sync crypt32_winetest with wine 1.1.34
authorChristoph von Wittich <christoph_vw@reactos.org>
Sun, 6 Dec 2009 09:36:50 +0000 (09:36 +0000)
committerChristoph von Wittich <christoph_vw@reactos.org>
Sun, 6 Dec 2009 09:36:50 +0000 (09:36 +0000)
svn path=/trunk/; revision=44432

rostests/winetests/crypt32/cert.c
rostests/winetests/crypt32/chain.c
rostests/winetests/crypt32/crl.c
rostests/winetests/crypt32/encode.c
rostests/winetests/crypt32/protectdata.c

index e1c8262..0566797 100644 (file)
@@ -2541,6 +2541,29 @@ static void testGetValidUsages(void)
     CertFreeCertificateContext(contexts[2]);
 }
 
+static BYTE cn[] = {
+0x30,0x14,0x31,0x12,0x30,0x10,0x06,0x03,0x55,0x04,0x03,0x13,0x09,0x4a,0x75,
+0x61,0x6e,0x20,0x4c,0x61,0x6e,0x67 };
+static BYTE cnWithLeadingSpace[] = {
+0x30,0x15,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x03,0x13,0x0a,0x20,0x4a,
+0x75,0x61,0x6e,0x20,0x4c,0x61,0x6e,0x67 };
+static BYTE cnWithTrailingSpace[] = {
+0x30,0x15,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x03,0x13,0x0a,0x4a,0x75,
+0x61,0x6e,0x20,0x4c,0x61,0x6e,0x67,0x20 };
+static BYTE cnWithIntermediateSpace[] = {
+0x30,0x15,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x03,0x13,0x0a,0x4a,0x75,
+0x61,0x6e,0x20,0x20,0x4c,0x61,0x6e,0x67 };
+static BYTE cnThenO[] = {
+0x30,0x2d,0x31,0x2b,0x30,0x10,0x06,0x03,0x55,0x04,0x03,0x13,0x09,0x4a,0x75,
+0x61,0x6e,0x20,0x4c,0x61,0x6e,0x67,0x30,0x17,0x06,0x03,0x55,0x04,0x0a,0x13,
+0x10,0x54,0x68,0x65,0x20,0x57,0x69,0x6e,0x65,0x20,0x50,0x72,0x6f,0x6a,0x65,
+0x63,0x74 };
+static BYTE oThenCN[] = {
+0x30,0x2d,0x31,0x2b,0x30,0x10,0x06,0x03,0x55,0x04,0x0a,0x13,0x09,0x4a,0x75,
+0x61,0x6e,0x20,0x4c,0x61,0x6e,0x67,0x30,0x17,0x06,0x03,0x55,0x04,0x03,0x13,
+0x10,0x54,0x68,0x65,0x20,0x57,0x69,0x6e,0x65,0x20,0x50,0x72,0x6f,0x6a,0x65,
+0x63,0x74 };
+
 static void testCompareCertName(void)
 {
     static BYTE bogus[] = { 1, 2, 3, 4 };
@@ -2572,6 +2595,167 @@ static void testCompareCertName(void)
     blob2.cbData = sizeof(emptyPrime);
     ret = CertCompareCertificateName(0, &blob1, &blob2);
     ok(!ret, "Expected failure\n");
+    /* Tests to show that CertCompareCertificateName doesn't decode the name
+     * to remove spaces, or to do an order-independent comparison.
+     */
+    /* Compare CN="Juan Lang" with CN=" Juan Lang" */
+    blob1.pbData = cn;
+    blob1.cbData = sizeof(cn);
+    blob2.pbData = cnWithLeadingSpace;
+    blob2.cbData = sizeof(cnWithLeadingSpace);
+    ret = CertCompareCertificateName(0, &blob1, &blob2);
+    ok(!ret, "Expected failure\n");
+    ret = CertCompareCertificateName(X509_ASN_ENCODING, &blob1, &blob2);
+    ok(!ret, "Expected failure\n");
+    /* Compare CN="Juan Lang" with CN="Juan Lang " */
+    blob2.pbData = cnWithTrailingSpace;
+    blob2.cbData = sizeof(cnWithTrailingSpace);
+    ret = CertCompareCertificateName(0, &blob1, &blob2);
+    ok(!ret, "Expected failure\n");
+    ret = CertCompareCertificateName(X509_ASN_ENCODING, &blob1, &blob2);
+    ok(!ret, "Expected failure\n");
+    /* Compare CN="Juan Lang" with CN="Juan  Lang" */
+    blob2.pbData = cnWithIntermediateSpace;
+    blob2.cbData = sizeof(cnWithIntermediateSpace);
+    ret = CertCompareCertificateName(0, &blob1, &blob2);
+    ok(!ret, "Expected failure\n");
+    ret = CertCompareCertificateName(X509_ASN_ENCODING, &blob1, &blob2);
+    ok(!ret, "Expected failure\n");
+    /* Compare 'CN="Juan Lang", O="The Wine Project"' with
+     * 'O="The Wine Project", CN="Juan Lang"'
+     */
+    blob1.pbData = cnThenO;
+    blob1.cbData = sizeof(cnThenO);
+    blob2.pbData = oThenCN;
+    blob2.cbData = sizeof(oThenCN);
+    ret = CertCompareCertificateName(0, &blob1, &blob2);
+    ok(!ret, "Expected failure\n");
+    ret = CertCompareCertificateName(X509_ASN_ENCODING, &blob1, &blob2);
+    ok(!ret, "Expected failure\n");
+}
+
+static void testIsRDNAttrsInCertificateName(void)
+{
+    static char oid_1_2_3[] = "1.2.3";
+    static char oid_common_name[] = szOID_COMMON_NAME;
+    static char oid_organization[] = szOID_ORGANIZATION_NAME;
+    static char juan[] = "Juan Lang";
+    static char juan_with_leading_space[] = " Juan Lang";
+    static char juan_with_intermediate_space[] = "Juan  Lang";
+    static char juan_with_trailing_space[] = "Juan Lang ";
+    static char juan_lower_case[] = "juan lang";
+    static WCHAR juanW[] = { 'J','u','a','n',' ','L','a','n','g',0 };
+    static char the_wine_project[] = "The Wine Project";
+    BOOL ret;
+    CERT_NAME_BLOB name;
+    CERT_RDN_ATTR attr[2];
+    CERT_RDN rdn = { 0, NULL };
+
+    name.cbData = sizeof(cn);
+    name.pbData = cn;
+    if (0)
+    {
+        /* Crash */
+        ret = CertIsRDNAttrsInCertificateName(0, 0, NULL, NULL);
+        ret = CertIsRDNAttrsInCertificateName(X509_ASN_ENCODING, 0, &name,
+         NULL);
+    }
+    SetLastError(0xdeadbeef);
+    ret = CertIsRDNAttrsInCertificateName(0, 0, &name, NULL);
+    ok(!ret && GetLastError() == ERROR_FILE_NOT_FOUND,
+     "expected ERROR_FILE_NOT_FOUND, got %08x\n", GetLastError());
+    ret = CertIsRDNAttrsInCertificateName(X509_ASN_ENCODING, 0, &name, &rdn);
+    ok(ret, "CertIsRDNAttrsInCertificateName failed: %08x\n", GetLastError());
+    attr[0].pszObjId = oid_1_2_3;
+    rdn.rgRDNAttr = attr;
+    rdn.cRDNAttr = 1;
+    SetLastError(0xdeadbeef);
+    ret = CertIsRDNAttrsInCertificateName(X509_ASN_ENCODING, 0, &name, &rdn);
+    ok(!ret && GetLastError() == CRYPT_E_NO_MATCH,
+     "expected CRYPT_E_NO_MATCH, got %08x\n", GetLastError());
+    attr[0].pszObjId = oid_common_name;
+    attr[0].dwValueType = CERT_RDN_PRINTABLE_STRING;
+    attr[0].Value.cbData = strlen(juan);
+    attr[0].Value.pbData = (BYTE *)juan;
+    ret = CertIsRDNAttrsInCertificateName(X509_ASN_ENCODING, 0, &name, &rdn);
+    ok(ret, "CertIsRDNAttrsInCertificateName failed: %08x\n", GetLastError());
+    /* Again, spaces are not removed for name comparison. */
+    attr[0].Value.cbData = strlen(juan_with_leading_space);
+    attr[0].Value.pbData = (BYTE *)juan_with_leading_space;
+    SetLastError(0xdeadbeef);
+    ret = CertIsRDNAttrsInCertificateName(X509_ASN_ENCODING, 0, &name, &rdn);
+    ok(!ret && GetLastError() == CRYPT_E_NO_MATCH,
+     "expected CRYPT_E_NO_MATCH, got %08x\n", GetLastError());
+    attr[0].Value.cbData = strlen(juan_with_intermediate_space);
+    attr[0].Value.pbData = (BYTE *)juan_with_intermediate_space;
+    SetLastError(0xdeadbeef);
+    ret = CertIsRDNAttrsInCertificateName(X509_ASN_ENCODING, 0, &name, &rdn);
+    ok(!ret && GetLastError() == CRYPT_E_NO_MATCH,
+     "expected CRYPT_E_NO_MATCH, got %08x\n", GetLastError());
+    attr[0].Value.cbData = strlen(juan_with_trailing_space);
+    attr[0].Value.pbData = (BYTE *)juan_with_trailing_space;
+    SetLastError(0xdeadbeef);
+    ret = CertIsRDNAttrsInCertificateName(X509_ASN_ENCODING, 0, &name, &rdn);
+    ok(!ret && GetLastError() == CRYPT_E_NO_MATCH,
+     "expected CRYPT_E_NO_MATCH, got %08x\n", GetLastError());
+    /* The lower case name isn't matched unless a case insensitive match is
+     * specified.
