https://bugs.winehq.org/show_bug.cgi?id=47234
Bug ID: 47234
Summary: Wine fails to properly parse and import some of the standard root certificates
Product: Wine
Version: 4.7
Hardware: x86
OS: Linux
Status: UNCONFIRMED
Severity: major
Priority: P2
Component: crypt32
Assignee: wine-bugs@winehq.org
Reporter: oakad@yahoo.com
Distribution: ---
While starting a wine application on a Fedora 30 instance, quite a few of the root certificates can not be imported by Wine because of what appears to be a certificate parser bug. The remaining certificates still work, but those may not be enough and the bug may affect custom certificates as well.
Dmitry Timoshkov dmitry@baikal.ru changed:
What    |Removed |Added
----------------------------------------------------------------------------
Severity|major   |normal
--- Comment #1 from Dmitry Timoshkov dmitry@baikal.ru --- Please don't paste such lengthy logs, attach them instead.
Also it would be helpful to either attach or provide a reference to one of the failing certificates.
--- Comment #2 from Alex Dubov oakad@yahoo.com --- Sorry about the log dump - I have reached for the "edit" button after realizing it's that long, but to no avail.
I will attach some certs hereby.
--- Comment #3 from Alex Dubov oakad@yahoo.com --- Created attachment 64519 --> https://bugs.winehq.org/attachment.cgi?id=64519 thawte Primary Root CA - G2
--- Comment #4 from Alex Dubov oakad@yahoo.com --- Created attachment 64520 --> https://bugs.winehq.org/attachment.cgi?id=64520 VeriSign Class 3 Public Primary Certification Authority - G4
--- Comment #5 from Alex Dubov oakad@yahoo.com --- Created attachment 64521 --> https://bugs.winehq.org/attachment.cgi?id=64521 USERTrust ECC Certification Authority
pattietreutel katyaberezyaka@gmail.com changed:
What |Removed |Added
----------------------------------------------------------------------------
CC   |        |katyaberezyaka@gmail.com
--- Comment #6 from Dmitry Timoshkov dmitry@baikal.ru --- Thanks for the samples. I've added support for ASCII certificates to my test app and here are some results of my testing:
thawte Primary Root CA - G2: This one uses non-standard header/trailer with 3 instead of 5 dashes, and CryptStringToBinary() fails to decode it even under Windows. Once I add 2 more dashes CryptStringToBinary() succeeds, but then CertCreateCertificateContext() fails with error CRYPT_E_ASN1_BADTAG under both wine-4.8 and Windows 7. I haven't tested this certificate with Linux tools though.
VeriSign Class 3 Public Primary Certification Authority - G4:
USERTrust ECC Certification Authority:
These two get successfully decoded by CryptStringToBinary() and then CertCreateCertificateContext() successfully decodes it as well and I see reasonable certificate info. That's both under wine-4.8 and Windows 7.
So, the problem is not with certificate decoding and must be somewhere else. I'd guess the failure happens once someone tries to verify the certificate signature, and that hits a not supported algorithm under Wine.
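Comment #6 reports a header/trailer with 3 instead of 5 dashes and, separately, an ASN.1 tag error once the armor was repaired. The following is an added example, not code from this thread or from Wine: a stand-alone Python pre-check for both conditions that can be run on a certificate file before handing it to a decoder. The function names are hypothetical and the sample body is a constructed five-byte DER element, not a real certificate.

```python
import base64
import re

# Textual armor boundary: dashes, BEGIN/END, a label, dashes.
# RFC 7468 requires exactly five dashes on each side.
BOUNDARY = re.compile(r"^(-+)(BEGIN|END) ([A-Z0-9 ]+)(-+)$")

# Constructed sample: SEQUENCE { INTEGER 5 }, standing in for a certificate body.
SAMPLE_DER = bytes.fromhex("3003020105")


def make_pem(der, dashes=5):
    """Wrap DER bytes in CERTIFICATE armor with a chosen number of dashes."""
    d = "-" * dashes
    body = base64.b64encode(der).decode("ascii")
    return f"{d}BEGIN CERTIFICATE{d}\n{body}\n{d}END CERTIFICATE{d}\n"


def outer_der_problem(der):
    """Check only the outermost TLV: it must be a SEQUENCE spanning the whole body."""
    if len(der) < 2:
        return "decoded body is too short to hold a DER element"
    if der[0] != 0x30:
        return f"outer tag 0x{der[0]:02x} is not SEQUENCE (0x30)"
    if der[1] < 0x80:                      # short-form length
        header, content = 2, der[1]
    else:                                  # long form: low 7 bits = number of length octets
        n = der[1] & 0x7F
        if n == 0 or len(der) < 2 + n:
            return "outer length is indefinite or truncated"
        header, content = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if header + content != len(der):
        return f"outer length says {header + content} bytes, body has {len(der)}"
    return None


def check_pem_certificate(text):
    """Return a list of problems; an empty list means armor and outer DER look sane."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 3:
        return ["too short to be an armored certificate"]
    head, tail = BOUNDARY.match(lines[0]), BOUNDARY.match(lines[-1])
    if not head or head.group(2) != "BEGIN":
        return ["first line is not a BEGIN boundary"]
    if not tail or tail.group(2) != "END":
        return ["last line is not an END boundary"]

    problems = []
    for name, m in (("header", head), ("trailer", tail)):
        for side, dashes in (("leading", m.group(1)), ("trailing", m.group(4))):
            if len(dashes) != 5:
                problems.append(f"{name} has {len(dashes)} {side} dashes, expected 5")
    if head.group(3) != tail.group(3):
        problems.append("BEGIN and END labels differ")

    try:
        der = base64.b64decode("".join(lines[1:-1]), validate=True)
    except ValueError:                     # binascii.Error is a ValueError
        return problems + ["body is not valid base64"]

    der_problem = outer_der_problem(der)
    if der_problem:
        problems.append(der_problem)
    return problems


if __name__ == "__main__":
    for label, pem in (("five dashes", make_pem(SAMPLE_DER)),
                       ("three dashes", make_pem(SAMPLE_DER, dashes=3)),
                       ("wrong outer tag", make_pem(b"\x02\x01\x05"))):
        print(label, "->", check_pem_certificate(pem) or "ok")
```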
Dmitry Timoshkov dmitry@baikal.ru changed:
What          |Removed     |Added
----------------------------------------------------------------------------
Ever confirmed|0           |1
Status        |UNCONFIRMED |NEW
--- Comment #7 from Dmitry Timoshkov dmitry@baikal.ru --- Probably a +crypt,+bcrypt log may help.
--- Comment #8 from Alex Dubov oakad@yahoo.com --- On the other hand:
1. The certs are provided by the default Fedora install and exhibit no issues when operated upon with Openssl and other TLS utils on Fedora.
2. 004b:fixme:bcrypt:BCryptOpenAlgorithmProvider algorithm L"\377f\9eec\d340\4879\1a44\ad71\0dc0\aca8\4b4f\c055\19df\8cba\d67c\e6b2\03b0\6212\2dc5\e797\46d4\f60e\c322\68b2\3b93\475e\4db3\d630\592d\8d33\caf6\3f30\2210\5ee6"
This is simply not right - an algorithm name must be an ascii string (Openssl confirms) but instead BCryptOpenAlgorithmProvider is being fed a rubbish byte string (in all of the broken cert cases, which are more than the 3 I've provided).
To this end, I will attach another cert here (the one I care much more about) with a more extensive trace.
--- Comment #9 from Alex Dubov oakad@yahoo.com --- Created attachment 64580 --> https://bugs.winehq.org/attachment.cgi?id=64580 Amazon Root CA 4
--- Comment #10 from Alex Dubov oakad@yahoo.com --- Created attachment 64581 --> https://bugs.winehq.org/attachment.cgi?id=64581 Debug trace for Amazon Root CA 4
--- Comment #11 from Dmitry Timoshkov dmitry@baikal.ru --- (In reply to Alex Dubov from comment #8)
> On the other hand:
>
> - The certs are provided by the default Fedora install and exhibit no issues when operated upon with Openssl and other TLS utils on Fedora.
> - 004b:fixme:bcrypt:BCryptOpenAlgorithmProvider algorithm L"\377f\9eec\d340\4879\1a44\ad71\0dc0\aca8\4b4f\c055\19df\8cba\d67c\e6b2\03b0\6212\2dc5\e797\46d4\f60e\c322\68b2\3b93\475e\4db3\d630\592d\8d33\caf6\3f30\2210\5ee6"
>
> This is simply not right - an algorithm name must be an ascii string (Openssl confirms) but instead BCryptOpenAlgorithmProvider is being fed a rubbish byte string (in all of the broken cert cases, which are more than the 3 I've provided).
>
> To this end, I will attach another cert here (the one I care much more about) with a more extensive trace.
Something is wrong with your Wine build. I've downloaded ca-bundle provided by Fedora 30 ca-certificates-2018.2.26-3.fc30.noarch.rpm:
$> sha1sum ca-certificates-2018.2.26-3.fc30.noarch.rpm
e59f5725b3ca1b008a1641ef1ccecd4cac53c836 ca-certificates-2018.2.26-3.fc30.noarch.rpm
and extracted ca-bundle.trust.p11-kit from it:
$ sha1sum ca-bundle.trust.p11-kit
c68ae92fff329a21be3ffcee64de7800ce75f601 ca-bundle.trust.p11-kit
Then I patched Wine source to use this file as a known location for CA root certificates, generated the log, and checked Amazon Root CA 4 certificate in the log: it gets loaded and its signature is verified just fine. I don't see a strange-looking BCryptOpenAlgorithmProvider() call in the log, instead I see a perfectly valid BCryptOpenAlgorithmProvider("ECDSA_P384",...).
Did you build Wine from source or using some pre-built binary package?
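Comments #8 and #11 turn on one distinction: whether BCryptOpenAlgorithmProvider was asked for a readable algorithm name that is merely unsupported, or was handed a string of escaped non-ASCII characters. The following is an added example, not code from this thread or from Wine: a Python triage pass over a +chain,+bcrypt trace that groups each such fixme with the certificate it follows and decodes the chain error status into CERT_TRUST_* bits from wincrypt.h. The log lines, certificate names and EXAMPLE_ALG are constructed for the example, and the line patterns assume the trace format quoted on this page.

```python
import re

# Line shapes as they appear in the trace quoted on this page.
SUBJECT = re.compile(r'trace:chain:dump_element issued to L"(.*)"')
ALG = re.compile(r'fixme:bcrypt:BCryptOpenAlgorithmProvider algorithm L"(.*)" not supported')
STATUS = re.compile(r'trace:chain:CertGetCertificateChain error status: ([0-9a-fA-F]{8})')
# Non-ASCII wide characters show up in the trace as a backslash and four hex digits.
ESCAPED_WCHAR = re.compile(r'\\[0-9a-fA-F]{4}')

# CERT_TRUST_* error-status bits (wincrypt.h).
TRUST_BITS = {
    0x01: "CERT_TRUST_IS_NOT_TIME_VALID",
    0x02: "CERT_TRUST_IS_NOT_TIME_NESTED",
    0x04: "CERT_TRUST_IS_REVOKED",
    0x08: "CERT_TRUST_IS_NOT_SIGNATURE_VALID",
    0x10: "CERT_TRUST_IS_NOT_VALID_FOR_USAGE",
    0x20: "CERT_TRUST_IS_UNTRUSTED_ROOT",
    0x40: "CERT_TRUST_REVOCATION_STATUS_UNKNOWN",
    0x80: "CERT_TRUST_IS_CYCLIC",
}

# Constructed sample trace (not taken from the attachments in this bug).
SAMPLE_LOG = r'''
004b:trace:chain:CertGetCertificateChain error status: 00000020
004b:trace:chain:dump_element issued to L"Example ECC Root A"
004b:fixme:bcrypt:BCryptOpenAlgorithmProvider algorithm L"\377f\9eec\d340" not supported
004b:trace:chain:CRYPT_CheckRootCert Last certificate's signature is invalid
004b:trace:chain:CertGetCertificateChain error status: 00000028
004b:trace:chain:dump_element issued to L"Example ECC Root B"
004b:fixme:bcrypt:BCryptOpenAlgorithmProvider algorithm L"EXAMPLE_ALG" not supported
004b:trace:chain:CertGetCertificateChain error status: 00000028
004b:trace:chain:dump_element issued to L"Example RSA Root"
004b:trace:chain:CertGetCertificateChain error status: 00000000
'''


def decode_status(hex_status):
    """Turn an 8-digit hex error status into the list of CERT_TRUST_* bits set."""
    value = int(hex_status, 16)
    return [name for bit, name in sorted(TRUST_BITS.items()) if value & bit]


def classify_algorithm(name):
    """'garbage-name' if the requested name cannot be a plain ASCII identifier."""
    if not name or ESCAPED_WCHAR.search(name):
        return "garbage-name"
    if not name.isascii() or not name.isprintable():
        return "garbage-name"
    return "unsupported-name"


def triage(log_text):
    """Return one finding per 'not supported' fixme, tied to the preceding certificate."""
    findings, subject, pending = [], None, None
    for line in log_text.splitlines():
        m = SUBJECT.search(line)
        if m:
            subject, pending = m.group(1), None
            continue
        m = ALG.search(line)
        if m:
            pending = {"subject": subject,
                       "verdict": classify_algorithm(m.group(1)),
                       "status": []}
            findings.append(pending)
            continue
        m = STATUS.search(line)
        if m and pending is not None:      # first status after the fixme belongs to it
            pending["status"] = decode_status(m.group(1))
            pending = None
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["subject"], f["verdict"], ",".join(f["status"]))
```

A "garbage-name" verdict points at the caller passing a bad pointer or buffer rather than at a missing algorithm implementation, which is the distinction the two commenters are arguing about.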
--- Comment #12 from Alex Dubov oakad@yahoo.com --- All I did was:
dnf -y install wine
No custom repos, clean fedora install.
Seems like fedora 30 is distributing a broken wine then?
--- Comment #13 from Alex Dubov oakad@yahoo.com --- Surprisingly, the issue appears even if I install the RPMs from winehq repo. So it's not a wine build, but rather something strange with Fedora 30 in general.
--- Comment #14 from Alex Dubov oakad@yahoo.com --- On the other hand, may it be something with my application?
It's a mingw executable loading an MSVC 141 compiled dll.
Yet, the cert loading is initiated by Wine in a dedicated thread (not directly by my app), and only some certs exhibit issues.
--- Comment #15 from Dmitry Timoshkov dmitry@baikal.ru --- (In reply to Alex Dubov from comment #14)
> On the other hand, may it be something with my application?
>
> It's a mingw executable loading an MSVC 141 compiled dll.
Does your application patch/hook the APIs?
> Yet, the cert loading is initiated by Wine in a dedicated thread (not directly by my app), and only some certs exhibit issues.
I guess only some certificates require CNG to verify the signature.
Could you please generate +relay,+seh,+tid,+crypt,+bcrypt,+chain log, compress it, and either attach it here or upload it somewhere if it's too big?
Marcin Juszkiewicz marcin-wine@juszkiewicz.com.pl changed:
What |Removed |Added
----------------------------------------------------------------------------
CC   |        |marcin-wine@juszkiewicz.com.pl
--- Comment #16 from Marcin Juszkiewicz marcin-wine@juszkiewicz.com.pl --- Diablo III (game, launcher, installer) fail with link to https://eu.battle.net/support/pl/article/161075 page.
Instructions say 'fetch https://dl.cacerts.digicert.com/DigiCertAssuredIDRootCA.crt' and add it. My Fedora 30 installation already knows that certificate.
--- Comment #17 from Marcin Juszkiewicz marcin-wine@juszkiewicz.com.pl --- When I started Diablo III installer with WINEDEBUG=+relay,+seh,+tid,+crypt,+bcrypt,+chain then installation was running fine.
--- Comment #18 from Dmitry Timoshkov dmitry@baikal.ru --- (In reply to Marcin Juszkiewicz from comment #16)
> Diablo III (game, launcher, installer) fail with link to https://eu.battle.net/support/pl/article/161075 page.
>
> Instructions say 'fetch https://dl.cacerts.digicert.com/DigiCertAssuredIDRootCA.crt' and add it. My Fedora 30 installation already knows that certificate.
Why do you think that this problem is related to this bug report?
--- Comment #19 from Marcin Juszkiewicz marcin-wine@juszkiewicz.com.pl --- (In reply to Dmitry Timoshkov from comment #18)
> Why do you think that this problem is related to this bug report?
Same host os, wine app reporting issue with loading root certificate present in host os.
But could be wrong - then I can open a new bug.
Berillions berillions@gmail.com changed:
What |Removed |Added
----------------------------------------------------------------------------
CC   |        |berillions@gmail.com
--- Comment #20 from Berillions berillions@gmail.com --- Hello guys,
do you know how Wine/Wine-Staging is built on Fedora? Are Wine's binaries built with GCC-8 or GCC-9?
Because on Gentoo, if Wine is built with GCC-9 and if you launch EA Origin, there are a lot of bcrypt warnings like this: https://pastebin.com/hj6TZEXr
and EA Origin runs but is unable to log in to your account because you get the error message: "Online connection currently unavailable."
Rebuilding Wine/Wine-Staging with GCC-8 fixes the issue.
--- Comment #21 from Rosanne DiMesio dimesio@earthlink.net --- (In reply to Berillions from comment #20)
> do you know how Wine/Wine-Staging is built on Fedora? Are Wine's binaries built with GCC-8 or GCC-9?
The WineHQ Fedora 30 packages are built with GCC-9. AFAICT, GCC-8 is not available in the Fedora 30 standard or update repository.
--- Comment #22 from Rosanne DiMesio dimesio@earthlink.net --- FYI, if anyone wants to look at a build log, the latest WineHQ package build logs are publicly available on the OBS.
https://build.opensuse.org/package/show/Emulators:Wine:Fedora/wine-devel
https://build.opensuse.org/package/show/Emulators:Wine:Fedora/wine-staging
Simply click the "succeeded" link for the log you want to view.
--- Comment #23 from Andrey Gusev andrey.goosev@gmail.com --- Should be fixed by https://source.winehq.org/git/wine.git/commit/9afc341c4f043240f0dc3de6351550...
Hans Leidekker hans@meelstraat.net changed:
What         |Removed |Added
----------------------------------------------------------------------------
Fixed by SHA1|        |9afc341c4f043240f0dc3de6351550b03d24b131
Status       |NEW     |RESOLVED
Resolution   |---     |FIXED
--- Comment #24 from Hans Leidekker hans@meelstraat.net --- Assuming this is fixed by 9afc341c4f043240f0dc3de6351550b03d24b131.
Michael Stefaniuc mstefani@winehq.org changed:
What            |Removed |Added
----------------------------------------------------------------------------
Target Milestone|---     |4.0.x
Alexandre Julliard julliard@winehq.org changed:
What  |Removed  |Added
----------------------------------------------------------------------------
Status|RESOLVED |CLOSED
--- Comment #25 from Alexandre Julliard julliard@winehq.org --- Closing bugs fixed in 4.18.
Michael Stefaniuc mstefani@winehq.org changed:
What            |Removed |Added
----------------------------------------------------------------------------
Target Milestone|4.0.x   |---
--- Comment #26 from Michael Stefaniuc mstefani@winehq.org --- Removing the 4.0.x milestone from bug fixes included in 4.0.3.