificate from store at %ld, %lx\n", i, GetLastError());
 
+        /* check that cert is removed from backing store before closing store */
+        store2 = CertOpenStore(CERT_STORE_PROV_SYSTEM_REGISTRY_W,0,0,
+            reg_store_saved_certs[i].cert_store, reg_store_saved_certs[i].store_name);
+        ok (store2 != NULL, "Failed to open the store at %ld, %lx\n", i, GetLastError());
+
+        cert3 = CertFindCertificateInStore(store2, X509_ASN_ENCODING, 0,
+            CERT_FIND_EXISTING, cert1, NULL);
+        ok (cert3 == NULL, "Failed to find cert in the store at %ld, %lx\n", i, GetLastError());
+
+        ret = CertCloseStore(store2, CERT_CLOSE_STORE_CHECK_FLAG);
+        ok(ret, "got error %#lx.\n", GetLastError());
+
         CertFreeCertificateContext(cert1);
         ret = CertCloseStore(store, CERT_CLOSE_STORE_CHECK_FLAG);
         ok(ret, "got error %#lx.\n", GetLastError());
@@ -576,7 +588,7 @@ static void testStoresInCollection(void)
     ret = CertAddStoreToCollection(collection, rw_store, CERT_PHYSICAL_STORE_ADD_ENABLE_FLAG, 0);
     ok (ret, "Failed to add rw store to collection %lx\n", GetLastError());
     /** Adding certificate to collection should fall into rw store,
-     *  even though prioirty of the ro_store is higher */
+     *  even though priority of the ro_store is higher */
     ret = CertAddCertificateContextToStore(collection, cert1, CERT_STORE_ADD_REPLACE_EXISTING, NULL);
     ok (ret, "Failed to add cert to the collection %lx\n", GetLastError());
 
@@ -634,8 +646,7 @@ static void testStoresInCollection(void)
         CERT_SYSTEM_STORE_CURRENT_USER | CERT_STORE_OPEN_EXISTING_FLAG, L"WineTest_RW");
     ok (tstore!=NULL, "Failed to open existing rw store\n");
     tcert1 = CertEnumCertificatesInStore(tstore, NULL);
-    todo_wine
-        ok(tcert1 && tcert1->cbCertEncoded == cert1->cbCertEncoded, "cert1 wasn't saved\n");
+    ok(tcert1 && tcert1->cbCertEncoded == cert1->cbCertEncoded, "cert1 wasn't saved\n");
     CertFreeCertificateContext(tcert1);
     CertCloseStore(tstore,0);
 
@@ -643,8 +654,7 @@ static void testStoresInCollection(void)
         CERT_SYSTEM_STORE_CURRENT_USER | CERT_STORE_OPEN_EXISTING_FLAG, L"WineTest_RW2");
     ok (tstore!=NULL, "Failed to open existing rw2 store\n");
     tcert1 = CertEnumCertificatesInStore(tstore, NULL);
-    todo_wine
-        ok (tcert1 && tcert1->cbCertEncoded == cert2->cbCertEncoded, "cert2 wasn't saved\n");
+    ok (tcert1 && tcert1->cbCertEncoded == cert2->cbCertEncoded, "cert2 wasn't saved\n");
     CertFreeCertificateContext(tcert1);
     CertCloseStore(tstore,0);
 
-- 
GitLab

https://gitlab.winehq.org/wine/wine/-/merge_requests/9949

    