+     */
+    attr[0].Value.cbData = strlen(juan_lower_case);
+    attr[0].Value.pbData = (BYTE *)juan_lower_case;
+    SetLastError(0xdeadbeef);
+    ret = CertIsRDNAttrsInCertificateName(X509_ASN_ENCODING, 0, &name, &rdn);
+    ok(!ret && GetLastError() == CRYPT_E_NO_MATCH,
+     "expected CRYPT_E_NO_MATCH, got %08x\n", GetLastError());
+    ret = CertIsRDNAttrsInCertificateName(X509_ASN_ENCODING,
+     CERT_CASE_INSENSITIVE_IS_RDN_ATTRS_FLAG, &name, &rdn);
+    ok(ret ||
+     broken(!ret && GetLastError() == CRYPT_E_NO_MATCH), /* Older crypt32 */
+     "CertIsRDNAttrsInCertificateName failed: %08x\n", GetLastError());
+    /* The values don't match unless they have the same RDN type */
+    attr[0].dwValueType = CERT_RDN_UNICODE_STRING;
+    attr[0].Value.cbData = lstrlenW(juanW) * sizeof(WCHAR);
+    attr[0].Value.pbData = (BYTE *)juanW;
+    SetLastError(0xdeadbeef);
+    ret = CertIsRDNAttrsInCertificateName(X509_ASN_ENCODING, 0, &name, &rdn);
+    ok(!ret && GetLastError() == CRYPT_E_NO_MATCH,
+     "expected CRYPT_E_NO_MATCH, got %08x\n", GetLastError());
+    SetLastError(0xdeadbeef);
+    ret = CertIsRDNAttrsInCertificateName(X509_ASN_ENCODING,
+     CERT_UNICODE_IS_RDN_ATTRS_FLAG, &name, &rdn);
+    ok(!ret && GetLastError() == CRYPT_E_NO_MATCH,
+     "expected CRYPT_E_NO_MATCH, got %08x\n", GetLastError());
+    attr[0].dwValueType = CERT_RDN_IA5_STRING;
+    attr[0].Value.cbData = strlen(juan);
+    attr[0].Value.pbData = (BYTE *)juan;
+    SetLastError(0xdeadbeef);
+    ret = CertIsRDNAttrsInCertificateName(X509_ASN_ENCODING, 0, &name, &rdn);
+    ok(!ret && GetLastError() == CRYPT_E_NO_MATCH,
+     "expected CRYPT_E_NO_MATCH, got %08x\n", GetLastError());
+    /* All attributes must be present */
+    attr[0].dwValueType = CERT_RDN_PRINTABLE_STRING;
+    attr[0].Value.cbData = strlen(juan);
+    attr[0].Value.pbData = (BYTE *)juan;
+    attr[1].pszObjId = oid_organization;
+    attr[1].dwValueType = CERT_RDN_PRINTABLE_STRING;
+    attr[1].Value.cbData = strlen(the_wine_project);
+    attr[1].Value.pbData = (BYTE *)the_wine_project;
+    rdn.cRDNAttr = 2;
+    SetLastError(0xdeadbeef);
+    ret = CertIsRDNAttrsInCertificateName(X509_ASN_ENCODING, 0, &name, &rdn);
+    ok(!ret && GetLastError() == CRYPT_E_NO_MATCH,
+     "expected CRYPT_E_NO_MATCH, got %08x\n", GetLastError());
+    /* Order also matters */
+    name.pbData = cnThenO;
+    name.cbData = sizeof(cnThenO);
+    ret = CertIsRDNAttrsInCertificateName(X509_ASN_ENCODING, 0, &name, &rdn);
+    ok(ret, "CertIsRDNAttrsInCertificateName failed: %08x\n", GetLastError());
+    name.pbData = oThenCN;
+    name.cbData = sizeof(oThenCN);
+    SetLastError(0xdeadbeef);
+    ret = CertIsRDNAttrsInCertificateName(X509_ASN_ENCODING, 0, &name, &rdn);
+    ok(!ret && GetLastError() == CRYPT_E_NO_MATCH,
+     "expected CRYPT_E_NO_MATCH, got %08x\n", GetLastError());
 }
 
 static BYTE int1[] = { 0x88, 0xff, 0xff, 0xff };
@@ -2880,12 +3064,99 @@ static void testVerifySubjectCert(void)
     CertFreeCertificateContext(context1);
 }
 
+static const BYTE rootWithKeySignAndCRLSign[] = {
+0x30,0x82,0x01,0xdf,0x30,0x82,0x01,0x4c,0xa0,0x03,0x02,0x01,0x02,0x02,0x10,
+0x5b,0xc7,0x0b,0x27,0x99,0xbb,0x2e,0x99,0x47,0x9d,0x45,0x4e,0x7c,0x1a,0xca,
+0xe8,0x30,0x09,0x06,0x05,0x2b,0x0e,0x03,0x02,0x1d,0x05,0x00,0x30,0x10,0x31,
+0x0e,0x30,0x0c,0x06,0x03,0x55,0x04,0x03,0x13,0x05,0x43,0x65,0x72,0x74,0x31,
+0x30,0x1e,0x17,0x0d,0x30,0x37,0x30,0x31,0x30,0x31,0x30,0x30,0x30,0x30,0x30,
+0x30,0x5a,0x17,0x0d,0x30,0x37,0x31,0x32,0x33,0x31,0x32,0x33,0x35,0x39,0x35,
+0x39,0x5a,0x30,0x10,0x31,0x0e,0x30,0x0c,0x06,0x03,0x55,0x04,0x03,0x13,0x05,
+0x43,0x65,0x72,0x74,0x31,0x30,0x81,0x9f,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,
+0x86,0xf7,0x0d,0x01,0x01,0x01,0x05,0x00,0x03,0x81,0x8d,0x00,0x30,0x81,0x89,
+0x02,0x81,0x81,0x00,0xad,0x7e,0xca,0xf3,0xe5,0x99,0xc2,0x2a,0xca,0x50,0x82,
+0x7c,0x2d,0xa4,0x81,0xcd,0x0d,0x0d,0x86,0xd7,0xd8,0xb2,0xde,0xc5,0xc3,0x34,
+0x9e,0x07,0x78,0x08,0x11,0x12,0x2d,0x21,0x0a,0x09,0x07,0x14,0x03,0x7a,0xe7,
+0x3b,0x58,0xf1,0xde,0x3e,0x01,0x25,0x93,0xab,0x8f,0xce,0x1f,0xc1,0x33,0x91,
+0xfe,0x59,0xb9,0x3b,0x9e,0x95,0x12,0x89,0x8e,0xc3,0x4b,0x98,0x1b,0x99,0xc5,
+0x07,0xe2,0xdf,0x15,0x4c,0x39,0x76,0x06,0xad,0xdb,0x16,0x06,0x49,0xba,0xcd,
+0x0f,0x07,0xd6,0xea,0x27,0xa6,0xfe,0x3d,0x88,0xe5,0x97,0x45,0x72,0xb6,0x1c,
+0xc0,0x1c,0xb1,0xa2,0x89,0xe8,0x37,0x9e,0xf6,0x2a,0xcf,0xd5,0x1f,0x2f,0x35,
+0x5e,0x8f,0x3a,0x9c,0x61,0xb1,0xf1,0x6c,0xff,0x8c,0xb2,0x2f,0x02,0x03,0x01,
+0x00,0x01,0xa3,0x42,0x30,0x40,0x30,0x0e,0x06,0x03,0x55,0x1d,0x0f,0x01,0x01,
+0xff,0x04,0x04,0x03,0x02,0x00,0x06,0x30,0x0f,0x06,0x03,0x55,0x1d,0x13,0x01,
+0x01,0xff,0x04,0x05,0x30,0x03,0x01,0x01,0xff,0x30,0x1d,0x06,0x03,0x55,0x1d,
+0x0e,0x04,0x16,0x04,0x14,0x14,0x8c,0x16,0xbb,0xbe,0x70,0xa2,0x28,0x89,0xa0,
+0x58,0xff,0x98,0xbd,0xa8,0x24,0x2b,0x8a,0xe9,0x9a,0x30,0x09,0x06,0x05,0x2b,
+0x0e,0x03,0x02,0x1d,0x05,0x00,0x03,0x81,0x81,0x00,0x74,0xcb,0x21,0xfd,0x2d,
+0x25,0xdc,0xa5,0xaa,0xa1,0x26,0xdc,0x8b,0x40,0x11,0x64,0xae,0x5c,0x71,0x3c,
+0x28,0xbc,0xf9,0xb3,0xcb,0xa5,0x94,0xb2,0x8d,0x4c,0x23,0x2b,0x9b,0xde,0x2c,
+0x4c,0x30,0x04,0xc6,0x88,0x10,0x2f,0x53,0xfd,0x6c,0x82,0xf1,0x13,0xfb,0xda,
+0x27,0x75,0x25,0x48,0xe4,0x72,0x09,0x2a,0xee,0xb4,0x1e,0xc9,0x55,0xf5,0xf7,
+0x82,0x91,0xd8,0x4b,0xe4,0x3a,0xfe,0x97,0x87,0xdf,0xfb,0x15,0x5a,0x12,0x3e,
+0x12,0xe6,0xad,0x40,0x0b,0xcf,0xee,0x1a,0x44,0xe0,0x83,0xb2,0x67,0x94,0xd4,
+0x2e,0x7c,0xf2,0x06,0x9d,0xb3,0x3b,0x7e,0x2f,0xda,0x25,0x66,0x7e,0xa7,0x1f,
+0x45,0xd4,0xf5,0xe3,0xdf,0x2a,0xf1,0x18,0x28,0x20,0xb5,0xf8,0xf5,0x8d,0x7a,
+0x2e,0x84,0xee };
+static const BYTE eeCert[] = {
+0x30,0x82,0x01,0xb9,0x30,0x82,0x01,0x22,0xa0,0x03,0x02,0x01,0x02,0x02,0x01,
+0x01,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x05,0x05,
+0x00,0x30,0x10,0x31,0x0e,0x30,0x0c,0x06,0x03,0x55,0x04,0x03,0x13,0x05,0x43,
+0x65,0x72,0x74,0x31,0x30,0x1e,0x17,0x0d,0x30,0x37,0x30,0x35,0x30,0x31,0x30,
+0x30,0x30,0x30,0x30,0x30,0x5a,0x17,0x0d,0x30,0x37,0x31,0x30,0x30,0x31,0x30,
+0x30,0x30,0x30,0x30,0x30,0x5a,0x30,0x10,0x31,0x0e,0x30,0x0c,0x06,0x03,0x55,
+0x04,0x03,0x13,0x05,0x43,0x65,0x72,0x74,0x32,0x30,0x81,0x9f,0x30,0x0d,0x06,
+0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x01,0x05,0x00,0x03,0x81,0x8d,
+0x00,0x30,0x81,0x89,0x02,0x81,0x81,0x00,0xb8,0x52,0xda,0xc5,0x4b,0x3f,0xe5,
+0x33,0x0e,0x67,0x5f,0x48,0x21,0xdc,0x7e,0xef,0x37,0x33,0xba,0xff,0xb4,0xc6,
+0xdc,0xb6,0x17,0x8e,0x20,0x55,0x07,0x12,0xd2,0x7b,0x3c,0xce,0x30,0xc5,0xa7,
+0x48,0x9f,0x6e,0xfe,0xb8,0xbe,0xdb,0x9f,0x9b,0x17,0x60,0x16,0xde,0xc6,0x8b,
+0x47,0xd1,0x57,0x71,0x3c,0x93,0xfc,0xbd,0xec,0x44,0x32,0x3b,0xb9,0xcf,0x6b,
+0x05,0x72,0xa7,0x87,0x8e,0x7e,0xd4,0x9a,0x87,0x1c,0x2f,0xb7,0x82,0x40,0xfc,
+0x6a,0x80,0x83,0x68,0x28,0xce,0x84,0xf4,0x0b,0x2e,0x44,0xcb,0x53,0xac,0x85,
+0x85,0xb5,0x46,0x36,0x98,0x3c,0x10,0x02,0xaa,0x02,0xbc,0x8b,0xa2,0x23,0xb2,
+0xd3,0x51,0x9a,0x22,0x4a,0xe3,0xaa,0x4e,0x7c,0xda,0x38,0xcf,0x49,0x98,0x72,
+0xa3,0x02,0x03,0x01,0x00,0x01,0xa3,0x23,0x30,0x21,0x30,0x1f,0x06,0x03,0x55,
+0x1d,0x23,0x04,0x18,0x30,0x18,0x80,0x14,0x14,0x8c,0x16,0xbb,0xbe,0x70,0xa2,
+0x28,0x89,0xa0,0x58,0xff,0x98,0xbd,0xa8,0x24,0x2b,0x8a,0xe9,0x9a,0x30,0x0d,
+0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x05,0x05,0x00,0x03,0x81,
+0x81,0x00,0x8a,0x49,0xa9,0x86,0x5e,0xc9,0x33,0x7e,0xfd,0xab,0x64,0x1f,0x6d,
+0x00,0xd7,0x9b,0xec,0xd1,0x5b,0x38,0xcc,0xd6,0xf3,0xf2,0xb4,0x75,0x70,0x00,
+0x82,0x9d,0x37,0x58,0xe1,0xcd,0x2c,0x61,0xb3,0x28,0xe7,0x8a,0x00,0xbe,0x6e,
+0xca,0xe8,0x55,0xd5,0xad,0x3a,0xea,0xaf,0x13,0x20,0x1c,0x44,0xfc,0xb4,0xf9,
+0x29,0x2b,0xdc,0x8a,0x2d,0x1b,0x27,0x9e,0xb9,0x3b,0x4a,0x71,0x9d,0x47,0x7d,
+0xf7,0x92,0x6b,0x21,0x7f,0xfa,0x88,0x79,0x94,0x33,0xf6,0xdd,0x92,0x04,0x92,
+0xd6,0x5e,0x0a,0x74,0xf2,0x85,0xa6,0xd5,0x3c,0x28,0xc0,0x89,0x5d,0xda,0xf3,
+0xa6,0x01,0xc2,0xe9,0xa3,0xc1,0xb7,0x21,0x08,0xba,0x18,0x07,0x45,0xeb,0x77,
+0x7d,0xcd,0xc6,0xe7,0x2a,0x7b,0x46,0xd2,0x3d,0xb5 };
+static const BYTE rootSignedCRL[] = {
+0x30,0x82,0x01,0x1f,0x30,0x81,0x89,0x02,0x01,0x01,0x30,0x0d,0x06,0x09,0x2a,
+0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x05,0x05,0x00,0x30,0x10,0x31,0x0e,0x30,
+0x0c,0x06,0x03,0x55,0x04,0x03,0x13,0x05,0x43,0x65,0x72,0x74,0x31,0x17,0x0d,
+0x30,0x37,0x30,0x39,0x30,0x31,0x30,0x30,0x30,0x30,0x30,0x30,0x5a,0x17,0x0d,
+0x30,0x37,0x31,0x32,0x33,0x31,0x32,0x33,0x35,0x39,0x35,0x39,0x5a,0x30,0x14,
+0x30,0x12,0x02,0x01,0x01,0x17,0x0d,0x30,0x37,0x30,0x39,0x30,0x31,0x30,0x30,
+0x30,0x30,0x30,0x30,0x5a,0xa0,0x2f,0x30,0x2d,0x30,0x0a,0x06,0x03,0x55,0x1d,
+0x14,0x04,0x03,0x02,0x01,0x01,0x30,0x1f,0x06,0x03,0x55,0x1d,0x23,0x04,0x18,
+0x30,0x18,0x80,0x14,0x14,0x8c,0x16,0xbb,0xbe,0x70,0xa2,0x28,0x89,0xa0,0x58,
+0xff,0x98,0xbd,0xa8,0x24,0x2b,0x8a,0xe9,0x9a,0x30,0x0d,0x06,0x09,0x2a,0x86,
+0x48,0x86,0xf7,0x0d,0x01,0x01,0x05,0x05,0x00,0x03,0x81,0x81,0x00,0xa3,0xcf,
+0x17,0x5d,0x7a,0x08,0xab,0x11,0x1a,0xbd,0x5c,0xde,0x9a,0x22,0x92,0x38,0xe6,
+0x96,0xcc,0xb1,0xc5,0x42,0x86,0xa6,0xae,0xad,0xa3,0x1a,0x2b,0xa0,0xb0,0x65,
+0xaa,0x9c,0xd7,0x2d,0x44,0x8c,0xae,0x61,0xc7,0x30,0x17,0x89,0x84,0x3b,0x4a,
+0x8f,0x17,0x08,0x06,0x37,0x1c,0xf7,0x2d,0x4e,0x47,0x07,0x61,0x50,0xd9,0x06,
+0xd1,0x46,0xed,0x0a,0xbb,0xc3,0x9b,0x36,0x0b,0xa7,0x27,0x2f,0x2b,0x55,0xce,
+0x2a,0xa5,0x60,0xc6,0x53,0x28,0xe8,0xee,0xad,0x0e,0x2b,0xe8,0xd7,0x5f,0xc9,
+0xa5,0xed,0xf9,0x77,0xb0,0x3c,0x81,0xcf,0xcc,0x49,0xb2,0x1a,0xc3,0xfd,0x34,
+0xd5,0xbc,0xb0,0xd5,0xa5,0x9c,0x1b,0x72,0xc3,0x0f,0xa3,0xe3,0x3c,0xf0,0xc3,
+0x91,0xe8,0x93,0x4f,0xd4,0x2f };
+
 static void testVerifyRevocation(void)
 {
     BOOL ret;
     CERT_REVOCATION_STATUS status = { 0 };
-    PCCERT_CONTEXT cert = CertCreateCertificateContext(X509_ASN_ENCODING,
-     bigCert, sizeof(bigCert));
+    PCCERT_CONTEXT certs[2];
+    CERT_REVOCATION_PARA revPara = { sizeof(revPara), 0 };
 
     /* Crash
     ret = CertVerifyRevocation(0, 0, 0, NULL, 0, NULL, NULL);
@@ -2901,16 +3172,103 @@ static void testVerifyRevocation(void)
     ok(ret, "CertVerifyRevocation failed: %08x\n", GetLastError());
     ret = CertVerifyRevocation(2, 0, 0, NULL, 0, NULL, &status);
     ok(ret, "CertVerifyRevocation failed: %08x\n", GetLastError());
+    certs[0] = CertCreateCertificateContext(X509_ASN_ENCODING, bigCert,
+     sizeof(bigCert));
