http://bugs.winehq.org/show_bug.cgi?id=58342
Bug ID: 58342
Summary: Loading/Generating SSL certificate for game server fails (PFXImportCertStore flags 00000100 not supported)
Product: Wine
Version: 10.9
Hardware: x86-64
OS: Linux
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: crypt32
Assignee: wine-bugs@winehq.org
Reporter: madbyte@tuta.io
Distribution: ---
Created attachment 78719 --> http://bugs.winehq.org/attachment.cgi?id=78719
wine generate log with WINEDEBUG=+crypt
I'm trying to run an in-dev game server for SPTarkov: https://github.com/sp-tarkov/server-csharp
The software tries to generate a new cert via the following code: https://github.com/sp-tarkov/server-csharp/blob/main/Libraries/SPTarkov.Serv...
Compiling the server for Linux natively and running it works fine & a certificate.pfx file is created with no issues.
When running the server through wine (main use case), cert creation fails with the following lines (see attached log ''):
01c4:trace:crypt:PFXIsPFXBlob (00007F2C1898A390)
01c4:trace:crypt:CryptQueryObject returning 1
01c4:fixme:crypt:PFXImportCertStore flags 00000100 not supported
System.Security.Cryptography.CryptographicException: Success.
   at System.Security.Cryptography.X509Certificates.X509CertificateLoader.ImportPfx(ReadOnlySpan`1 data, ReadOnlySpan`1 password, X509KeyStorageFlags keyStorageFlags)
When generating a cert file via the Linux native server & then trying to run the Windows server, I get the following lines:
01dc:trace:crypt:CryptQueryObject returning 1
01dc:fixme:thread:NtQueryInformationThread ThreadIdealProcessorEx info class - stub
01dc:fixme:thread:SetThreadIdealProcessorEx (FFFFFFFFFFFFFFFE 00007F2E5AB99EC0 00007F2E5AB99EC0): stub
01dc:fixme:crypt:PFXImportCertStore flags 00000100 not supported
01dc:fixme:thread:NtQueryInformationThread ThreadIdealProcessorEx info class - stub
01dc:fixme:thread:SetThreadIdealProcessorEx (FFFFFFFFFFFFFFFE 00007F2E5AB979F0 00007F2E5AB979F0): stub
System.Security.Cryptography.CryptographicException: Success.
   at System.Security.Cryptography.X509Certificates.X509CertificateLoader.ImportPfx(ReadOnlySpan`1 data, ReadOnlySpan`1 password, X509KeyStorageFlags keyStorageFlags)
Since `01dc:fixme:crypt:PFXImportCertStore flags 00000100 not supported` is in both logs, it's possible that the `PKCS12_PREFER_CNG_KSP` flag might be the issue: https://github.com/wine-mirror/wine/blob/master/include/wincrypt.h#L3993
Thanks.
--- Comment #1 from Lars Loe madbyte@tuta.io ---
Created attachment 78720 --> http://bugs.winehq.org/attachment.cgi?id=78720
wine import log with WINEDEBUG=+crypt
Lars Loe madbyte@tuta.io changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |madbyte@tuta.io
Lars Loe madbyte@tuta.io changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                URL|                            |https://github.com/sp-tarkov/server-csharp
           Keywords|                            |dotnet, source
--- Comment #2 from Hans Leidekker hans@meelstraat.net ---
Created attachment 78727 --> http://bugs.winehq.org/attachment.cgi?id=78727
patch
Right, we're returning NULL for this unsupported flag but we could ignore it since it's just a preference. Something like this patch may help.
--- Comment #3 from Dmitry Timoshkov dmitry@baikal.ru ---
(In reply to Hans Leidekker from comment #2)
> Created attachment 78727 [details] patch
> Right, we're returning NULL for this unsupported flag but we could ignore it since it's just a preference. Something like this patch may help.
Shouldn't 'if (flags == PKCS12_PREFER_CNG_KSP)' be 'if (flags & PKCS12_PREFER_CNG_KSP)' instead?
--- Comment #4 from Hans Leidekker hans@meelstraat.net ---
(In reply to Dmitry Timoshkov from comment #3)
> (In reply to Hans Leidekker from comment #2)
> > Created attachment 78727 [details] patch
> > Right, we're returning NULL for this unsupported flag but we could ignore it since it's just a preference. Something like this patch may help.
> Shouldn't 'if (flags == PKCS12_PREFER_CNG_KSP)' be 'if (flags & PKCS12_PREFER_CNG_KSP)' instead?
That would accept combinations of PKCS12_PREFER_CNG_KSP and unsupported flags.
--- Comment #5 from Lars Loe madbyte@tuta.io ---
I think I might have messed up the generate code snippet, mb. Instead of flag 0x00000100 on PFXImportCertStore it shows:
01bc:fixme:ncrypt:NCryptSetProperty flags 0x40000000 not supported
01bc:fixme:ncrypt:NCryptSetProperty flags 0x80000000 not supported
01bc:trace:crypt:CryptQueryObject (00000002, 00007F22D18AA228, 00001522, 0000000e, 00000000, 00007F22D18AA220, 00007F22D18AA260, 00007F22D18AA218, 00007F22D18AA128, 00007F22D18AA120, 00007F22D18AA118)
Attachment: wine generate log with WINEDEBUG=+crypt
Not sure if this might be the actual reason on cert gen.
Thanks for your work :)
Zeb Figura z.figura12@gmail.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |z.figura12@gmail.com
--- Comment #6 from Zeb Figura z.figura12@gmail.com ---
(In reply to Hans Leidekker from comment #4)
> (In reply to Dmitry Timoshkov from comment #3)
> > (In reply to Hans Leidekker from comment #2)
> > > Created attachment 78727 [details] patch
> > > Right, we're returning NULL for this unsupported flag but we could ignore it since it's just a preference. Something like this patch may help.
> > Shouldn't 'if (flags == PKCS12_PREFER_CNG_KSP)' be 'if (flags & PKCS12_PREFER_CNG_KSP)' instead?
> That would accept combinations of PKCS12_PREFER_CNG_KSP and unsupported flags.
Not to bikeshed further, but wouldn't it be clearer (and more idiomatic?) to write
    if (flags & PKCS12_PREFER_CNG_KSP)
        FIXME("ignoring PKCS12_PREFER_CNG_KSP\n");
    if (flags & ~supported)
        FIXME("unsupported flags %#x\n", flags & ~supported);
That results in a double fixme, but both statements are true.
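The flag-check discussion in comments #3 to #6, as an added example that is not part of the thread and not Wine's code or the attached patch: it models the `==` and `&` conditions as early-accept checks in front of a strict mask and compares them with a plain mask check. Assumptions: `SUPPORTED` is an illustrative set, and the `accept_*` function names and sample inputs are constructed here.

```c
#include <stdio.h>

/* Flag values from the Windows SDK's wincrypt.h; 0x100 is the value in the logs. */
#define CRYPT_EXPORTABLE       0x00000001u
#define PKCS12_PREFER_CNG_KSP  0x00000100u
#define PKCS12_ALWAYS_CNG_KSP  0x00000200u

/* Assumption for this example: the only flag the import path implements. */
#define SUPPORTED  CRYPT_EXPORTABLE
/* Flags that can be ignored because they only express a preference. */
#define IGNORABLE  PKCS12_PREFER_CNG_KSP

/* Each function returns 1 if the import would go ahead, 0 if it would fail. */

/* Equality test: tolerates the preference flag only when it is passed alone. */
static int accept_equality(unsigned int flags)
{
    if (flags == PKCS12_PREFER_CNG_KSP) return 1;
    return (flags & ~SUPPORTED) == 0;
}

/* Bit test used as a shortcut: anything combined with the flag gets through. */
static int accept_bit_test(unsigned int flags)
{
    if (flags & PKCS12_PREFER_CNG_KSP) return 1;
    return (flags & ~SUPPORTED) == 0;
}

/* Mask approach: drop the ignorable bits, then reject whatever is left over. */
static int accept_masked(unsigned int flags)
{
    return (flags & ~(SUPPORTED | IGNORABLE)) == 0;
}

int main(void)
{
    const unsigned int samples[] = {   /* constructed inputs */
        PKCS12_PREFER_CNG_KSP,
        PKCS12_PREFER_CNG_KSP | CRYPT_EXPORTABLE,
        PKCS12_PREFER_CNG_KSP | PKCS12_ALWAYS_CNG_KSP,
        PKCS12_ALWAYS_CNG_KSP,
    };
    puts("flags       ==  &  mask");
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("0x%08x  %d   %d  %d\n", samples[i], accept_equality(samples[i]),
               accept_bit_test(samples[i]), accept_masked(samples[i]));
    return 0;
}
```

Under these assumptions the equality form turns away the preference flag when it is combined with a supported flag, and the bit-test shortcut lets an unimplemented flag through alongside it; the mask form does neither.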
Lars Loe madbyte@tuta.io changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
 Attachment #78720 is obsolete|0                           |1
--- Comment #7 from Lars Loe madbyte@tuta.io ---
Created attachment 78738 --> http://bugs.winehq.org/attachment.cgi?id=78738
Import log with patch1_20250610 WINEDEBUG=+crypt
--- Comment #8 from Lars Loe madbyte@tuta.io ---
(In reply to Hans Leidekker from comment #4)
> (In reply to Dmitry Timoshkov from comment #3)
> > (In reply to Hans Leidekker from comment #2)
> > > Created attachment 78727 [details] patch
> > > Right, we're returning NULL for this unsupported flag but we could ignore it since it's just a preference. Something like this patch may help.
> > Shouldn't 'if (flags == PKCS12_PREFER_CNG_KSP)' be 'if (flags & PKCS12_PREFER_CNG_KSP)' instead?
> That would accept combinations of PKCS12_PREFER_CNG_KSP and unsupported flags.
Tried your patch file with latest wine-git.
Nothing changed for cert generation, same crash log as posted above.
On cert import I get further than before, but now GnuTLS fails with:
01ac:fixme:crypt:PFXImportCertStore ignoring PKCS12_PREFER_CNG_KSP
01ac:trace:crypt:gnutls_log <3> ASSERT: ../../../lib/x509/pkcs7-crypt.c[_gnutls_pkcs_raw_decrypt_data]:1234
01ac:trace:crypt:gnutls_log <3> ASSERT: ../../../lib/x509/privkey_pkcs8.c[pkcs8_key_decrypt]:780
01ac:trace:crypt:gnutls_log <3> ASSERT: ../../../lib/x509/privkey_pkcs8.c[gnutls_x509_privkey_import_pkcs8]:1752
01ac:trace:crypt:gnutls_log <3> ASSERT: ../../../lib/x509/pkcs12.c[gnutls_pkcs12_simple_parse]:1752
GnuTLS error: Decryption failed.
System.Security.Cryptography.CryptographicException: Success.
   at System.Security.Cryptography.X509Certificates.X509CertificateLoader.ImportPfx(ReadOnlySpan`1 data, ReadOnlySpan`1 password, X509KeyStorageFlags keyStorageFlags)
I assume this needs to be reported to the GnuTLS project instead?