Hi Juan,

I need some advice.

Attached is a patch to fix bug 34388, where an app that tries to verify its 
code signature fails because Wine, while parsing the certificates embedded 
within the signature, encounters an item in the CMS signer info (tag 0x31, i.e. 
ASN_UNIVERSAL | ASN_CONSTRUCTOR | 0x11), right before the 
HashEncryptionAlgorithm sequence item, that it doesn't yet know how to decode. 
This patch (which just skips the item in question) allows that app to 
successfully verify its code signature and run, but...

My testing on Windows (cf. job 2037 on newtestbot) shows some interesting 
behavior. Windows will indeed accept this item, but only if the AuthAttrs item 
is also present and immediately precedes it in the sequence. (The other test 
bails out with CRYPT_E_ASN_BADTAG.) I don't quite know what to make of this. 
The odd thing is that the certificate in question doesn't have this optional 
AuthAttrs item, and yet (in most cases, at least) most people who run this 
particular app on Windows do not have this problem. I can't seem to find 
anything about this from reading the relevant RFCs. Is there something I'm 
missing?

Thanks.

Chip

Attachment: 0001-crypt32-Skip-unknown-item-when-decoding-a-CMS-certif.patch
Description: Binary data
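The tag arithmetic in the message above (0x31 = ASN_UNIVERSAL | ASN_CONSTRUCTOR | 0x11, a universal constructed SET), as an added example that is not part of the original message or of Wine's crypt32 code: a small DER walker that lists the identifier octets of a SignerInfo-shaped sequence, so an unexpected child can be located by position. The names `der_next` and `der_child_tags` are hypothetical, and the sample bytes are constructed with empty placeholder elements; they are not the signature from bug 34388.

```c
#include <stddef.h>
#include <stdio.h>
/* One DER element: identifier octet split into its parts, plus the content span. */
struct tlv { unsigned char tag, cls, constructed, number; const unsigned char *val; size_t len; };

/* Decode one TLV (low-tag-number form only). Returns bytes consumed, 0 if malformed. */
static size_t der_next(const unsigned char *p, size_t avail, struct tlv *out)
{
    size_t hdr = 2, len, i, n;
    if (avail < 2 || (p[0] & 0x1f) == 0x1f) return 0;
    out->tag = p[0]; out->cls = p[0] >> 6;       /* class 0 = universal, 2 = context-specific */
    out->constructed = (p[0] >> 5) & 1; out->number = p[0] & 0x1f;  /* 0x31: constructed, 0x11 (SET) */
    len = p[1];
    if (len & 0x80) {                            /* long form: low 7 bits count length octets */
        n = len & 0x7f;
        if (n == 0 || n > sizeof(size_t) || avail < 2 + n) return 0;
        for (len = 0, i = 0; i < n; i++) len = (len << 8) | p[2 + i];
        hdr += n;
    }
    if (len > avail - hdr) return 0;             /* content must fit in the buffer */
    out->val = p + hdr; out->len = len;
    return hdr + len;
}

/* Tags of a constructed element's direct children; -1 if malformed or more than max. */
static int der_child_tags(const unsigned char *buf, size_t len, unsigned char *tags, int max)
{
    struct tlv outer, child;
    size_t used, off = 0;
    int count = 0;
    if (!der_next(buf, len, &outer) || !outer.constructed) return -1;
    for (; off < outer.len; off += used) {
        used = der_next(outer.val + off, outer.len - off, &child);
        if (!used || count == max) return -1;
        tags[count++] = child.tag;
    }
    return count;
}

/* Constructed sample, not taken from the bug: SignerInfo-shaped SEQUENCE with a 0x31 child. */
static const unsigned char sample_signer_info[] = {
    0x30,0x0e, 0x02,0x01,0x01, 0x30,0x00, 0x30,0x00, 0x31,0x00, 0x30,0x00, 0x04,0x01,0x00 };

int main(void)
{
    unsigned char tags[8];
    int i, n = der_child_tags(sample_signer_info, sizeof(sample_signer_info), tags, 8);
    for (i = 0; i < n; i++) printf("child %d: tag 0x%02x\n", i, tags[i]);
    return n < 0;
}
```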