     SetLastError(0xdeadbeef);
-    ret = CertVerifyRevocation(0, 0, 1, (void **)&cert, 0, NULL, &status);
+    ret = CertVerifyRevocation(0, 0, 1, (void **)certs, 0, NULL, &status);
     ok(!ret && GetLastError() == CRYPT_E_NO_REVOCATION_DLL,
      "Expected CRYPT_E_NO_REVOCATION_DLL, got %08x\n", GetLastError());
     SetLastError(0xdeadbeef);
-    ret = CertVerifyRevocation(0, 2, 1, (void **)&cert, 0, NULL, &status);
+    ret = CertVerifyRevocation(0, 2, 1, (void **)certs, 0, NULL, &status);
     ok(!ret && GetLastError() == CRYPT_E_NO_REVOCATION_DLL,
      "Expected CRYPT_E_NO_REVOCATION_DLL, got %08x\n", GetLastError());
 
-    CertFreeCertificateContext(cert);
+    CertFreeCertificateContext(certs[0]);
+
+    certs[0] = CertCreateCertificateContext(X509_ASN_ENCODING,
+     rootWithKeySignAndCRLSign, sizeof(rootWithKeySignAndCRLSign));
+    certs[1] = CertCreateCertificateContext(X509_ASN_ENCODING,
+     eeCert, sizeof(eeCert));
+    /* The root cert itself can't be checked for revocation */
+    SetLastError(0xdeadbeef);
+    ret = CertVerifyRevocation(X509_ASN_ENCODING, CERT_CONTEXT_REVOCATION_TYPE,
+     1, (void **)certs, 0, NULL, &status);
+    ok(!ret && GetLastError() == CRYPT_E_NO_REVOCATION_CHECK,
+     "expected CRYPT_E_NO_REVOCATION_CHECK, got %08x\n", GetLastError());
+    ok(status.dwError == CRYPT_E_NO_REVOCATION_CHECK,
+     "expected CRYPT_E_NO_REVOCATION_CHECK, got %08x\n", status.dwError);
+    ok(status.dwIndex == 0, "expected index 0, got %d\n", status.dwIndex);
+    /* Neither can the end cert */
+    SetLastError(0xdeadbeef);
+    ret = CertVerifyRevocation(X509_ASN_ENCODING, CERT_CONTEXT_REVOCATION_TYPE,
+     1, (void **)&certs[1], 0, NULL, &status);
+    ok(!ret && (GetLastError() == CRYPT_E_NO_REVOCATION_CHECK /* Win9x */ ||
+     GetLastError() == CRYPT_E_REVOCATION_OFFLINE),
+     "expected CRYPT_E_NO_REVOCATION_CHECK or CRYPT_E_REVOCATION_OFFLINE, got %08x\n",
+     GetLastError());
+    ok(status.dwError == CRYPT_E_NO_REVOCATION_CHECK /* Win9x */ ||
+     status.dwError == CRYPT_E_REVOCATION_OFFLINE,
+     "expected CRYPT_E_NO_REVOCATION_CHECK or CRYPT_E_REVOCATION_OFFLINE, got %08x\n",
+     status.dwError);
+    ok(status.dwIndex == 0, "expected index 0, got %d\n", status.dwIndex);
+    /* Both certs together can't, either (they're not CRLs) */
+    SetLastError(0xdeadbeef);
+    ret = CertVerifyRevocation(X509_ASN_ENCODING, CERT_CONTEXT_REVOCATION_TYPE,
+     2, (void **)certs, 0, NULL, &status);
+    ok(!ret && (GetLastError() == CRYPT_E_NO_REVOCATION_CHECK ||
+     GetLastError() == CRYPT_E_REVOCATION_OFFLINE /* WinME */),
+     "expected CRYPT_E_NO_REVOCATION_CHECK or CRYPT_E_REVOCATION_OFFLINE, got %08x\n",
+     GetLastError());
+    ok(status.dwError == CRYPT_E_NO_REVOCATION_CHECK ||
+     status.dwError == CRYPT_E_REVOCATION_OFFLINE /* WinME */,
+     "expected CRYPT_E_NO_REVOCATION_CHECK or CRYPT_E_REVOCATION_OFFLINE, got %08x\n",
+     status.dwError);
+    ok(status.dwIndex == 0, "expected index 0, got %d\n", status.dwIndex);
+    ok(status.dwIndex == 0, "expected index 0, got %d\n", status.dwIndex);
+    /* Now add a CRL to the hCrlStore */
+    revPara.hCrlStore = CertOpenStore(CERT_STORE_PROV_MEMORY, 0, 0,
+     CERT_STORE_CREATE_NEW_FLAG, NULL);
+    CertAddEncodedCRLToStore(revPara.hCrlStore, X509_ASN_ENCODING,
+     rootSignedCRL, sizeof(rootSignedCRL), CERT_STORE_ADD_ALWAYS, NULL);
+    SetLastError(0xdeadbeef);
+    ret = CertVerifyRevocation(X509_ASN_ENCODING, CERT_CONTEXT_REVOCATION_TYPE,
+     2, (void **)certs, 0, &revPara, &status);
+    ok(!ret && (GetLastError() == CRYPT_E_NO_REVOCATION_CHECK ||
+     GetLastError() == CRYPT_E_REVOCATION_OFFLINE /* WinME */),
+     "expected CRYPT_E_NO_REVOCATION_CHECK or CRYPT_E_REVOCATION_OFFLINE, got %08x\n",
+     GetLastError());
+    ok(status.dwError == CRYPT_E_NO_REVOCATION_CHECK ||
+     status.dwError == CRYPT_E_REVOCATION_OFFLINE /* WinME */,
+     "expected CRYPT_E_NO_REVOCATION_CHECK or CRYPT_E_REVOCATION_OFFLINE, got %08x\n",
+     status.dwError);
+    ok(status.dwIndex == 0, "expected index 0, got %d\n", status.dwIndex);
+    /* Specifying CERT_VERIFY_REV_CHAIN_FLAG doesn't change things either */
+    SetLastError(0xdeadbeef);
+    ret = CertVerifyRevocation(X509_ASN_ENCODING, CERT_CONTEXT_REVOCATION_TYPE,
+     2, (void **)certs, CERT_VERIFY_REV_CHAIN_FLAG, &revPara, &status);
+    ok(!ret && GetLastError() == CRYPT_E_NO_REVOCATION_CHECK,
+     "expected CRYPT_E_NO_REVOCATION_CHECK, got %08x\n", GetLastError());
+    ok(status.dwError == CRYPT_E_NO_REVOCATION_CHECK,
+     "expected CRYPT_E_NO_REVOCATION_CHECK, got %08x\n", status.dwError);
+    ok(status.dwIndex == 0, "expected index 0, got %d\n", status.dwIndex);
+    /* Again, specifying the issuer cert: no change */
+    revPara.pIssuerCert = certs[0];
+    SetLastError(0xdeadbeef);
+    ret = CertVerifyRevocation(X509_ASN_ENCODING, CERT_CONTEXT_REVOCATION_TYPE,
+     1, (void **)&certs[1], 0, &revPara, &status);
+    /* Win2k thinks the cert is revoked, and it is, except the CRL is out of
+     * date, hence the revocation status should be unknown.
