https://bugs.winehq.org/show_bug.cgi?id=53919
Bug ID: 53919
Summary: crypt32:cert - testVerifyRevocation() uses an outdated certificate
Product: Wine
Version: 7.21
Hardware: x86-64
OS: Linux
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: crypt32
Assignee: wine-bugs@winehq.org
Reporter: jinoh.kang.kr@gmail.com
CC: fgouget@codeweavers.com, hans@meelstraat.net
Distribution: ---
crypt32:cert - testVerifyRevocation() fails in Wine:
cert.c:4191: Test failed: success
cert.c:4192: Test failed: got 00000000
cert.c:4193: Test failed: got 00000000
https://testbot.winehq.org/JobDetails.pl?Key=126125
The failures started on 2022-11-14 and have been consistently reproducible since then. The actual test was introduced on 2022-05-24 in the commit below.
So this is not a regression but instead looks like an outside change that broke the test.
commit 74832c2177808c6222d44f7e4580de84e0ada8f0
Author:     Hans Leidekker hans@codeweavers.com
AuthorDate: Tue May 24 09:46:22 2022 +0200

    crypt32/tests: Add more OCSP revocation tests.

    Signed-off-by: Hans Leidekker hans@codeweavers.com
    Signed-off-by: Alexandre Julliard julliard@winehq.org
The commit introduces a variable named ocsp_cert_revoked that contains the following certificate:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            0d:2e:67:a2:98:85:3b:9a:54:52:e3:a2:85:a4:57:2f
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = DigiCert Inc, CN = RapidSSL TLS DV RSA Mixed SHA256 2020 CA-1
        Validity
            Not Before: Oct 27 00:00:00 2021 GMT
            Not After : Oct 27 23:59:59 2022 GMT
        Subject: CN = revoked.badssl.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b0:76:2d:55:66:dc:72:8a:a0:9e:85:92:38:7f:
                    5b:e1:93:8d:ad:06:c8:ad:e9:89:b4:ef:1e:77:5b:
                    33:45:16:60:7d:33:38:68:04:d7:c9:83:42:83:d9:
                    30:4b:54:49:14:ca:ed:be:0c:76:ba:5f:a6:5c:33:
                    78:3f:39:f2:49:a8:88:32:ee:53:21:14:d3:aa:5c:
                    58:3c:39:cc:f7:80:b1:27:1f:54:79:7b:6c:8b:ff:
                    41:aa:39:24:95:5f:71:bc:49:bf:39:3b:a5:d5:e1:
                    a5:de:1d:40:81:25:dc:8a:47:82:fe:cd:7c:4b:2c:
                    04:bb:d3:27:56:51:a0:61:f2:d2:cb:55:08:25:2a:
                    85:db:2c:06:8d:0d:61:c2:5b:3e:9b:46:dc:58:ff:
                    13:27:be:0a:44:1e:68:fe:e1:f6:b7:de:9f:8e:6c:
                    c4:b5:19:fa:d7:d3:4f:55:a8:61:79:db:61:2f:6a:
                    9c:2c:f1:c4:81:bb:9e:d2:02:05:ba:9c:14:a0:f9:
                    f3:54:79:7d:69:d9:ba:66:1c:87:95:41:50:0e:f9:
                    5e:e1:b7:bd:f5:31:24:c5:21:21:03:8a:cf:6d:78:
                    58:de:d9:30:7d:03:42:52:d6:b0:1b:b9:c9:54:1b:
                    5a:e8:c8:53:f0:ac:2b:82:10:27:a6:a9:70:25:ae:
                    f8:a7
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                A4:8D:E5:BE:7C:79:E4:70:23:6D:2E:29:34:AD:23:58:DC:F5:31:7F
            X509v3 Subject Key Identifier:
                B0:C8:CE:20:B2:78:CC:1D:23:EF:F0:FE:D6:0E:29:4B:AC:15:72:3C
            X509v3 Subject Alternative Name:
                DNS:revoked.badssl.com
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://crl3.digicert.com/RapidSSLTLSDVRSAMixedSHA2562020CA-1.crl
                Full Name:
                  URI:http://crl4.digicert.com/RapidSSLTLSDVRSAMixedSHA2562020CA-1.crl
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1
                  CPS: http://www.digicert.com/CPS
            Authority Information Access:
                OCSP - URI:http://ocsp.digicert.com
                CA Issuers - URI:http://cacerts.digicert.com/RapidSSLTLSDVRSAMixedSHA2562020CA-1.crt
            X509v3 Basic Constraints:
                CA:FALSE
(snip)
The time of first failure is past the expiry date of the certificate above. It appears that the OCSP provider has retracted the certificate entry in question, which is no longer necessary.
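A fixture-staleness check for the situation this report describes, as an added example that is not part of the original report or of Wine's test suite: it parses the validity window and OCSP URI from an openssl-style text dump and classifies the fixture on a given date. The function names, the state labels, the 30-day margin and the 2022-10-01 sample date are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the validity and OCSP fields quoted in the report,
# laid out as in an openssl text dump.
DUMP = """\
    Validity
        Not Before: Oct 27 00:00:00 2021 GMT
        Not After : Oct 27 23:59:59 2022 GMT
    Subject: CN = revoked.badssl.com
    Authority Information Access:
        OCSP - URI:http://ocsp.digicert.com
"""

def _utc(text, fmt):
    return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)

def parse_fixture(dump):
    """Extract the validity window and OCSP responder URI from the dump."""
    def when(label):
        m = re.search(rf"{label}\s*:\s*(.+ GMT)", dump)
        if not m:
            raise ValueError(f"missing {label!r} field")
        return _utc(m.group(1), "%b %d %H:%M:%S %Y GMT")
    ocsp = re.search(r"OCSP - URI:(\S+)", dump)
    return {"not_before": when("Not Before"), "not_after": when("Not After"),
            "ocsp": ocsp.group(1) if ocsp else None}

def fixture_state(fx, day, margin_days=30):
    """Classify a certificate fixture on a given YYYY-MM-DD date (UTC)."""
    on = _utc(day, "%Y-%m-%d")
    if on < fx["not_before"]:
        return "not-yet-valid"
    if on > fx["not_after"]:
        # After expiry the responder may no longer report the revocation,
        # so a test that expects a live "revoked" answer can start failing.
        return "expired"
    if fx["not_after"] - on <= timedelta(days=margin_days):
        return "expiring-soon"
    return "valid"

if __name__ == "__main__":
    fx = parse_fixture(DUMP)
    # 2022-05-24 (test added) and 2022-11-14 (first failure) come from the
    # report; 2022-10-01 is a constructed date inside the warning margin.
    for day in ("2022-05-24", "2022-10-01", "2022-11-14"):
        print(day, fixture_state(fx, day), fx["ocsp"])
```

Run against every certificate embedded in a test that queries a live responder, the expiring-soon state flags the fixture before the expected revocation answer disappears.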
Jinoh Kang jinoh.kang.kr@gmail.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jinoh.kang.kr@gmail.com
--- Comment #1 from Jinoh Kang jinoh.kang.kr@gmail.com ---
Correction: the failures may have started much earlier than I originally wrote.
Hans Leidekker hans@meelstraat.net changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |RESOLVED
      Fixed by SHA1|                            |c1aee64eb2cac4d3832af2fbad473791a4021055
         Resolution|---                         |FIXED
--- Comment #2 from Hans Leidekker hans@meelstraat.net ---
Fixed with c1aee64eb2cac4d3832af2fbad473791a4021055.
Alexandre Julliard julliard@winehq.org changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED
--- Comment #3 from Alexandre Julliard julliard@winehq.org ---
Closing bugs fixed in 7.22.
Jinoh Kang jinoh.kang.kr@gmail.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |testcase
François Gouget fgouget@codeweavers.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |source