https://bugs.winehq.org/show_bug.cgi?id=47785
Bug ID: 47785
Summary: CERT_CHAIN_POLICY_IGNORE_NOT_TIME_VALID_FLAG not taken into account
Product: Wine
Version: 4.16
Hardware: x86
OS: Linux
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: crypt32
Assignee: wine-bugs@winehq.org
Reporter: lois.diqual@gmail.com
Distribution: ---

Created attachment 65274
  --> https://bugs.winehq.org/attachment.cgi?id=65274
C# program that verifies an expired certificate using IgnoreNotTimeValid

I am debugging a C# program that validates a certificate chain using X509VerificationFlags.IgnoreNotTimeValid. The provided certificate is expired, but it shouldn't matter because of this flag.
The chain validates properly on macOS with Mono. However, on Wine with dotnet472, the policy fails with error NotTimeValid.
I believe there is a bug in `chain.c verify_base_policy`: https://github.com/wine-mirror/wine/blob/e6138a52a907fe4b9b03abe0b6cf6cfb9fb.... In this if statement, the policy verification routine determines that the certificate has expired, but it should ignore the error if `checks` contains `CERT_CHAIN_POLICY_IGNORE_NOT_TIME_VALID_FLAG`, and this logic is missing.
To reproduce:
- Create a wine prefix with dotnet472 using winetricks
- Go to drive_c/windows/Microsoft.NET/Framework/v4.0.30319 and copy verify.cs in there
- Compile verify.cs: wine csc.exe /reference:"C:\windows/Microsoft.NET/Framework/v4.0.30319/WPF/WindowsBase.dll" verify.cs
- Run: wine verify.exe
- It should print "Valid cert" but instead prints "Invalid cert" with NotTimeValid.
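
The flag handling the report describes as missing, as an added C sketch (not Wine's code and not part of the original report). `base_policy_error` is a hypothetical helper and the order of its checks is an assumption; the constants are the Windows SDK values. It also shows that the ignore flag must suppress only the time-validity error, not other chain errors.

```c
#include <stdint.h>
#include <stdio.h>

/* Values as defined in the Windows SDK headers (wincrypt.h, winerror.h). */
#define CERT_TRUST_IS_NOT_TIME_VALID                 0x00000001u
#define CERT_TRUST_IS_UNTRUSTED_ROOT                 0x00000020u
#define CERT_CHAIN_POLICY_IGNORE_NOT_TIME_VALID_FLAG 0x00000001u
#define CERT_CHAIN_POLICY_ALLOW_UNKNOWN_CA_FLAG      0x00000010u
#define CERT_E_EXPIRED                               0x800B0101u
#define CERT_E_UNTRUSTEDROOT                         0x800B0109u

/* Hypothetical helper (assumption, not a Wine function): maps a chain's
 * trust error status to a base-policy error, honoring the caller's
 * "ignore" flags passed in `checks`. Returns 0 when the policy passes. */
uint32_t base_policy_error(uint32_t error_status, uint32_t checks)
{
    /* An untrusted root is reported unless the caller allows unknown CAs. */
    if ((error_status & CERT_TRUST_IS_UNTRUSTED_ROOT) &&
        !(checks & CERT_CHAIN_POLICY_ALLOW_UNKNOWN_CA_FLAG))
        return CERT_E_UNTRUSTEDROOT;

    /* The check the report says is missing: an expired certificate is an
     * error only when the caller did not ask to ignore time validity. */
    if ((error_status & CERT_TRUST_IS_NOT_TIME_VALID) &&
        !(checks & CERT_CHAIN_POLICY_IGNORE_NOT_TIME_VALID_FLAG))
        return CERT_E_EXPIRED;

    return 0;
}

int main(void)
{
    /* Constructed inputs: an expired chain, with and without the flag. */
    uint32_t expired = CERT_TRUST_IS_NOT_TIME_VALID;
    uint32_t ignore  = CERT_CHAIN_POLICY_IGNORE_NOT_TIME_VALID_FLAG;

    printf("expired, no flag:        0x%08x\n",
           (unsigned)base_policy_error(expired, 0));
    printf("expired, ignore flag:    0x%08x\n",
           (unsigned)base_policy_error(expired, ignore));
    /* The ignore flag does not hide an unrelated trust failure. */
    printf("expired + untrusted root: 0x%08x\n",
           (unsigned)base_policy_error(
               expired | CERT_TRUST_IS_UNTRUSTED_ROOT, ignore));
    return 0;
}
```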