+     */
+    ok(!ret && (GetLastError() == CRYPT_E_NO_REVOCATION_CHECK ||
+     broken(GetLastError() == CRYPT_E_REVOKED /* Win2k */)),
+     "expected CRYPT_E_NO_REVOCATION_CHECK, got %08x\n", GetLastError());
+    ok(status.dwError == CRYPT_E_NO_REVOCATION_CHECK ||
+     broken(status.dwError == CRYPT_E_REVOKED /* Win2k */),
+     "expected CRYPT_E_NO_REVOCATION_CHECK, got %08x\n", status.dwError);
+    ok(status.dwIndex == 0, "expected index 0, got %d\n", status.dwIndex);
+    CertCloseStore(revPara.hCrlStore, 0);
+    CertFreeCertificateContext(certs[1]);
+    CertFreeCertificateContext(certs[0]);
 }
 
 static BYTE privKey[] = {
@@ -3283,4 +3641,5 @@ START_TEST(cert)
     testVerifyRevocation();
     testAcquireCertPrivateKey();
     testGetPublicKeyLength();
+    testIsRDNAttrsInCertificateName();
 }
index be3a0bd..4192e11 100644 (file)
@@ -2927,7 +2927,8 @@ static CONST_DATA_BLOB chain19[] = {
 static const CERT_TRUST_STATUS elementStatus19[] = {
  { CERT_TRUST_NO_ERROR, CERT_TRUST_HAS_NAME_MATCH_ISSUER },
  { CERT_TRUST_IS_UNTRUSTED_ROOT,
-   CERT_TRUST_IS_SELF_SIGNED | CERT_TRUST_HAS_NAME_MATCH_ISSUER },
+   CERT_TRUST_IS_SELF_SIGNED | CERT_TRUST_HAS_NAME_MATCH_ISSUER |
+   CERT_TRUST_HAS_VALID_NAME_CONSTRAINTS },
 };
 static const SimpleChainStatusCheck simpleStatus19[] = {
  { sizeof(elementStatus19) / sizeof(elementStatus19[0]), elementStatus19 },
@@ -2951,7 +2952,8 @@ static CONST_DATA_BLOB chain21[] = {
 static const CERT_TRUST_STATUS elementStatus21[] = {
  { CERT_TRUST_NO_ERROR, CERT_TRUST_HAS_NAME_MATCH_ISSUER },
  { CERT_TRUST_IS_UNTRUSTED_ROOT,
-   CERT_TRUST_IS_SELF_SIGNED | CERT_TRUST_HAS_NAME_MATCH_ISSUER },
+   CERT_TRUST_IS_SELF_SIGNED | CERT_TRUST_HAS_NAME_MATCH_ISSUER |
+   CERT_TRUST_HAS_VALID_NAME_CONSTRAINTS },
 };
 static const SimpleChainStatusCheck simpleStatus21[] = {
  { sizeof(elementStatus21) / sizeof(elementStatus21[0]), elementStatus21 },
@@ -3257,7 +3259,7 @@ static ChainCheck chainCheck[] = {
        CERT_TRUST_HAS_NOT_DEFINED_NAME_CONSTRAINT,
        CERT_TRUST_HAS_PREFERRED_ISSUER | CERT_TRUST_HAS_VALID_NAME_CONSTRAINTS
      },
-     { CERT_TRUST_IS_UNTRUSTED_ROOT, 0 },
+     { CERT_TRUST_IS_UNTRUSTED_ROOT, CERT_TRUST_HAS_VALID_NAME_CONSTRAINTS },
      1, simpleStatus19 },
    0 },
  /* Older versions of crypt32 do not set
@@ -3278,7 +3280,7 @@ static ChainCheck chainCheck[] = {
        CERT_TRUST_HAS_NOT_DEFINED_NAME_CONSTRAINT,
        CERT_TRUST_HAS_PREFERRED_ISSUER | CERT_TRUST_HAS_VALID_NAME_CONSTRAINTS
      },
-     { CERT_TRUST_IS_UNTRUSTED_ROOT, 0 },
+     { CERT_TRUST_IS_UNTRUSTED_ROOT, CERT_TRUST_HAS_VALID_NAME_CONSTRAINTS },
      1, simpleStatus21 },
    0 },
  { { sizeof(chain22) / sizeof(chain22[0]), chain22 },
@@ -3405,8 +3407,9 @@ static ChainCheck chainCheckEmbeddedNullBroken = {
  { sizeof(chain27) / sizeof(chain27[0]), chain27 },
  { { CERT_TRUST_IS_NOT_TIME_NESTED | CERT_TRUST_IS_NOT_VALID_FOR_USAGE |
      CERT_TRUST_HAS_NOT_DEFINED_NAME_CONSTRAINT,
-     CERT_TRUST_HAS_PREFERRED_ISSUER },
-   { CERT_TRUST_IS_UNTRUSTED_ROOT, CERT_TRUST_HAS_VALID_NAME_CONSTRAINTS },
+     CERT_TRUST_HAS_VALID_NAME_CONSTRAINTS | CERT_TRUST_HAS_PREFERRED_ISSUER },
+   { CERT_TRUST_IS_UNTRUSTED_ROOT | CERT_TRUST_HAS_NOT_DEFINED_NAME_CONSTRAINT,
+     CERT_TRUST_HAS_VALID_NAME_CONSTRAINTS },
    1, simpleStatus27Broken },
  0 };
 
@@ -3421,7 +3424,12 @@ static void testGetCertChain(void)
     PCCERT_CONTEXT cert;
     CERT_CHAIN_PARA para = { 0 };
     PCCERT_CHAIN_CONTEXT chain;
+    FILETIME fileTime;
     DWORD i;
+    HCERTSTORE store;
+    static char one_two_three[] = "1.2.3";
+    static char oid_server_auth[] = szOID_PKIX_KP_SERVER_AUTH;
+    LPSTR oids[2];
 
     /* Basic parameter checks */
     if (0)
@@ -3481,6 +3489,68 @@ static void testGetCertChain(void)
 
     CertFreeCertificateContext(cert);
 
+    /* Test usage match with Google's cert */
+    store = CertOpenStore(CERT_STORE_PROV_MEMORY, 0, 0,
+     CERT_STORE_CREATE_NEW_FLAG, NULL);
+    CertAddEncodedCertificateToStore(store, X509_ASN_ENCODING,
+     verisignCA, sizeof(verisignCA), CERT_STORE_ADD_ALWAYS, NULL);
+    CertAddEncodedCertificateToStore(store, X509_ASN_ENCODING,
+     thawte_sgc_ca, sizeof(thawte_sgc_ca), CERT_STORE_ADD_ALWAYS, NULL);
+    cert = CertCreateCertificateContext(X509_ASN_ENCODING,
+     google, sizeof(google));
+    SystemTimeToFileTime(&oct2009, &fileTime);
+    memset(&para, 0, sizeof(para));
+    para.cbSize = sizeof(para);
+    oids[0] = one_two_three;
+    para.RequestedUsage.dwType = USAGE_MATCH_TYPE_AND;
+    para.RequestedUsage.Usage.rgpszUsageIdentifier = oids;
+    para.RequestedUsage.Usage.cUsageIdentifier = 1;
+    ret = pCertGetCertificateChain(NULL, cert, &fileTime, store, &para,
