https://bugs.winehq.org/show_bug.cgi?id=34083
Anastasius Focht focht@gmx.net changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |focht@gmx.net
            Summary|Symantec Antivirus 10.x     |Symantec Antivirus 10.x
                   |installer fails in custom   |installer fails in custom
                   |action                      |action
                   |WriteCcSettingsTables.03FE0 |WriteCcSettingsTables.03FE0
                   |1CF_295E_4354_A292_7DC4A810 |1CF_295E_4354_A292_7DC4A810
                   |E0DA                        |E0DA (CERT with multiple OU
                   |                            |fields,
                   |                            |crypt32.CertGetNameStringW
                   |                            |must return RDNs in reverse
                   |                            |order)
          Component|-unknown                    |crypt32

--- Comment #5 from Anastasius Focht focht@gmx.net ---
Hello folks,
confirming. I found SAV 10.0 as distributed "backup" and could reproduce the problem with the installer.
A rare case of snake oil software being useful - to reveal an interesting bug in Wine :-)
To debug the custom action in question:
--- snip ---
$ MsiBreak="_WriteCcSettingsTables@4" wine msiexec -i "Symantec AntiVirus.msi"
--- snip ---
Custom action dll msicde9._WriteCcSettingsTables@4:
--- snip ---
6B744A80 | push ebp |
6B744A81 | mov ebp,esp |
6B744A83 | push FFFFFFFF |
6B744A85 | push msicde9.6B761826 |
6B744A8A | mov eax,dword ptr fs:[0] |
6B744A90 | push eax |
...
6B744C04 | mov dword ptr ss:[ebp-18],edi |
6B744C07 | mov dword ptr ss:[ebp-4C],msicde9.6B763A90 |
6B744C0E | mov dword ptr ss:[ebp-44],edi |
6B744C11 | mov dword ptr ss:[ebp-40],edi |
6B744C14 | mov dword ptr ss:[ebp-3C],edi |
6B744C17 | mov dword ptr ss:[ebp-34],edi |
6B744C1A | mov dword ptr ss:[ebp-30],edi |
6B744C1D | mov dword ptr ss:[ebp-2C],edi |
6B744C20 | mov dword ptr ss:[ebp-38],msicde9.6B7637F8 |
6B744C27 | mov dword ptr ss:[ebp-28],edi |
6B744C2A | mov dword ptr ss:[ebp-48],msicde9.6B763A88 |
6B744C31 | xor eax,eax |
6B744C33 | test bl,bl |
6B744C35 | mov byte ptr ss:[ebp-4],5 |
6B744C39 | je msicde9.6B744C54 |
6B744C3B | lea eax,dword ptr ss:[ebp-18] |
6B744C3E | push eax |
6B744C3F | lea ecx,dword ptr ss:[ebp-4C] |
6B744C42 | call msicde9.6B746D80 |
6B744C47 | test eax,eax | 0x80010303
6B744C49 | js msicde9.6B744C54 |
6B744C4B | cmp dword ptr ss:[ebp-18],edi |
6B744C4E | mov byte ptr ss:[ebp+8],1 |
6B744C52 | jne msicde9.6B744C58 |
6B744C54 | mov byte ptr ss:[ebp+8],0 |
6B744C58 | mov ecx,dword ptr ss:[ebp-18] |
6B744C5B | push ecx |
6B744C5C | push eax |
6B744C5D | mov eax,dword ptr ss:[ebp+8] |
6B744C60 | movzx edx,bl |
6B744C63 | push edx |
6B744C64 | push msicde9.6B763E48 | "Failed to create settings manager. bSettingsMgrActive=%d, symRes=0x%.8x, pTemp=0x%.8x"
6B744C69 | push msicde9.6B763EA0 | "WriteCcSettingsTables: "
6B744C6E | push eax |
6B744C6F | call msicde9.6B7472E0 |
--- snip ---
Settings manager -> 'C:\Program Files\Common Files\Symantec Shared\ccSet.dll'
Disassembly of the subroutine revealing the problem. I annotated it with values from the debugging session.
--- snip ---
6B492CD0 | push ebp |
6B492CD1 | mov ebp,esp |
6B492CD3 | and esp,FFFFFFF8 |
6B492CD6 | sub esp,63C |
6B492CDC | mov eax,dword ptr ds:[6B49F0E0] |
6B492CE1 | push ebx |
6B492CE2 | push esi |
6B492CE3 | mov esi,dword ptr ss:[ebp+8] |
6B492CE6 | test esi,esi |
6B492CE8 | mov dword ptr ss:[esp+640],eax |
6B492CEF | push edi |
6B492CF0 | mov ebx,ecx |
6B492CF2 | je ccvrtrst.6B492F73 |
6B492CF8 | mov edx,dword ptr ds:[ebx+28] | _CertGetNameStringA@24
6B492CFB | test edx,edx |
6B492CFD | je ccvrtrst.6B492F73 |
6B492D03 | xor eax,eax |
6B492D05 | push 104 |
6B492D0A | mov ecx,41 |
6B492D0F | lea edi,dword ptr ss:[esp+224] |
6B492D16 | rep stosd |
6B492D18 | lea eax,dword ptr ss:[esp+224] |
6B492D1F | push eax |
6B492D20 | push ccvrtrst.6B49B1D4 | OID "2.5.4.3"
6B492D25 | push 0 |
6B492D27 | push 3 |
6B492D29 | push esi |
6B492D2A | mov dword ptr ss:[esp+24],1 |
6B492D32 | call edx | CertGetNameStringA()
6B492D34 | cmp eax,1 | 0x15
6B492D37 | jbe ccvrtrst.6B492DF4 | "Symantec Corporation"
6B492D3D | xor eax,eax |
6B492D3F | push 104 |
6B492D44 | mov ecx,41 |
6B492D49 | lea edi,dword ptr ss:[esp+14] |
6B492D4D | rep stosd |
6B492D4F | lea ecx,dword ptr ss:[esp+14] |
6B492D53 | push ecx |
6B492D54 | push ccvrtrst.6B49B1C8 | OID "2.5.4.11"
6B492D59 | push eax |
6B492D5A | push 3 |
6B492D5C | push esi |
6B492D5D | call dword ptr ds:[ebx+28] | CertGetNameStringA()
6B492D60 | cmp eax,1 | 0x36
6B492D63 | jbe ccvrtrst.6B492DF4 | "Digital ID Class 3 - Microsoft Software Validation v2"
6B492D69 | push 104 |
6B492D6E | lea edx,dword ptr ss:[esp+11C] |
6B492D75 | push edx |
6B492D76 | push ccvrtrst.6B49B1BC | OID "2.5.4.10"
6B492D7B | xor eax,eax |
6B492D7D | push eax |
6B492D7E | push 3 |
6B492D80 | mov ecx,41 |
6B492D85 | lea edi,dword ptr ss:[esp+12C] |
6B492D8C | push esi |
6B492D8D | rep stosd |
6B492D8F | call dword ptr ds:[ebx+28] | CertGetNameStringA()
6B492D92 | cmp eax,1 | 0x15
6B492D95 | jbe ccvrtrst.6B492DF4 | "Symantec Corporation"
6B492D97 | xor eax,eax |
6B492D99 | push 104 |
6B492D9E | mov ecx,41 |
6B492DA3 | lea edi,dword ptr ss:[esp+434] |
6B492DAA | rep stosd |
6B492DAC | lea eax,dword ptr ss:[esp+434] |
6B492DB3 | push eax |
6B492DB4 | push ccvrtrst.6B49B1B4 | OID "2.5.4.7"
6B492DB9 | push 0 |
6B492DBB | push 3 |
6B492DBD | push esi |
6B492DBE | call dword ptr ds:[ebx+28] | CertGetNameStringA()
6B492DC1 | cmp eax,1 | 0xD
6B492DC4 | jbe ccvrtrst.6B492DF4 | "Santa Monica"
6B492DC6 | xor eax,eax |
6B492DC8 | push 104 |
6B492DCD | mov ecx,41 |
6B492DD2 | lea edi,dword ptr ss:[esp+32C] |
6B492DD9 | rep stosd |
6B492DDB | lea ecx,dword ptr ss:[esp+32C] |
6B492DE2 | push ecx |
6B492DE3 | push ccvrtrst.6B49B1AC | OID "2.5.4.8"
6B492DE8 | push eax |
6B492DE9 | push 3 |
6B492DEB | push esi |
6B492DEC | call dword ptr ds:[ebx+28] | CertGetNameStringA()
6B492DEF | cmp eax,1 | 0x8
6B492DF2 | ja ccvrtrst.6B492E29 | "California"
6B492DF4 | call dword ptr ds:[<&GetLastError>] |
6B492DFA | push eax |
6B492DFB | push ccvrtrst.6B49B160 | "CVerifyCertProperties::VerifySymantec() : CertGetNameString() <= 1, 0x%08X\n"
6B492E00 | call ccvrtrst.6B491040 |
6B492E05 | mov dword ptr ss:[esp+14],3 |
6B492E0D | mov eax,dword ptr ss:[esp+14] |
6B492E11 | add esp,8 |
6B492E14 | mov ecx,dword ptr ss:[esp+644] |
6B492E1B | call ccvrtrst.6B4933EE |
6B492E20 | pop edi |
6B492E21 | pop esi |
6B492E22 | pop ebx |
6B492E23 | mov esp,ebp |
6B492E25 | pop ebp |
6B492E26 | ret 4 |
6B492E29 | push 104 |
6B492E2E | lea edx,dword ptr ss:[esp+53C] |
6B492E35 | push edx |
6B492E36 | xor eax,eax |
6B492E38 | push ccvrtrst.6B49B158 | OID "2.5.4.6"
6B492E3D | mov ecx,41 |
6B492E42 | lea edi,dword ptr ss:[esp+544] |
6B492E49 | rep stosd |
6B492E4B | push eax |
6B492E4C | mov edi,3 |
6B492E51 | push edi |
6B492E52 | push esi |
6B492E53 | call dword ptr ds:[ebx+28] | CertGetNameStringA()
6B492E56 | cmp eax,1 | 0x3
6B492E59 | ja ccvrtrst.6B492E8A | "US"
6B492E5B | call dword ptr ds:[<&GetLastError>] |
6B492E61 | push eax |
6B492E62 | push ccvrtrst.6B49B160 | "CVerifyCertProperties::VerifySymantec() : CertGetNameString() <= 1, 0x%08X\n"
6B492E67 | call ccvrtrst.6B491040 |
6B492E6C | add esp,8 |
6B492E6F | mov dword ptr ss:[esp+C],edi |
6B492E73 | mov eax,edi |
6B492E75 | mov ecx,dword ptr ss:[esp+644] |
6B492E7C | call ccvrtrst.6B4933EE |
6B492E81 | pop edi |
6B492E82 | pop esi |
6B492E83 | pop ebx |
6B492E84 | mov esp,ebp |
6B492E86 | pop ebp |
6B492E87 | ret 4 |
6B492E8A | mov ecx,ccvrtrst.6B49F260 |
6B492E8F | call <JMP.&Ordinal#1036> | CEncryptedString::Decrypt()
6B492E94 | mov esi,dword ptr ds:[<&lstrcmpA>] |
6B492E9A | push eax | "Symantec Corporation"
6B492E9B | lea eax,dword ptr ss:[esp+224] |
6B492EA2 | push eax | "Symantec Corporation"
6B492EA3 | call esi | kernel32.lstrcmpA()
6B492EA5 | test eax,eax |
6B492EA7 | jne ccvrtrst.6B492F56 |
6B492EAD | mov ecx,ccvrtrst.6B49F2A0 |
6B492EB2 | call <JMP.&Ordinal#1036> | CEncryptedString::Decrypt()
6B492EB7 | push eax | "Symantec Research Labs"
6B492EB8 | lea ecx,dword ptr ss:[esp+14] |
6B492EBC | push ecx | "Digital ID Class 3 - Microsoft Software Validation v2"
6B492EBD | call esi | kernel32.lstrcmpA()
6B492EBF | test eax,eax | -1
6B492EC1 | je ccvrtrst.6B492ED9 |
6B492EC3 | mov ecx,ccvrtrst.6B49F2E0 |
6B492EC8 | call <JMP.&Ordinal#1036> | CEncryptedString::Decrypt()
6B492ECD | push eax | "Configuration Management"
6B492ECE | lea edx,dword ptr ss:[esp+14] |
6B492ED2 | push edx | "Digital ID Class 3 - Microsoft Software Validation v2"
6B492ED3 | call esi | kernel32.lstrcmpA()
6B492ED5 | test eax,eax | 0x1
6B492ED7 | jne ccvrtrst.6B492F56 | *problem*
...
--- snip ---
Matching part of +crypt trace log for the subroutine:
--- snip ---
...
0654:trace:crypt:CertGetNameStringW (0017A154, 3, 00000000, 6B49B1D4, 00169498, 21)
0654:trace:crypt:CryptDecodeObjectEx (0x00000001, #0007, 001DA4D4, 219, 0x00008000, 00000000, 014DF230, 014DF234)
0654:trace:crypt:CryptDecodeObjectEx returning 1
0654:trace:crypt:CertFindRDNAttr "2.5.4.3" 001D7A40
0654:trace:crypt:CertRDNValueToStrW (5, 001D7BA4, 00169498, 21)
0654:trace:crypt:CertRDNValueToStrW returning 21 (L"Symantec Corporation")
0654:trace:crypt:CertGetNameStringA (0017A154, 3, 00000000, 6B49B1C8, 014DF2B0, 260)
0654:trace:crypt:CertGetNameStringW (0017A154, 3, 00000000, 6B49B1C8, 00000000, 0)
0654:trace:crypt:CryptDecodeObjectEx (0x00000001, #0007, 001DA4D4, 219, 0x00008000, 00000000, 014DF230, 014DF234)
0654:trace:crypt:CryptDecodeObjectEx returning 1
0654:trace:crypt:CertFindRDNAttr "2.5.4.11" 001D7A40
0654:trace:crypt:CertRDNValueToStrW (4, 001D7B1C, 00000000, 0)
0654:trace:crypt:CertRDNValueToStrW returning 54 ((null))
0654:trace:crypt:CertGetNameStringW (0017A154, 3, 00000000, 6B49B1C8, 00178880, 54)
0654:trace:crypt:CryptDecodeObjectEx (0x00000001, #0007, 001DA4D4, 219, 0x00008000, 00000000, 014DF230, 014DF234)
0654:trace:crypt:CryptDecodeObjectEx returning 1
0654:trace:crypt:CertFindRDNAttr "2.5.4.11" 001D7A40
0654:trace:crypt:CertRDNValueToStrW (4, 001D7B1C, 00178880, 54)
0654:trace:crypt:CertRDNValueToStrW returning 54 (L"Digital ID Class 3 - Microsoft Software Validation v2")
0654:trace:crypt:CertGetNameStringA (0017A154, 3, 00000000, 6B49B1BC, 014DF3B8, 260)
0654:trace:crypt:CertGetNameStringW (0017A154, 3, 00000000, 6B49B1BC, 00000000, 0)
0654:trace:crypt:CryptDecodeObjectEx (0x00000001, #0007, 001DA4D4, 219, 0x00008000, 00000000, 014DF230, 014DF234)
0654:trace:crypt:CryptDecodeObjectEx returning 1
0654:trace:crypt:CertFindRDNAttr "2.5.4.10" 001D7A40
0654:trace:crypt:CertRDNValueToStrW (5, 001D7AEC, 00000000, 0)
0654:trace:crypt:CertRDNValueToStrW returning 21 ((null))
0654:trace:crypt:CertGetNameStringW (0017A154, 3, 00000000, 6B49B1BC, 00169498, 21)
0654:trace:crypt:CryptDecodeObjectEx (0x00000001, #0007, 001DA4D4, 219, 0x00008000, 00000000, 014DF230, 014DF234)
0654:trace:crypt:CryptDecodeObjectEx returning 1
0654:trace:crypt:CertFindRDNAttr "2.5.4.10" 001D7A40
0654:trace:crypt:CertRDNValueToStrW (5, 001D7AEC, 00169498, 21)
0654:trace:crypt:CertRDNValueToStrW returning 21 (L"Symantec Corporation")
0654:trace:crypt:CertGetNameStringA (0017A154, 3, 00000000, 6B49B1B4, 014DF6D0, 260)
0654:trace:crypt:CertGetNameStringW (0017A154, 3, 00000000, 6B49B1B4, 00000000, 0)
0654:trace:crypt:CryptDecodeObjectEx (0x00000001, #0007, 001DA4D4, 219, 0x00008000, 00000000, 014DF230, 014DF234)
0654:trace:crypt:CryptDecodeObjectEx returning 1
0654:trace:crypt:CertFindRDNAttr "2.5.4.7" 001D7A40
0654:trace:crypt:CertRDNValueToStrW (4, 001D7AC8, 00000000, 0)
0654:trace:crypt:CertRDNValueToStrW returning 13 ((null))
0654:trace:crypt:CertGetNameStringW (0017A154, 3, 00000000, 6B49B1B4, 0017AAC8, 13)
0654:trace:crypt:CryptDecodeObjectEx (0x00000001, #0007, 001DA4D4, 219, 0x00008000, 00000000, 014DF230, 014DF234)
0654:trace:crypt:CryptDecodeObjectEx returning 1
0654:trace:crypt:CertFindRDNAttr "2.5.4.7" 001D7A40
0654:trace:crypt:CertRDNValueToStrW (4, 001D7AC8, 0017AAC8, 13)
0654:trace:crypt:CertRDNValueToStrW returning 13 (L"Santa Monica")
0654:trace:crypt:CertGetNameStringA (0017A154, 3, 00000000, 6B49B1AC, 014DF5C8, 260)
0654:trace:crypt:CertGetNameStringW (0017A154, 3, 00000000, 6B49B1AC, 00000000, 0)
0654:trace:crypt:CryptDecodeObjectEx (0x00000001, #0007, 001DA4D4, 219, 0x00008000, 00000000, 014DF230, 014DF234)
0654:trace:crypt:CryptDecodeObjectEx returning 1
0654:trace:crypt:CertFindRDNAttr "2.5.4.8" 001D7A40
0654:trace:crypt:CertRDNValueToStrW (4, 001D7AA4, 00000000, 0)
0654:trace:crypt:CertRDNValueToStrW returning 11 ((null))
0654:trace:crypt:CertGetNameStringW (0017A154, 3, 00000000, 6B49B1AC, 0017E558, 11)
0654:trace:crypt:CryptDecodeObjectEx (0x00000001, #0007, 001DA4D4, 219, 0x00008000, 00000000, 014DF230, 014DF234)
0654:trace:crypt:CryptDecodeObjectEx returning 1
0654:trace:crypt:CertFindRDNAttr "2.5.4.8" 001D7A40
0654:trace:crypt:CertRDNValueToStrW (4, 001D7AA4, 0017E558, 11)
0654:trace:crypt:CertRDNValueToStrW returning 11 (L"California")
0654:trace:crypt:CertGetNameStringA (0017A154, 3, 00000000, 6B49B158, 014DF7D8, 260)
0654:trace:crypt:CertGetNameStringW (0017A154, 3, 00000000, 6B49B158, 00000000, 0)
0654:trace:crypt:CryptDecodeObjectEx (0x00000001, #0007, 001DA4D4, 219, 0x00008000, 00000000, 014DF230, 014DF234)
0654:trace:crypt:CryptDecodeObjectEx returning 1
0654:trace:crypt:CertFindRDNAttr "2.5.4.6" 001D7A40
0654:trace:crypt:CertRDNValueToStrW (4, 001D7A88, 00000000, 0)
0654:trace:crypt:CertRDNValueToStrW returning 3 ((null))
0654:trace:crypt:CertGetNameStringW (0017A154, 3, 00000000, 6B49B158, 0017E558, 3)
0654:trace:crypt:CryptDecodeObjectEx (0x00000001, #0007, 001DA4D4, 219, 0x00008000, 00000000, 014DF230, 014DF234)
0654:trace:crypt:CryptDecodeObjectEx returning 1
0654:trace:crypt:CertFindRDNAttr "2.5.4.6" 001D7A40
0654:trace:crypt:CertRDNValueToStrW (4, 001D7A88, 0017E558, 3)
0654:trace:crypt:CertRDNValueToStrW returning 3 (L"US")
0654:trace:crypt:CertFreeCertificateContext (0017A154)
--- snip ---
I've extracted the embedded CERT which is present in all .dll and .exe files:
Decoded:
--- snip ---
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            4b:da:43:8e:69:27:c9:46:a4:9a:dd:3e:6a:c9:da:d2
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)04, CN=VeriSign Class 3 Code Signing 2004 CA
        Validity
            Not Before: Nov 9 00:00:00 2004 GMT
            Not After : Nov 21 23:59:59 2005 GMT
        Subject: C=US, ST=California, L=Santa Monica, O=Symantec Corporation, OU=Digital ID Class 3 - Microsoft Software Validation v2, OU=Symantec Research Labs, CN=Symantec Corporation
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (1024 bit)
                Modulus:
                    00:d6:6c:85:58:06:54:17:41:01:f7:99:07:43:61:
                    97:99:e4:b7:9f:89:57:d1:bd:f0:af:79:b9:64:5f:
                    ef:bb:9e:34:ad:76:aa:51:fe:13:38:8d:f4:f9:1e:
                    b5:5e:4f:ba:4d:31:a3:95:18:45:d1:9f:0d:80:1c:
                    7c:d9:9b:74:7a:0a:3d:f4:27:c6:45:c3:1c:4f:3e:
                    dc:40:61:9c:a8:cb:ef:ca:ea:b6:e5:cb:38:59:d0:
                    4a:32:a2:ec:a8:fa:2c:c3:5e:bd:53:2d:49:66:b3:
                    dc:ac:f1:9f:76:8b:60:f9:29:88:ea:d2:f3:c0:99:
                    78:fc:a8:5e:36:c7:c3:73:a5
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://CSC3-2004-crl.verisign.com/CSC3-2004.crl

            X509v3 Certificate Policies:
                Policy: 2.16.840.1.113733.1.7.23.3
                  CPS: https://www.verisign.com/rpa

            X509v3 Extended Key Usage:
                Code Signing
            Authority Information Access:
                OCSP - URI:https://ocsp.verisign.com
                CA Issuers - URI:http://CSC3-2004-aia.verisign.com/CSC3-2004-aia.cer

            X509v3 Authority Key Identifier:
                keyid:08:F5:51:E8:FB:FE:3D:3D:64:36:7C:68:CF:5B:78:A8:DF:B9:C5:37

            Netscape Cert Type:
                Object Signing
            1.3.6.1.4.1.311.2.1.27:
                0.......
    Signature Algorithm: sha1WithRSAEncryption
         5a:4a:1d:30:e1:3e:c6:58:4a:eb:fa:e5:98:08:7f:ba:f9:40:
         54:66:6e:02:30:8c:1f:a2:eb:5c:d0:07:ba:20:5b:55:fb:b0:
         0e:13:1e:c6:48:19:0c:f4:0e:a0:98:cb:ea:1e:d6:e4:bc:28:
         6c:3f:7f:c8:b4:e1:8d:15:d8:92:ce:2f:e8:5d:7d:3f:89:27:
         d0:1a:04:b0:55:8b:14:ac:26:5d:72:0d:9e:32:5f:ad:11:d4:
         c0:50:40:89:5d:4b:94:aa:e4:52:f4:f2:e7:6b:76:d7:54:e6:
         b6:a2:8e:f3:fa:47:00:ba:3d:fc:b3:37:c8:2a:06:16:fb:0a:
         3b:67:51:ff:3d:6b:3c:a4:93:ee:b8:52:61:b4:16:14:25:2c:
         bc:c6:21:28:55:d6:6d:8e:24:e0:24:c8:0e:c5:c1:94:19:8a:
         c0:02:93:76:66:f1:cd:2a:cd:21:75:af:7e:40:18:a0:58:74:
         27:43:05:74:2b:2d:81:85:5d:f7:5f:fd:16:05:ae:12:65:b5:
         00:c9:e7:ba:d1:9b:36:01:8d:d8:6f:2c:2a:25:8d:03:e2:6a:
         b5:79:f2:37:36:62:3a:e7:a1:32:b6:a8:ee:e0:ee:cf:16:18:
         f4:b9:6d:26:7b:e9:cb:74:8e:93:9a:a1:c8:fe:86:4c:79:1e:
         c2:c0:57:52

(Decoded using the following version of OpenSSL: OpenSSL 1.1.1b 26 Feb 2019)
--- snip ---
Certificate ASN.1 Information
--- snip ---
   0 1302: SEQUENCE {
   4 1022:   SEQUENCE {
   8    3:     [0] {
  10    1:       INTEGER 2
         :       }
  13   16:     INTEGER 4B DA 43 8E 69 27 C9 46 A4 9A DD 3E 6A C9 DA D2
  31   13:     SEQUENCE {
  33    9:       OBJECT IDENTIFIER sha1WithRSAEncryption (1 2 840 113549 1 1 5)
  44    0:       NULL
         :       }
  46  180:     SEQUENCE {
  49   11:       SET {
  51    9:         SEQUENCE {
  53    3:           OBJECT IDENTIFIER countryName (2 5 4 6)
  58    2:           PrintableString 'US'
         :           }
         :         }
  62   23:       SET {
  64   21:         SEQUENCE {
  66    3:           OBJECT IDENTIFIER organizationName (2 5 4 10)
  71   14:           PrintableString 'VeriSign, Inc.'
         :           }
         :         }
  87   31:       SET {
  89   29:         SEQUENCE {
  91    3:           OBJECT IDENTIFIER organizationalUnitName (2 5 4 11)
  96   22:           PrintableString 'VeriSign Trust Network'
         :           }
         :         }
 120   59:       SET {
 122   57:         SEQUENCE {
 124    3:           OBJECT IDENTIFIER organizationalUnitName (2 5 4 11)
 129   50:           PrintableString
         :             'Terms of use at https://www.verisign.com/rpa (c)'
         :             '04'
         :           }
         :         }
 181   46:       SET {
 183   44:         SEQUENCE {
 185    3:           OBJECT IDENTIFIER commonName (2 5 4 3)
 190   37:           PrintableString 'VeriSign Class 3 Code Signing 2004 CA'
         :           }
         :         }
         :       }
 229   30:     SEQUENCE {
 231   13:       UTCTime 09/11/2004 00:00:00 GMT
 246   13:       UTCTime 21/11/2005 23:59:59 GMT
         :       }
 261  216:     SEQUENCE {
 264   11:       SET {
 266    9:         SEQUENCE {
 268    3:           OBJECT IDENTIFIER countryName (2 5 4 6)
 273    2:           PrintableString 'US'
         :           }
         :         }
 277   19:       SET {
 279   17:         SEQUENCE {
 281    3:           OBJECT IDENTIFIER stateOrProvinceName (2 5 4 8)
 286   10:           PrintableString 'California'
         :           }
         :         }
 298   21:       SET {
 300   19:         SEQUENCE {
 302    3:           OBJECT IDENTIFIER localityName (2 5 4 7)
 307   12:           PrintableString 'Santa Monica'
         :           }
         :         }
 321   29:       SET {
 323   27:         SEQUENCE {
 325    3:           OBJECT IDENTIFIER organizationName (2 5 4 10)
 330   20:           TeletexString 'Symantec Corporation'
         :           }
         :         }
 352   62:       SET {
 354   60:         SEQUENCE {
 356    3:           OBJECT IDENTIFIER organizationalUnitName (2 5 4 11)
 361   53:           PrintableString
         :             'Digital ID Class 3 - Microsoft Software Validati'
         :             'on v2'
         :           }
         :         }
 416   31:       SET {
 418   29:         SEQUENCE {
 420    3:           OBJECT IDENTIFIER organizationalUnitName (2 5 4 11)
 425   22:           TeletexString 'Symantec Research Labs'
         :           }
         :         }
 449   29:       SET {
 451   27:         SEQUENCE {
 453    3:           OBJECT IDENTIFIER commonName (2 5 4 3)
 458   20:           TeletexString 'Symantec Corporation'
         :           }
         :         }
         :       }
 480  159:     SEQUENCE {
 483   13:       SEQUENCE {
 485    9:         OBJECT IDENTIFIER rsaEncryption (1 2 840 113549 1 1 1)
 496    0:         NULL
         :         }
 498  141:       BIT STRING
         :         30 81 89 02 81 81 00 D6 6C 85 58 06 54 17 41 01
         :         F7 99 07 43 61 97 99 E4 B7 9F 89 57 D1 BD F0 AF
         :         79 B9 64 5F EF BB 9E 34 AD 76 AA 51 FE 13 38 8D
         :         F4 F9 1E B5 5E 4F BA 4D 31 A3 95 18 45 D1 9F 0D
         :         80 1C 7C D9 9B 74 7A 0A 3D F4 27 C6 45 C3 1C 4F
         :         3E DC 40 61 9C A8 CB EF CA EA B6 E5 CB 38 59 D0
         :         4A 32 A2 EC A8 FA 2C C3 5E BD 53 2D 49 66 B3 DC
         :         AC F1 9F 76 8B 60 F9 29 88 EA D2 F3 C0 99 78 FC
         :         A8 5E 36 C7 C3 73 A5 02 03 01 00 01
         :       }
 642  384:     [3] {
 646  380:       SEQUENCE {
 650    9:         SEQUENCE {
 652    3:           OBJECT IDENTIFIER basicConstraints (2 5 29 19)
 657    2:           OCTET STRING 30 00
         :           }
 661   14:         SEQUENCE {
 663    3:           OBJECT IDENTIFIER keyUsage (2 5 29 15)
 668    1:           BOOLEAN TRUE
 671    4:           OCTET STRING 03 02 07 80
         :           }
 677   64:         SEQUENCE {
 679    3:           OBJECT IDENTIFIER cRLDistributionPoints (2 5 29 31)
 684   57:           OCTET STRING
         :             30 37 30 35 A0 33 A0 31 86 2F 68 74 74 70 3A 2F
         :             2F 43 53 43 33 2D 32 30 30 34 2D 63 72 6C 2E 76
         :             65 72 69 73 69 67 6E 2E 63 6F 6D 2F 43 53 43 33
         :             2D 32 30 30 34 2E 63 72 6C
         :           }
 743   68:         SEQUENCE {
 745    3:           OBJECT IDENTIFIER certificatePolicies (2 5 29 32)
 750   61:           OCTET STRING
         :             30 3B 30 39 06 0B 60 86 48 01 86 F8 45 01 07 17
         :             03 30 2A 30 28 06 08 2B 06 01 05 05 07 02 01 16
         :             1C 68 74 74 70 73 3A 2F 2F 77 77 77 2E 76 65 72
         :             69 73 69 67 6E 2E 63 6F 6D 2F 72 70 61
         :           }
 813   19:         SEQUENCE {
 815    3:           OBJECT IDENTIFIER extKeyUsage (2 5 29 37)
 820   12:           OCTET STRING 30 0A 06 08 2B 06 01 05 05 07 03 03
         :           }
 834  118:         SEQUENCE {
 836    8:           OBJECT IDENTIFIER authorityInfoAccess (1 3 6 1 5 5 7 1 1)
 846  106:           OCTET STRING
         :             30 68 30 25 06 08 2B 06 01 05 05 07 30 01 86 19
         :             68 74 74 70 73 3A 2F 2F 6F 63 73 70 2E 76 65 72
         :             69 73 69 67 6E 2E 63 6F 6D 30 3F 06 08 2B 06 01
         :             05 05 07 30 02 86 33 68 74 74 70 3A 2F 2F 43 53
         :             43 33 2D 32 30 30 34 2D 61 69 61 2E 76 65 72 69
         :             73 69 67 6E 2E 63 6F 6D 2F 43 53 43 33 2D 32 30
         :             30 34 2D 61 69 61 2E 63 65 72
         :           }
 954   31:         SEQUENCE {
 956    3:           OBJECT IDENTIFIER authorityKeyIdentifier (2 5 29 35)
 961   24:           OCTET STRING
         :             30 16 80 14 08 F5 51 E8 FB FE 3D 3D 64 36 7C 68
         :             CF 5B 78 A8 DF B9 C5 37
         :           }
 987   17:         SEQUENCE {
 989    9:           OBJECT IDENTIFIER
         :             netscape-cert-type (2 16 840 1 113730 1 1)
1000    4:           OCTET STRING 03 02 04 10
         :           }
1006   22:         SEQUENCE {
1008   10:           OBJECT IDENTIFIER
         :             spcFinancialCriteriaInfo (1 3 6 1 4 1 311 2 1 27)
1020    8:           OCTET STRING 30 06 01 01 00 01 01 FF
         :           }
         :         }
         :       }
         :     }
1030   13:   SEQUENCE {
1032    9:     OBJECT IDENTIFIER sha1WithRSAEncryption (1 2 840 113549 1 1 5)
1043    0:     NULL
         :     }
1045  257:   BIT STRING
         :     5A 4A 1D 30 E1 3E C6 58 4A EB FA E5 98 08 7F BA
         :     F9 40 54 66 6E 02 30 8C 1F A2 EB 5C D0 07 BA 20
         :     5B 55 FB B0 0E 13 1E C6 48 19 0C F4 0E A0 98 CB
         :     EA 1E D6 E4 BC 28 6C 3F 7F C8 B4 E1 8D 15 D8 92
         :     CE 2F E8 5D 7D 3F 89 27 D0 1A 04 B0 55 8B 14 AC
         :     26 5D 72 0D 9E 32 5F AD 11 D4 C0 50 40 89 5D 4B
         :     94 AA E4 52 F4 F2 E7 6B 76 D7 54 E6 B6 A2 8E F3
         :     FA 47 00 BA 3D FC B3 37 C8 2A 06 16 FB 0A 3B 67
         :     [ Another 128 bytes skipped ]
         :   }
--- snip ---
The installer custom action dll retrieves various subjects from the embedded certificate using 'CertGetNameString' and compares them against hard-coded values. The hard-coded values get decrypted to cleartext at runtime.
The certificate contains multiple values for OID 2.5.4.11 -> organizational unit name (OU):
* 'Digital ID Class 3 - Microsoft Software Validation v2'
* 'Symantec Research Labs'
The installer compares the string 'Digital ID Class 3 - Microsoft Software Validation v2' returned by Wine crypt32 against two hard-coded values:
* 'Symantec Research Labs'
* 'Configuration Management' (backup?)
None of these match because Wine always returns the first RDN attribute. This causes the custom action, and subsequently the installer, to fail.
Wine source:
https://source.winehq.org/git/wine.git/blob/be4592824208f82e9cd9c096a879b1d3...
--- snip ---
static DWORD cert_get_name_from_rdn_attr(DWORD encodingType,
 const CERT_NAME_BLOB *name, LPCSTR oid, LPWSTR pszNameString, DWORD cchNameString)
{
    CERT_NAME_INFO *nameInfo;
    DWORD bytes = 0, ret = 0;

    if (CryptDecodeObjectEx(encodingType, X509_NAME, name->pbData,
     name->cbData, CRYPT_DECODE_ALLOC_FLAG, NULL, &nameInfo, &bytes))
    {
        PCERT_RDN_ATTR nameAttr;

        if (!oid)
            oid = szOID_RSA_emailAddr;
        nameAttr = CertFindRDNAttr(oid, nameInfo);
        if (nameAttr)
            ret = CertRDNValueToStrW(nameAttr->dwValueType, &nameAttr->Value,
             pszNameString, cchNameString);
        LocalFree(nameInfo);
    }
    return ret;
}

DWORD WINAPI CertGetNameStringW(PCCERT_CONTEXT pCertContext, DWORD dwType,
 DWORD dwFlags, void *pvTypePara, LPWSTR pszNameString, DWORD cchNameString)
{
    DWORD ret = 0;
    PCERT_NAME_BLOB name;
    LPCSTR altNameOID;

    TRACE("(%p, %d, %08x, %p, %p, %d)\n", pCertContext, dwType,
     dwFlags, pvTypePara, pszNameString, cchNameString);

    if (!pCertContext)
        goto done;

    if (dwFlags & CERT_NAME_ISSUER_FLAG)
    {
        name = &pCertContext->pCertInfo->Issuer;
        altNameOID = szOID_ISSUER_ALT_NAME;
    }
    else
    {
        name = &pCertContext->pCertInfo->Subject;
        altNameOID = szOID_SUBJECT_ALT_NAME;
    }

    switch (dwType)
    {
...
    case CERT_NAME_ATTR_TYPE:
        ret = cert_get_name_from_rdn_attr(pCertContext->dwCertEncodingType,
         name, pvTypePara, pszNameString, cchNameString);
        if (!ret)
        {
            CERT_ALT_NAME_INFO *altInfo;
            PCERT_ALT_NAME_ENTRY entry = cert_find_alt_name_entry(pCertContext,
             altNameOID, CERT_ALT_NAME_DIRECTORY_NAME, &altInfo);

            if (entry)
                ret = cert_name_to_str_with_indent(X509_ASN_ENCODING, 0,
                 &entry->u.DirectoryName, 0, pszNameString, cchNameString);
            if (altInfo)
                LocalFree(altInfo);
        }
        break;
...
--- snip ---
I've implemented a reverse CertFindRDNAttr() and made the helper use it. It helped the installer to successfully validate the CERT and finish the whole installation process.
The case of multiple OU values in certs doesn't seem to be that rare.
https://stackoverflow.com/questions/9496239/extracting-all-values-of-a-subje...
--- quote ---
However some certificates I've found have multiple values for the organizational unit name (OU) and CertGetNameString can only read the first. For instance this is the subject of an Adobe certificate:

CN = Adobe Systems, Incorporated
OU = Acrobat Engineering
OU = Digital ID Class 3 - Microsoft Software Validation v2
O = Adobe Systems, Incorporated
L = San Jose
S = California
C = US

How can I read all values for the OU (and other) attribute(s) using CryptoAPI?
--- quote ---
He doesn't talk about the order here, i.e. which "first" is returned. The first-first or the first-last ;-)
I'm sure there are a couple of other apps suffering from the same issue.
$ wine --version
wine-6.0-rc1-39-g76c9dbd4fb9
Regards
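
Added example, not part of the original comment and not Wine or Symantec code: a self-contained C model of the lookup-order problem described above, showing the installer's OU comparison failing with a forward search and passing with a reverse search. The struct types and function names are hypothetical stand-ins for the decoded name structures, the sample subject is constructed from the decoded certificate in the comment, and walking attributes backwards inside a multi-valued RDN is an assumption.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins for a decoded X.509 name (hypothetical types, not the
 * crypt32 structures): a name is a list of RDNs, each with >= 1 attribute. */
struct attr { const char *oid, *value; };
struct rdn  { size_t count; const struct attr *attrs; };
struct name { size_t count; const struct rdn *rdns; };

/* Constructed sample: the subject from the comment, in DER encoding order. */
static const struct attr subject_attrs[] = {
    { "2.5.4.6",  "US" },
    { "2.5.4.8",  "California" },
    { "2.5.4.7",  "Santa Monica" },
    { "2.5.4.10", "Symantec Corporation" },
    { "2.5.4.11", "Digital ID Class 3 - Microsoft Software Validation v2" },
    { "2.5.4.11", "Symantec Research Labs" },
    { "2.5.4.3",  "Symantec Corporation" },
};
static const struct rdn subject_rdns[] = {
    { 1, &subject_attrs[0] }, { 1, &subject_attrs[1] }, { 1, &subject_attrs[2] },
    { 1, &subject_attrs[3] }, { 1, &subject_attrs[4] }, { 1, &subject_attrs[5] },
    { 1, &subject_attrs[6] },
};
static const struct name SUBJECT = { 7, subject_rdns };

typedef const char *(*lookup_fn)(const struct name *, const char *);

/* Forward search: first matching attribute in encoding order. */
const char *find_attr_first(const struct name *n, const char *oid)
{
    for (size_t i = 0; i < n->count; i++)
        for (size_t j = 0; j < n->rdns[i].count; j++)
            if (strcmp(n->rdns[i].attrs[j].oid, oid) == 0)
                return n->rdns[i].attrs[j].value;
    return NULL;
}

/* Reverse search: last RDN first. Assumption: attributes inside a
 * multi-valued RDN are walked backwards as well. */
const char *find_attr_last(const struct name *n, const char *oid)
{
    for (size_t i = n->count; i-- > 0; )
        for (size_t j = n->rdns[i].count; j-- > 0; )
            if (strcmp(n->rdns[i].attrs[j].oid, oid) == 0)
                return n->rdns[i].attrs[j].value;
    return NULL;
}

/* The installer's OU test as described in the comment: one value is fetched
 * and compared against two expected strings. Returns 1 on match. */
int installer_ou_check(const struct name *n, lookup_fn lookup)
{
    const char *ou = lookup(n, "2.5.4.11");
    if (!ou)
        return 0;
    return strcmp(ou, "Symantec Research Labs") == 0 ||
           strcmp(ou, "Configuration Management") == 0;
}

/* Order-independent check: 1 if any value of the OID equals `expected`. */
int any_attr_equals(const struct name *n, const char *oid, const char *expected)
{
    for (size_t i = 0; i < n->count; i++)
        for (size_t j = 0; j < n->rdns[i].count; j++)
            if (strcmp(n->rdns[i].attrs[j].oid, oid) == 0 &&
                strcmp(n->rdns[i].attrs[j].value, expected) == 0)
                return 1;
    return 0;
}

int main(void)
{
    printf("first OU: %s\n", find_attr_first(&SUBJECT, "2.5.4.11"));
    printf("last  OU: %s\n", find_attr_last(&SUBJECT, "2.5.4.11"));
    printf("check, forward lookup: %d\n", installer_ou_check(&SUBJECT, find_attr_first));
    printf("check, reverse lookup: %d\n", installer_ou_check(&SUBJECT, find_attr_last));
    printf("any OU matches: %d\n",
           any_attr_equals(&SUBJECT, "2.5.4.11", "Symantec Research Labs"));
    return 0;
}
```

Code that has to validate a subject with repeated attributes can avoid depending on lookup order by enumerating every value, as any_attr_equals does here.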