Original patch by Michael Müller.
Root certificates don't have CRL Distribution Point or Authority Info Access field. Don't report error with CERT_CHAIN_REVOCATION_CHECK_CHAIN in CertGetCertificateChain() because of this.
Signed-off-by: Zhiyi Zhang zzhang@codeweavers.com --- dlls/crypt32/chain.c | 8 ++++++++ dlls/crypt32/tests/chain.c | 6 +++--- 2 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/dlls/crypt32/chain.c b/dlls/crypt32/chain.c index d7015d797d..f77010a0fa 100644 --- a/dlls/crypt32/chain.c +++ b/dlls/crypt32/chain.c @@ -2698,6 +2698,14 @@ static void CRYPT_VerifyChainRevocation(PCERT_CHAIN_CONTEXT chain, ret = CertVerifyRevocation(X509_ASN_ENCODING, CERT_CONTEXT_REVOCATION_TYPE, 1, (void **)&certToCheck, revocationFlags, &revocationPara, &revocationStatus); + + if (!ret && revocationStatus.dwError == CRYPT_E_NO_REVOCATION_CHECK + && revocationPara.pIssuerCert == NULL) + { + WARN("Unable to find CRL or AIA for CA certificate\n"); + ret = TRUE; + } + if (!ret) { PCERT_CHAIN_ELEMENT element = CRYPT_FindIthElementInChain( diff --git a/dlls/crypt32/tests/chain.c b/dlls/crypt32/tests/chain.c index c997068a06..3503eb3e92 100644 --- a/dlls/crypt32/tests/chain.c +++ b/dlls/crypt32/tests/chain.c @@ -4153,9 +4153,9 @@ static void testGetCertChain(void)
ret = CertGetCertificateChain(NULL, cert, &fileTime, store, ¶, CERT_CHAIN_REVOCATION_CHECK_CHAIN, NULL, &chain); ok(ret, "CertGetCertificateChain failed: %u\n", GetLastError()); - todo_wine ok(!chain->TrustStatus.dwErrorStatus - || broken(chain->TrustStatus.dwErrorStatus == CERT_TRUST_REVOCATION_STATUS_UNKNOWN), /* XP */ - "chain->TrustStatus.dwErrorStatus = %x\n", chain->TrustStatus.dwErrorStatus); + ok(!chain->TrustStatus.dwErrorStatus + || broken(chain->TrustStatus.dwErrorStatus == CERT_TRUST_REVOCATION_STATUS_UNKNOWN), /* XP */ + "chain->TrustStatus.dwErrorStatus = %x\n", chain->TrustStatus.dwErrorStatus);
ret = CertGetCertificateChain(NULL, cert, &fileTime, store, ¶, CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT, NULL, &chain);