+     0, NULL, &chain);
+    ok(ret, "CertGetCertificateChain failed: %08x\n", GetLastError());
+    if (ret)
+    {
+        ok(chain->TrustStatus.dwErrorStatus & CERT_TRUST_IS_NOT_VALID_FOR_USAGE,
+         "expected CERT_TRUST_IS_NOT_VALID_FOR_USAGE\n");
+        CertFreeCertificateChain(chain);
+    }
+    oids[0] = oid_server_auth;
+    ret = pCertGetCertificateChain(NULL, cert, &fileTime, store, &para,
+     0, NULL, &chain);
+    ok(ret, "CertGetCertificateChain failed: %08x\n", GetLastError());
+    if (ret)
+    {
+        ok(!(chain->TrustStatus.dwErrorStatus &
+         CERT_TRUST_IS_NOT_VALID_FOR_USAGE),
+         "didn't expect CERT_TRUST_IS_NOT_VALID_FOR_USAGE\n");
+        CertFreeCertificateChain(chain);
+    }
+    oids[1] = one_two_three;
+    para.RequestedUsage.Usage.cUsageIdentifier = 2;
+    para.RequestedUsage.dwType = USAGE_MATCH_TYPE_AND;
+    ret = pCertGetCertificateChain(NULL, cert, &fileTime, store, &para,
+     0, NULL, &chain);
+    ok(ret, "CertGetCertificateChain failed: %08x\n", GetLastError());
+    if (ret)
+    {
+        ok(chain->TrustStatus.dwErrorStatus & CERT_TRUST_IS_NOT_VALID_FOR_USAGE,
+         "expected CERT_TRUST_IS_NOT_VALID_FOR_USAGE\n");
+        CertFreeCertificateChain(chain);
+    }
+    para.RequestedUsage.dwType = USAGE_MATCH_TYPE_OR;
+    ret = pCertGetCertificateChain(NULL, cert, &fileTime, store, &para,
+     0, NULL, &chain);
+    ok(ret, "CertGetCertificateChain failed: %08x\n", GetLastError());
+    if (ret)
+    {
+        ok(!(chain->TrustStatus.dwErrorStatus &
+         CERT_TRUST_IS_NOT_VALID_FOR_USAGE),
+         "didn't expect CERT_TRUST_IS_NOT_VALID_FOR_USAGE\n");
+        CertFreeCertificateChain(chain);
+    }
+    CertCloseStore(store, 0);
+    CertFreeCertificateContext(cert);
+
     for (i = 0; i < sizeof(chainCheck) / sizeof(chainCheck[0]); i++)
     {
         chain = getChain(&chainCheck[i].certs, 0, TRUE, &oct2007,
@@ -3510,8 +3580,10 @@ static void testGetCertChain(void)
     {
         ok(chain->TrustStatus.dwErrorStatus ==
          chainCheckEmbeddedNull.status.status.dwErrorStatus ||
-         broken(chain->TrustStatus.dwErrorStatus ==
-         chainCheckEmbeddedNullBroken.status.status.dwErrorStatus),
+         broken((chain->TrustStatus.dwErrorStatus &
+         ~chainCheckEmbeddedNullBroken.status.statusToIgnore.dwErrorStatus) ==
+         (chainCheckEmbeddedNullBroken.status.status.dwErrorStatus &
+         ~chainCheckEmbeddedNullBroken.status.statusToIgnore.dwErrorStatus)),
          "unexpected chain error status %08x\n",
          chain->TrustStatus.dwErrorStatus);
         if (chainCheckEmbeddedNull.status.status.dwErrorStatus ==
index 1b8cb18..bb62219 100644 (file)
@@ -223,12 +223,188 @@ static void testAddCRL(void)
     CertCloseStore(store, 0);
 }
 
+static const BYTE v1CRLWithIssuerAndEntry[] = { 0x30, 0x44, 0x30, 0x02, 0x06,
+ 0x00, 0x30, 0x15, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13,
+ 0x0a, 0x4a, 0x75, 0x61, 0x6e, 0x20, 0x4c, 0x61, 0x6e, 0x67, 0x00, 0x18, 0x0f,
+ 0x31, 0x36, 0x30, 0x31, 0x30, 0x31, 0x30, 0x31, 0x30, 0x30, 0x30, 0x30, 0x30,
+ 0x30, 0x5a, 0x30, 0x16, 0x30, 0x14, 0x02, 0x01, 0x01, 0x18, 0x0f, 0x31, 0x36,
+ 0x30, 0x31, 0x30, 0x31, 0x30, 0x31, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5a };
+static const BYTE v2CRLWithIssuingDistPoint[] = {
+0x30,0x70,0x02,0x01,0x01,0x30,0x02,0x06,0x00,0x30,0x15,0x31,0x13,0x30,0x11,
+0x06,0x03,0x55,0x04,0x03,0x13,0x0a,0x4a,0x75,0x61,0x6e,0x20,0x4c,0x61,0x6e,
+0x67,0x00,0x18,0x0f,0x31,0x36,0x30,0x31,0x30,0x31,0x30,0x31,0x30,0x30,0x30,
+0x30,0x30,0x30,0x5a,0x30,0x16,0x30,0x14,0x02,0x01,0x01,0x18,0x0f,0x31,0x36,
+0x30,0x31,0x30,0x31,0x30,0x31,0x30,0x30,0x30,0x30,0x30,0x30,0x5a,0xa0,0x27,
+0x30,0x25,0x30,0x23,0x06,0x03,0x55,0x1d,0x1c,0x01,0x01,0xff,0x04,0x19,0x30,
+0x17,0xa0,0x15,0xa0,0x13,0x86,0x11,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x77,
+0x69,0x6e,0x65,0x68,0x71,0x2e,0x6f,0x72,0x67 };
+static const BYTE verisignCRL[] = { 0x30, 0x82, 0x01, 0xb1, 0x30, 0x82, 0x01,
+ 0x1a, 0x02, 0x01, 0x01, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7,
+ 0x0d, 0x01, 0x01, 0x02, 0x05, 0x00, 0x30, 0x61, 0x31, 0x11, 0x30, 0x0f, 0x06,
+ 0x03, 0x55, 0x04, 0x07, 0x13, 0x08, 0x49, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x65,
+ 0x74, 0x31, 0x17, 0x30, 0x15, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x0e, 0x56,
+ 0x65, 0x72, 0x69, 0x53, 0x69, 0x67, 0x6e, 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e,
+ 0x31, 0x33, 0x30, 0x31, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x2a, 0x56, 0x65,
+ 0x72, 0x69, 0x53, 0x69, 0x67, 0x6e, 0x20, 0x43, 0x6f, 0x6d, 0x6d, 0x65, 0x72,
