From: Bruno Jesus <00cpxxx@gmail.com> Subject: crypt32: CertGetIssuerCertificateFromStore must return error for self-signed certificates Message-Id: Date: Tue, 22 Jul 2014 20:43:06 -0300 Thanks for Anastasius Focht for the analysis and Juan Lang for the assistance. Fixes bug http://bugs.winehq.org/show_bug.cgi?id=33742 diff --git a/dlls/crypt32/cert.c b/dlls/crypt32/cert.c index 074b924..34fb85d 100644 --- a/dlls/crypt32/cert.c +++ b/dlls/crypt32/cert.c @@ -1882,6 +1882,12 @@ PCCERT_CONTEXT WINAPI CertGetIssuerCertificateFromStore(HCERTSTORE hCertStore, { CertFreeCertificateContext(ret); ret = NULL; + } + if (CRYPT_IsCertificateSelfSigned(pSubjectContext)) + { + CertFreeCertificateContext(ret); + ret = NULL; + SetLastError(CRYPT_E_SELF_SIGNED); } } TRACE("returning %p\n", ret); diff --git a/dlls/crypt32/chain.c b/dlls/crypt32/chain.c index 94d228a..056910f 100644 --- a/dlls/crypt32/chain.c +++ b/dlls/crypt32/chain.c @@ -265,7 +265,7 @@ typedef struct _CertificateChain LONG ref; } CertificateChain; -static BOOL CRYPT_IsCertificateSelfSigned(PCCERT_CONTEXT cert) +BOOL CRYPT_IsCertificateSelfSigned(PCCERT_CONTEXT cert) { PCERT_EXTENSION ext; DWORD size; diff --git a/dlls/crypt32/crypt32_private.h b/dlls/crypt32/crypt32_private.h index 02bd902..fb5c5c3 100644 --- a/dlls/crypt32/crypt32_private.h +++ b/dlls/crypt32/crypt32_private.h @@ -337,6 +337,7 @@ WINECRYPT_CERTSTORE *CRYPT_FileNameOpenStoreA(HCRYPTPROV hCryptProv, WINECRYPT_CERTSTORE *CRYPT_FileNameOpenStoreW(HCRYPTPROV hCryptProv, DWORD dwFlags, const void *pvPara) DECLSPEC_HIDDEN; WINECRYPT_CERTSTORE *CRYPT_RootOpenStore(HCRYPTPROV hCryptProv, DWORD dwFlags) DECLSPEC_HIDDEN; +BOOL CRYPT_IsCertificateSelfSigned(PCCERT_CONTEXT cert) DECLSPEC_HIDDEN; /* Allocates and initializes a certificate chain engine, but without creating * the root store. Instead, it uses root, and assumes the caller has done any diff --git a/dlls/crypt32/tests/cert.c b/dlls/crypt32/tests/cert.c index a19ef1e..259361c 100644 
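Review bot: In the cert.c hunk, the new self-signed block runs even when the verification branch just above it has already freed `ret` and set it to NULL. In that case `CertFreeCertificateContext(ret)` is called with a NULL context, and the error left by the failed verification is replaced by CRYPT_E_SELF_SIGNED. If the override is not wanted, guard the condition as `if (ret && CRYPT_IsCertificateSelfSigned(pSubjectContext))`; if it is wanted, keep the logic and add a comment such as `/* a self-signed subject has no issuer to return, even when verification already failed */`. The two closing braces after the block suggest it sits inside the branch taken only when a candidate issuer was found, so a self-signed subject with no match in the store would presumably still report the lookup error. The function begins and ends outside the hunk, so both points should be checked against the full body.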
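Review bot: In the chain.c hunk, CRYPT_IsCertificateSelfSigned loses `static` and becomes a shared helper without gaining a comment that states its contract. Only its first two locals (`ext`, `size`) are visible here, so it cannot be told from the hunk whether it compares names, compares key identifiers or verifies the signature. A public API's result now depends on it, so that distinction matters to callers. I would add above the definition something like `/* Returns TRUE if cert is its own issuer. TODO: state which fields are compared and whether the signature is verified. */` and fill in the details from the body.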
--- a/dlls/crypt32/tests/cert.c +++ b/dlls/crypt32/tests/cert.c @@ -1728,9 +1728,7 @@ static void testGetIssuerCert(void) SetLastError(0xdeadbeef); flags = 0; parent = CertGetIssuerCertificateFromStore(store, cert3, NULL, &flags); -todo_wine ok(!parent, "Expected NULL\n"); -todo_wine ok(GetLastError() == CRYPT_E_SELF_SIGNED, "Expected CRYPT_E_SELF_SIGNED, got %08X\n", GetLastError()); CertFreeCertificateContext(child); @@ -1747,9 +1745,7 @@ todo_wine ok(cert1 != NULL, "CertEnumCertificatesInStore should have worked\n"); SetLastError(0xdeadbeef); parent = CertGetIssuerCertificateFromStore(store, cert1, NULL, &flags); -todo_wine ok(!parent, "Expected NULL\n"); -todo_wine ok(GetLastError() == CRYPT_E_SELF_SIGNED, "Expected CRYPT_E_SELF_SIGNED, got %08X\n", GetLastError()); CertCloseStore(store, 0);