http://bugs.winehq.org/show_bug.cgi?id=15704
Summary: crypt32: chain.ok test fails in OpenSolaris
Product: Wine
Version: 1.1.6
Platform: PC
OS/Version: Solaris
Status: NEW
Keywords: source, testcase
Severity: minor
Priority: P2
Component: crypt32
AssignedTo: wine-bugs@winehq.org
ReportedBy: austinenglish@gmail.com
Created an attachment (id=16783) --> (http://bugs.winehq.org/attachment.cgi?id=16783) +crypt in git
make[2]: Entering directory `/export/home/austin/wine-git/dlls/crypt32/tests'
../../../tools/runtest -q -P wine -M crypt32.dll -T ../../.. -p crypt32_test.exe.so base64.c && touch base64.ok
../../../tools/runtest -q -P wine -M crypt32.dll -T ../../.. -p crypt32_test.exe.so cert.c && touch cert.ok
fixme:crypt:CryptVerifyCertificateSignatureEx unimplemented for NULL signer
fixme:crypt:CertGetPublicKeyLength unimplemented for DH public keys
../../../tools/runtest -q -P wine -M crypt32.dll -T ../../.. -p crypt32_test.exe.so chain.c && touch chain.ok
fixme:crypt:CertVerifyCertificateChainPolicy unimplemented for 0
chain.c:1243: Test failed: Chain 15: expected error 00000000, got 00000020
chain.c:1177: Test failed: Chain 15, element [0,2]: expected error 00000000, got 00000020
make[2]: *** [chain.ok] Error 2
+crypt attached (bzip2 -9'ed)
Juan Lang juan_lang@yahoo.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |juan_lang@yahoo.com
--- Comment #1 from Juan Lang juan_lang@yahoo.com 2008-10-23 09:55:49 ---
Any idea where the root certificates are installed in OpenSolaris?
--- Comment #2 from Austin English austinenglish@gmail.com 2008-10-23 14:14:32 ---
(In reply to comment #1)
> Any idea where the root certificates are installed in OpenSolaris?
I believe it's /etc/sfw/openssl/certs, but that directory is empty. grepping / for *.pem comes up empty. I posted a question on the OpenSolaris forums, so I'll see if I can find anything out there.
--- Comment #3 from Austin English austinenglish@gmail.com 2008-10-23 14:15:37 ---
grepping for certs got me this:
bash-3.2$ ls /etc/certs/
SUNWObjectCA SUNWSolarisCA SUNW_SunOS_5.10
bash-3.2$ ls /etc/crypto/certs/
CA SUNWObjectCA SUNW_SunOS_5.10 SUNW_SunOS_5.11_Limited
--- Comment #4 from Austin English austinenglish@gmail.com 2008-10-23 19:41:34 ---
Would copies of the certs help?
--- Comment #5 from Juan Lang juan_lang@yahoo.com 2008-10-24 09:42:55 ---
(In reply to comment #4)
> Would copies of the certs help?
Yes, in fact.
--- Comment #6 from Austin English austinenglish@gmail.com 2008-10-24 14:48:40 ---
Created an attachment (id=16848) --> (http://bugs.winehq.org/attachment.cgi?id=16848) /etc/certs & /etc/crypto directories
Let me know if you need anything else.
--- Comment #7 from Austin English austinenglish@gmail.com 2008-10-24 14:58:30 ---
That was from a livecd of OpenSolaris, not the machine I use, but they should be the same.
--- Comment #8 from Juan Lang juan_lang@yahoo.com 2008-10-26 11:36:08 ---
My basic assumption with that particular test is that there is a Verisign root CA cert somewhere on the system. There is on Windows, and on every Linux distro I've seen so far. Presently the code checks for trusted certs in the following locations (from dlls/crypt32/rootstore.c):
/etc/ssl/certs/ca-certificates.crt
/etc/ssl/certs
/etc/pki/tls/certs/ca-bundle.crt
That list can certainly be expanded if OpenSolaris puts its certs in a different location. The certs you sent only contain certificates from Sun, so adding e.g. the /etc/certs directory to this list won't make the test pass. You may have to install OpenSSL or something in order for the test to pass.
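As an added illustration (not code from Wine's dlls/crypt32/rootstore.c or from anyone in this thread), the C helper below reports for each store path mentioned in this thread whether it is missing, present but holding no PEM certificates, or populated. The function names and the path table are assumptions made for the example.

```c
#include <dirent.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

/* Paths named in this thread (comments #2, #8, #9); not Wine's own table. */
static const char *const candidate_stores[] = {
    "/etc/ssl/certs/ca-certificates.crt", "/etc/pki/tls/certs/ca-bundle.crt",
    "/etc/ssl/certs", "/usr/local/share/certs", "/etc/sfw/openssl/certs",
};

/* Count PEM certificate headers in one file; -1 if it cannot be opened. */
static int count_pem_in_file(const char *path)
{
    char line[512];
    int n = 0;
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    while (fgets(line, sizeof line, f))
        if (strstr(line, "-----BEGIN CERTIFICATE-----") == line) n++;
    fclose(f);
    return n;
}

/* Hypothetical helper: -1 = path missing, 0 = exists but holds no PEM certs
 * (the empty-directory case in this thread), >0 = PEM blocks found. */
int count_store_certs(const char *path)
{
    struct stat st;
    char child[4096];
    int n, total = 0;
    if (stat(path, &st) != 0) return -1;
    if (!S_ISDIR(st.st_mode)) return count_pem_in_file(path);
    DIR *d = opendir(path);
    if (!d) return -1;
    for (struct dirent *e; (e = readdir(d)) != NULL; ) {
        snprintf(child, sizeof child, "%s/%s", path, e->d_name);
        if (stat(child, &st) != 0 || !S_ISREG(st.st_mode)) continue;
        if ((n = count_pem_in_file(child)) > 0) total += n; /* symlinked copies count again */
    }
    closedir(d);
    return total;
}

int main(void)
{
    for (size_t i = 0; i < sizeof candidate_stores / sizeof *candidate_stores; i++)
        printf("%-36s %d\n", candidate_stores[i], count_store_certs(candidate_stores[i]));
}
```

A result of 0 separates "directory exists but is empty" from "path not present" (-1), which is the distinction the Solaris reports in this thread turn on.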
Austin English austinenglish@gmail.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|crypt32: chain.ok test fails|crypt32: chain.ok test fails
                   |in OpenSolaris              |in OpenSolaris/PC-BSD
--- Comment #9 from Austin English austinenglish@gmail.com 2008-10-27 15:43:39 ---
Seems to also fail in PC-BSD. The root certs are available there in security/ca_root_nss. They are then installed in /usr/local/share/certs/. Adding that to dlls/crypt32/rootstore.c fixes it.
I sent a patch: http://www.winehq.org/pipermail/wine-patches/2008-October/063840.html
Still working on OpenSolaris though.
--- Comment #10 from Austin English austinenglish@gmail.com 2008-10-28 13:09:01 ---
(In reply to comment #8)
> You may have to install OpenSSL or something in order for the test to pass.
OpenSSL is installed, but doesn't come with root level certs o.0. I filed a bug, so until then, I'll leave this open.
Ivan Kalvachev iive@yahoo.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |iive@yahoo.com
--- Comment #11 from Ivan Kalvachev iive@yahoo.com 2009-05-03 05:43:04 ---
I got the same bug on the latest Slackware-12.2-current Linux distribution. As far as I can see there is no official package containing root certificates; OpenSSL creates only an empty directory. Checking the latest (0.9.8k) source revealed that root certificates are no longer distributed.
FAQ Quote "* How can I set up a bundle of commercial root CA certificates? The OpenSSL software is shipped without any root CA certificate as the OpenSSL project does not have any policy on including or excluding any specific CA and does not intend to set up such a policy. Deciding about which CAs to support is up to application developers or administrators. ..."
I don't find having a bunch of random certificates globally installed to be good security practice, so I am not inclined to request such a thing from the distribution maintainer.
If you want some certificates to test, then the right thing would be to include them with your test program. Afaik they are not that big and you don't need full bundle anyway.
--- Comment #12 from Juan Lang juan_lang@yahoo.com 2009-05-03 11:02:14 ---
(In reply to comment #11)
> I don't find having a bunch of random certificates globally installed to be good security practice, so I am not inclined to request such a thing from the distribution maintainer.
Sure. If I required these things to be installed, I would have marked this invalid. It's a valid bug. There are two ways to approach it:
1) Make the test succeed even in the absence of the Verisign root cert.
2) Find the correct location of root certs on Solaris/PC-BSD, and support them in crypt32.
My test was already supposed to do 1), but apparently it doesn't do it sufficiently well. But if I fix it without doing 2), Solaris/PC-BSD will always be broken. So mainly I was hoping for feedback on the location of the root certs on these platforms, so that crypt32 chain verification may someday work there.
--- Comment #13 from Austin English austinenglish@gmail.com 2009-05-03 13:05:03 ---
FWIW, PC-BSD is fixed:
http://test.winehq.org/data/445567ea955f2f4096983539da4671e84ed0fbfb/wine_ae...
http://source.winehq.org/git/wine.git/?a=commitdiff;h=fe256f99d32a92833dc0b8...
You have to install the certificates, from /usr/ports/security/ca_root_nss http://wiki.winehq.org/PC-BSD
Solaris, I just found a link on how to install the root certificates, but it's still not parsing the directory correctly. I'm looking into it.
Austin English austinenglish@gmail.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|crypt32: chain.ok test fails|crypt32: chain.ok test fails
                   |in OpenSolaris/PC-BSD       |in OpenSolaris
--- Comment #14 from Ivan Kalvachev iive@yahoo.com 2009-05-06 14:29:50 ---
(In reply to comment #12)
> Sure. If I required these things to be installed, I would have marked this invalid. It's a valid bug. There are two ways to approach it:
> 1) Make the test succeed even in the absence of the verisign root cert.
> 2) Find the correct location of root certs on Solaris/PC-BSD, and support them in crypt32.
1) Is just a workaround, not a real fix. It may hide a real bug and give a false positive/negative.
2) Is not a solution at all because my distribution does not have such certificates, it will not have them in the future, nor is there a reason to have them at all. Once again, this is GNU/Linux, not some Solaris or BSD.
Just assume that there are no globally installed .crt and try to make the test work in that case. What I find to be good solutions are:
3) Put some .crt in the same directory as the test program and fall back to that directory as a last resort. This way crypt32 would always have something to test.
4) Make crypt32 check ~/.wine/certs/ and give a recommendation on how to find and put some IE certs there.
--- Comment #15 from Juan Lang juan_lang@yahoo.com 2009-05-06 15:18:54 ---
(In reply to comment #14)
> 2) Is not a solution at all because my distribution does not have such certificates, it will not have them in the future, nor is there a reason to have them at all. Once again, this is GNU/Linux, not some Solaris or BSD.
This bug is about Solaris. Please keep the comments on-topic. If you want to open a bug about Slackware, go ahead.
--- Comment #16 from Austin English austinenglish@gmail.com 2010-03-11 21:01:52 ---
Still present.
--- Comment #17 from Juan Lang juan_lang@yahoo.com 2011-07-18 15:32:09 CDT ---
Is this still an issue after today? Commit 8cdf7358227f3c94ecc20c99e27e6ea2fc901b12 might have fixed it.
François Gouget fgouget@codeweavers.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fgouget@codeweavers.com
--- Comment #18 from François Gouget fgouget@codeweavers.com 2011-07-19 04:37:37 CDT ---
I really don't trust my OpenSolaris 9.06 VM. However my Solaris 10u5 and 10u9 VMs are in relatively good shape. I tested crypt32:chain with 8cdf7358 applied test on all three and got 7 failures on OpenSolaris and 14 on Solaris (for the latter two, see the fg-sol10u[59]-vm results on test.winehq.org). The errors don't really look the same as in the initial report though.
Another important point is that on all three systems my /etc/sfw/openssl/certs directory is empty. So I don't expect 8cdf7358 to make any difference on my systems. Austin, did you find what package to install to get proper certificates there?
--- Comment #19 from Austin English austinenglish@gmail.com 2011-07-25 22:58:49 CDT ---
(In reply to comment #18)
> I really don't trust my OpenSolaris 9.06 VM. However my Solaris 10u5 and 10u9 VMs are in relatively good shape. I tested crypt32:chain with 8cdf7358 applied test on all three and got 7 failures on OpenSolaris and 14 on Solaris (for the latter two, see the fg-sol10u[59]-vm results on test.winehq.org). The errors don't really look the same as in the initial report though.
> Another important point is that on all three systems my /etc/sfw/openssl/certs directory is empty. So I don't expect 8cdf7358 to make any difference on my systems. Austin, did you find what package to install to get proper certificates there?
No, I haven't yet found it (though I don't currently have access to an OpenSolaris install, and it's refusing to install for me under kvm/qemu).
--- Comment #20 from François Gouget fgouget@codeweavers.com 2012-01-25 04:02:48 CST ---
Just for reference, this appears to be fixed on Solaris 11 (see the winetest results). http://test.winehq.org/data/
--- Comment #21 from Austin English austinenglish@gmail.com 2012-01-25 13:32:46 CST ---
(In reply to comment #20)
> Just for reference, this appears to be fixed on Solaris 11 (see the winetest results). http://test.winehq.org/data/
Do the older Solaris versions still fail?
--- Comment #22 from François Gouget fgouget@codeweavers.com 2012-01-26 03:22:58 CST ---
Yes: http://test.winehq.org/data/
--- Comment #23 from Ken Sharp imwellcushtymelike@gmail.com ---
Is this still an issue in Wine 1.7.45 or later?
Does http://test.winehq.org/data/ show Solaris?
--- Comment #24 from François Gouget fgouget@codeweavers.com ---
It used to but I don't have any working Solaris VM at this time.
François Gouget fgouget@codeweavers.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|crypt32: chain.ok test      |crypt32:chain test fails in
                   |fails in OpenSolaris        |OpenSolaris
François Gouget fgouget@codeweavers.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |ABANDONED
             Status|NEW                         |RESOLVED
--- Comment #25 from François Gouget fgouget@codeweavers.com ---
I don't think Solaris matters nowadays.
Austin English austinenglish@gmail.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED
--- Comment #26 from Austin English austinenglish@gmail.com ---
Closing.