+ 0x63, 0x69, 0x61, 0x6c, 0x20, 0x53, 0x6f, 0x66, 0x74, 0x77, 0x61, 0x72, 0x65,
+ 0x20, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x73, 0x68, 0x65, 0x72, 0x73, 0x20, 0x43,
+ 0x41, 0x17, 0x0d, 0x30, 0x31, 0x30, 0x33, 0x32, 0x34, 0x30, 0x30, 0x30, 0x30,
+ 0x30, 0x30, 0x5a, 0x17, 0x0d, 0x30, 0x34, 0x30, 0x31, 0x30, 0x37, 0x32, 0x33,
+ 0x35, 0x39, 0x35, 0x39, 0x5a, 0x30, 0x69, 0x30, 0x21, 0x02, 0x10, 0x1b, 0x51,
+ 0x90, 0xf7, 0x37, 0x24, 0x39, 0x9c, 0x92, 0x54, 0xcd, 0x42, 0x46, 0x37, 0x99,
+ 0x6a, 0x17, 0x0d, 0x30, 0x31, 0x30, 0x31, 0x33, 0x30, 0x30, 0x30, 0x30, 0x31,
+ 0x32, 0x34, 0x5a, 0x30, 0x21, 0x02, 0x10, 0x75, 0x0e, 0x40, 0xff, 0x97, 0xf0,
+ 0x47, 0xed, 0xf5, 0x56, 0xc7, 0x08, 0x4e, 0xb1, 0xab, 0xfd, 0x17, 0x0d, 0x30,
+ 0x31, 0x30, 0x31, 0x33, 0x31, 0x30, 0x30, 0x30, 0x30, 0x34, 0x39, 0x5a, 0x30,
+ 0x21, 0x02, 0x10, 0x77, 0xe6, 0x5a, 0x43, 0x59, 0x93, 0x5d, 0x5f, 0x7a, 0x75,
+ 0x80, 0x1a, 0xcd, 0xad, 0xc2, 0x22, 0x17, 0x0d, 0x30, 0x30, 0x30, 0x38, 0x33,
+ 0x31, 0x30, 0x30, 0x30, 0x30, 0x35, 0x36, 0x5a, 0xa0, 0x1a, 0x30, 0x18, 0x30,
+ 0x09, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x02, 0x30, 0x00, 0x30, 0x0b, 0x06,
+ 0x03, 0x55, 0x1d, 0x0f, 0x04, 0x04, 0x03, 0x02, 0x05, 0xa0, 0x30, 0x0d, 0x06,
+ 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x02, 0x05, 0x00, 0x03,
+ 0x81, 0x81, 0x00, 0x18, 0x2c, 0xe8, 0xfc, 0x16, 0x6d, 0x91, 0x4a, 0x3d, 0x88,
+ 0x54, 0x48, 0x5d, 0xb8, 0x11, 0xbf, 0x64, 0xbb, 0xf9, 0xda, 0x59, 0x19, 0xdd,
+ 0x0e, 0x65, 0xab, 0xc0, 0x0c, 0xfa, 0x67, 0x7e, 0x21, 0x1e, 0x83, 0x0e, 0xcf,
+ 0x9b, 0x89, 0x8a, 0xcf, 0x0c, 0x4b, 0xc1, 0x39, 0x9d, 0xe7, 0x6a, 0xac, 0x46,
+ 0x74, 0x6a, 0x91, 0x62, 0x22, 0x0d, 0xc4, 0x08, 0xbd, 0xf5, 0x0a, 0x90, 0x7f,
+ 0x06, 0x21, 0x3d, 0x7e, 0xa7, 0xaa, 0x5e, 0xcd, 0x22, 0x15, 0xe6, 0x0c, 0x75,
+ 0x8e, 0x6e, 0xad, 0xf1, 0x84, 0xe4, 0x22, 0xb4, 0x30, 0x6f, 0xfb, 0x64, 0x8f,
+ 0xd7, 0x80, 0x43, 0xf5, 0x19, 0x18, 0x66, 0x1d, 0x72, 0xa3, 0xe3, 0x94, 0x82,
+ 0x28, 0x52, 0xa0, 0x06, 0x4e, 0xb1, 0xc8, 0x92, 0x0c, 0x97, 0xbe, 0x15, 0x07,
+ 0xab, 0x7a, 0xc9, 0xea, 0x08, 0x67, 0x43, 0x4d, 0x51, 0x63, 0x3b, 0x9c, 0x9c,
+ 0xcd };
+static const BYTE verisignCommercialSoftPubCA[] = {
+0x30,0x82,0x02,0x40,0x30,0x82,0x01,0xa9,0x02,0x10,0x03,0xc7,0x8f,0x37,0xdb,0x92,
+0x28,0xdf,0x3c,0xbb,0x1a,0xad,0x82,0xfa,0x67,0x10,0x30,0x0d,0x06,0x09,0x2a,0x86,
+0x48,0x86,0xf7,0x0d,0x01,0x01,0x02,0x05,0x00,0x30,0x61,0x31,0x11,0x30,0x0f,0x06,
+0x03,0x55,0x04,0x07,0x13,0x08,0x49,0x6e,0x74,0x65,0x72,0x6e,0x65,0x74,0x31,0x17,
+0x30,0x15,0x06,0x03,0x55,0x04,0x0a,0x13,0x0e,0x56,0x65,0x72,0x69,0x53,0x69,0x67,
+0x6e,0x2c,0x20,0x49,0x6e,0x63,0x2e,0x31,0x33,0x30,0x31,0x06,0x03,0x55,0x04,0x0b,
+0x13,0x2a,0x56,0x65,0x72,0x69,0x53,0x69,0x67,0x6e,0x20,0x43,0x6f,0x6d,0x6d,0x65,
+0x72,0x63,0x69,0x61,0x6c,0x20,0x53,0x6f,0x66,0x74,0x77,0x61,0x72,0x65,0x20,0x50,
+0x75,0x62,0x6c,0x69,0x73,0x68,0x65,0x72,0x73,0x20,0x43,0x41,0x30,0x1e,0x17,0x0d,
+0x39,0x36,0x30,0x34,0x30,0x39,0x30,0x30,0x30,0x30,0x30,0x30,0x5a,0x17,0x0d,0x30,
+0x34,0x30,0x31,0x30,0x37,0x32,0x33,0x35,0x39,0x35,0x39,0x5a,0x30,0x61,0x31,0x11,
+0x30,0x0f,0x06,0x03,0x55,0x04,0x07,0x13,0x08,0x49,0x6e,0x74,0x65,0x72,0x6e,0x65,
+0x74,0x31,0x17,0x30,0x15,0x06,0x03,0x55,0x04,0x0a,0x13,0x0e,0x56,0x65,0x72,0x69,
+0x53,0x69,0x67,0x6e,0x2c,0x20,0x49,0x6e,0x63,0x2e,0x31,0x33,0x30,0x31,0x06,0x03,
+0x55,0x04,0x0b,0x13,0x2a,0x56,0x65,0x72,0x69,0x53,0x69,0x67,0x6e,0x20,0x43,0x6f,
+0x6d,0x6d,0x65,0x72,0x63,0x69,0x61,0x6c,0x20,0x53,0x6f,0x66,0x74,0x77,0x61,0x72,
+0x65,0x20,0x50,0x75,0x62,0x6c,0x69,0x73,0x68,0x65,0x72,0x73,0x20,0x43,0x41,0x30,
+0x81,0x9f,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x01,0x05,
+0x00,0x03,0x81,0x8d,0x00,0x30,0x81,0x89,0x02,0x81,0x81,0x00,0xc3,0xd3,0x69,0x65,
+0x52,0x01,0x94,0x54,0xab,0x28,0xc6,0x62,0x18,0xb3,0x54,0x55,0xc5,0x44,0x87,0x45,
+0x4a,0x3b,0xc2,0x7e,0xd8,0xd3,0xd7,0xc8,0x80,0x86,0x8d,0xd8,0x0c,0xf1,0x16,0x9c,
+0xcc,0x6b,0xa9,0x29,0xb2,0x8f,0x76,0x73,0x92,0xc8,0xc5,0x62,0xa6,0x3c,0xed,0x1e,
+0x05,0x75,0xf0,0x13,0x00,0x6c,0x14,0x4d,0xd4,0x98,0x90,0x07,0xbe,0x69,0x73,0x81,
+0xb8,0x62,0x4e,0x31,0x1e,0xd1,0xfc,0xc9,0x0c,0xeb,0x7d,0x90,0xbf,0xae,0xb4,0x47,
+0x51,0xec,0x6f,0xce,0x64,0x35,0x02,0xd6,0x7d,0x67,0x05,0x77,0xe2,0x8f,0xd9,0x51,
+0xd7,0xfb,0x97,0x19,0xbc,0x3e,0xd7,0x77,0x81,0xc6,0x43,0xdd,0xf2,0xdd,0xdf,0xca,
+0xa3,0x83,0x8b,0xcb,0x41,0xc1,0x3d,0x22,0x48,0x48,0xa6,0x19,0x02,0x03,0x01,0x00,
+0x01,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x02,0x05,0x00,
+0x03,0x81,0x81,0x00,0xb5,0xbc,0xb0,0x75,0x6a,0x89,0xa2,0x86,0xbd,0x64,0x78,0xc3,
+0xa7,0x32,0x75,0x72,0x11,0xaa,0x26,0x02,0x17,0x60,0x30,0x4c,0xe3,0x48,0x34,0x19,
+0xb9,0x52,0x4a,0x51,0x18,0x80,0xfe,0x53,0x2d,0x7b,0xd5,0x31,0x8c,0xc5,0x65,0x99,
