Wine-Bug: https://bugs.winehq.org/show_bug.cgi?id=56559
I initially made some comments on this in https://gitlab.winehq.org/wine/wine/-/merge_requests/7112.
While this is probably also not for code freeze and the problems addressed by this MR are orthogonal to !7112, that one might make the problem solved here more likely to trigger, so it is probably best to have both at once.
The most unobvious part is that while CertGetCertificateChain() places errors for unknown revocation status for intermediate certs in the chain structure and in the chain-global TrustStatus.dwErrorStatus, CertVerifyCertificateChainPolicy() ignores those (without any flags suggesting that passed) unless the error relates to the end (first in chain) certificate. I could suspect that something is going wrong in my faking of errors in the chain structure. So I tested it directly by simulating real offline revocation (in the attached test program, which uses the same encoded certs as in !7112) and this test confirms the behaviour. It also additionally confirms that the CERT_TRUST_IS_OFFLINE_REVOCATION flag for TrustStatus.dwErrorStatus is not set without CERT_TRUST_REVOCATION_STATUS_UNKNOWN in the chain structure (which is also fixed by this MR).
[revocchain.c](/uploads/122fa673861398fb7b7bcb18bc73c5a3/revocchain.c)
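As an added illustration (not Wine's crypt32 code and not the attached test program), the following C model reproduces the two behaviours described above with plain structs: the chain-global error status is the OR of the per-element statuses, an offline revocation check sets both CERT_TRUST_REVOCATION_STATUS_UNKNOWN and CERT_TRUST_IS_OFFLINE_REVOCATION on the element, and the base policy check only fails on a revocation error carried by element 0. The struct and function names are hypothetical; the flag values are the ones from wincrypt.h.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>

/* Flag values as defined in wincrypt.h. */
#define CERT_TRUST_NO_ERROR                  0x00000000u
#define CERT_TRUST_REVOCATION_STATUS_UNKNOWN 0x00000040u
#define CERT_TRUST_IS_OFFLINE_REVOCATION     0x01000000u

/* Hypothetical stand-in for CERT_CHAIN_ELEMENT: only the error status matters here. */
struct chain_element { uint32_t error_status; };

/* Model of the fixed behaviour: an element whose revocation status could not be
 * determined because the revocation source was offline carries both flags. */
static void mark_offline_revocation(struct chain_element *el)
{
    el->error_status |= CERT_TRUST_REVOCATION_STATUS_UNKNOWN
                      | CERT_TRUST_IS_OFFLINE_REVOCATION;
}

/* Model of the chain-global TrustStatus.dwErrorStatus: OR of all element errors. */
static uint32_t chain_error_status(const struct chain_element *els, size_t n)
{
    uint32_t status = CERT_TRUST_NO_ERROR;
    for (size_t i = 0; i < n; i++) status |= els[i].error_status;
    return status;
}

/* Model of the observed CertVerifyCertificateChainPolicy() behaviour: an unknown
 * revocation status only fails the policy when it sits on element 0 (the end
 * certificate); the same flag on an intermediate is ignored even though it is
 * also present in the chain-global status. Returns true when the policy passes. */
static bool base_policy_revocation_ok(const struct chain_element *els, size_t n)
{
    if (n == 0) return false;
    return !(els[0].error_status & CERT_TRUST_REVOCATION_STATUS_UNKNOWN);
}

/* Constructed scenario: three-element chain, only the intermediate (element 1)
 * had an offline revocation check. The chain-global status reports both flags,
 * yet the policy check still passes. */
static bool intermediate_offline_passes_policy(void)
{
    struct chain_element chain[3] = { {0}, {0}, {0} };
    mark_offline_revocation(&chain[1]);
    uint32_t global = chain_error_status(chain, 3);
    bool both_flags = (global & CERT_TRUST_REVOCATION_STATUS_UNKNOWN)
                   && (global & CERT_TRUST_IS_OFFLINE_REVOCATION);
    return both_flags && base_policy_revocation_ok(chain, 3);
}

/* Constructed scenario: the same error on the end certificate fails the policy. */
static bool end_entity_offline_fails_policy(void)
{
    struct chain_element chain[2] = { {0}, {0} };
    mark_offline_revocation(&chain[0]);
    return !base_policy_revocation_ok(chain, 2);
}
```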