+0x41,0x41,0x2f,0xf2,0xae,0x63,0x7a,0xe8,0x73,0x99,0x15,0x90,0x1a,0x1f,0x7a,0x8b,
+0x41,0xd0,0x8e,0x3a,0xd0,0xcd,0x38,0x34,0x44,0xd0,0x75,0xf8,0xea,0x71,0xc4,0x81,
+0x19,0x38,0x17,0x35,0x4a,0xae,0xc5,0x3e,0x32,0xe6,0x21,0xb8,0x05,0xc0,0x93,0xe1,
+0xc7,0x38,0x5c,0xd8,0xf7,0x93,0x38,0x64,0x90,0xed,0x54,0xce,0xca,0xd3,0xd3,0xd0,
+0x5f,0xef,0x04,0x9b,0xde,0x02,0x82,0xdd,0x88,0x29,0xb1,0xc3,0x4f,0xa5,0xcd,0x71,
+0x64,0x31,0x3c,0x3c
+};
+static const BYTE rootWithKeySignAndCRLSign[] = {
+0x30,0x82,0x01,0xdf,0x30,0x82,0x01,0x4c,0xa0,0x03,0x02,0x01,0x02,0x02,0x10,
+0x5b,0xc7,0x0b,0x27,0x99,0xbb,0x2e,0x99,0x47,0x9d,0x45,0x4e,0x7c,0x1a,0xca,
+0xe8,0x30,0x09,0x06,0x05,0x2b,0x0e,0x03,0x02,0x1d,0x05,0x00,0x30,0x10,0x31,
+0x0e,0x30,0x0c,0x06,0x03,0x55,0x04,0x03,0x13,0x05,0x43,0x65,0x72,0x74,0x31,
+0x30,0x1e,0x17,0x0d,0x30,0x37,0x30,0x31,0x30,0x31,0x30,0x30,0x30,0x30,0x30,
+0x30,0x5a,0x17,0x0d,0x30,0x37,0x31,0x32,0x33,0x31,0x32,0x33,0x35,0x39,0x35,
+0x39,0x5a,0x30,0x10,0x31,0x0e,0x30,0x0c,0x06,0x03,0x55,0x04,0x03,0x13,0x05,
+0x43,0x65,0x72,0x74,0x31,0x30,0x81,0x9f,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,
+0x86,0xf7,0x0d,0x01,0x01,0x01,0x05,0x00,0x03,0x81,0x8d,0x00,0x30,0x81,0x89,
+0x02,0x81,0x81,0x00,0xad,0x7e,0xca,0xf3,0xe5,0x99,0xc2,0x2a,0xca,0x50,0x82,
+0x7c,0x2d,0xa4,0x81,0xcd,0x0d,0x0d,0x86,0xd7,0xd8,0xb2,0xde,0xc5,0xc3,0x34,
+0x9e,0x07,0x78,0x08,0x11,0x12,0x2d,0x21,0x0a,0x09,0x07,0x14,0x03,0x7a,0xe7,
+0x3b,0x58,0xf1,0xde,0x3e,0x01,0x25,0x93,0xab,0x8f,0xce,0x1f,0xc1,0x33,0x91,
+0xfe,0x59,0xb9,0x3b,0x9e,0x95,0x12,0x89,0x8e,0xc3,0x4b,0x98,0x1b,0x99,0xc5,
+0x07,0xe2,0xdf,0x15,0x4c,0x39,0x76,0x06,0xad,0xdb,0x16,0x06,0x49,0xba,0xcd,
+0x0f,0x07,0xd6,0xea,0x27,0xa6,0xfe,0x3d,0x88,0xe5,0x97,0x45,0x72,0xb6,0x1c,
+0xc0,0x1c,0xb1,0xa2,0x89,0xe8,0x37,0x9e,0xf6,0x2a,0xcf,0xd5,0x1f,0x2f,0x35,
+0x5e,0x8f,0x3a,0x9c,0x61,0xb1,0xf1,0x6c,0xff,0x8c,0xb2,0x2f,0x02,0x03,0x01,
+0x00,0x01,0xa3,0x42,0x30,0x40,0x30,0x0e,0x06,0x03,0x55,0x1d,0x0f,0x01,0x01,
+0xff,0x04,0x04,0x03,0x02,0x00,0x06,0x30,0x0f,0x06,0x03,0x55,0x1d,0x13,0x01,
+0x01,0xff,0x04,0x05,0x30,0x03,0x01,0x01,0xff,0x30,0x1d,0x06,0x03,0x55,0x1d,
+0x0e,0x04,0x16,0x04,0x14,0x14,0x8c,0x16,0xbb,0xbe,0x70,0xa2,0x28,0x89,0xa0,
+0x58,0xff,0x98,0xbd,0xa8,0x24,0x2b,0x8a,0xe9,0x9a,0x30,0x09,0x06,0x05,0x2b,
+0x0e,0x03,0x02,0x1d,0x05,0x00,0x03,0x81,0x81,0x00,0x74,0xcb,0x21,0xfd,0x2d,
+0x25,0xdc,0xa5,0xaa,0xa1,0x26,0xdc,0x8b,0x40,0x11,0x64,0xae,0x5c,0x71,0x3c,
+0x28,0xbc,0xf9,0xb3,0xcb,0xa5,0x94,0xb2,0x8d,0x4c,0x23,0x2b,0x9b,0xde,0x2c,
+0x4c,0x30,0x04,0xc6,0x88,0x10,0x2f,0x53,0xfd,0x6c,0x82,0xf1,0x13,0xfb,0xda,
+0x27,0x75,0x25,0x48,0xe4,0x72,0x09,0x2a,0xee,0xb4,0x1e,0xc9,0x55,0xf5,0xf7,
+0x82,0x91,0xd8,0x4b,0xe4,0x3a,0xfe,0x97,0x87,0xdf,0xfb,0x15,0x5a,0x12,0x3e,
+0x12,0xe6,0xad,0x40,0x0b,0xcf,0xee,0x1a,0x44,0xe0,0x83,0xb2,0x67,0x94,0xd4,
+0x2e,0x7c,0xf2,0x06,0x9d,0xb3,0x3b,0x7e,0x2f,0xda,0x25,0x66,0x7e,0xa7,0x1f,
+0x45,0xd4,0xf5,0xe3,0xdf,0x2a,0xf1,0x18,0x28,0x20,0xb5,0xf8,0xf5,0x8d,0x7a,
+0x2e,0x84,0xee };
+static const BYTE eeCert[] = {
+0x30,0x82,0x01,0x93,0x30,0x81,0xfd,0xa0,0x03,0x02,0x01,0x02,0x02,0x01,0x01,
+0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x05,0x05,0x00,
+0x30,0x10,0x31,0x0e,0x30,0x0c,0x06,0x03,0x55,0x04,0x03,0x13,0x05,0x43,0x65,
+0x72,0x74,0x31,0x30,0x1e,0x17,0x0d,0x30,0x37,0x30,0x35,0x30,0x31,0x30,0x30,
+0x30,0x30,0x30,0x30,0x5a,0x17,0x0d,0x30,0x37,0x31,0x30,0x30,0x31,0x30,0x30,
+0x30,0x30,0x30,0x30,0x5a,0x30,0x10,0x31,0x0e,0x30,0x0c,0x06,0x03,0x55,0x04,
+0x03,0x13,0x05,0x43,0x65,0x72,0x74,0x32,0x30,0x81,0x9f,0x30,0x0d,0x06,0x09,
+0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x01,0x05,0x00,0x03,0x81,0x8d,0x00,
+0x30,0x81,0x89,0x02,0x81,0x81,0x00,0xb8,0x52,0xda,0xc5,0x4b,0x3f,0xe5,0x33,
+0x0e,0x67,0x5f,0x48,0x21,0xdc,0x7e,0xef,0x37,0x33,0xba,0xff,0xb4,0xc6,0xdc,
+0xb6,0x17,0x8e,0x20,0x55,0x07,0x12,0xd2,0x7b,0x3c,0xce,0x30,0xc5,0xa7,0x48,
+0x9f,0x6e,0xfe,0xb8,0xbe,0xdb,0x9f,0x9b,0x17,0x60,0x16,0xde,0xc6,0x8b,0x47,
+0xd1,0x57,0x71,0x3c,0x93,0xfc,0xbd,0xec,0x44,0x32,0x3b,0xb9,0xcf,0x6b,0x05,
+0x72,0xa7,0x87,0x8e,0x7e,0xd4,0x9a,0x87,0x1c,0x2f,0xb7,0x82,0x40,0xfc,0x6a,
+0x80,0x83,0x68,0x28,0xce,0x84,0xf4,0x0b,0x2e,0x44,0xcb,0x53,0xac,0x85,0x85,
+0xb5,0x46,0x36,0x98,0x3c,0x10,0x02,0xaa,0x02,0xbc,0x8b,0xa2,0x23,0xb2,0xd3,
+0x51,0x9a,0x22,0x4a,0xe3,0xaa,0x4e,0x7c,0xda,0x38,0xcf,0x49,0x98,0x72,0xa3,
+0x02,0x03,0x01,0x00,0x01,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,
+0x01,0x01,0x05,0x05,0x00,0x03,0x81,0x81,0x00,0x22,0xf1,0x66,0x00,0x79,0xd2,
+0xe6,0xb2,0xb2,0xf7,0x2f,0x98,0x92,0x7d,0x73,0xc3,0x6c,0x5c,0x77,0x20,0xe3,
+0xbf,0x3e,0xe0,0xb3,0x5c,0x68,0xb4,0x9b,0x3a,0x41,0xae,0x94,0xa0,0x80,0x3a,
+0xfe,0x5d,0x7a,0x56,0x87,0x85,0x44,0x45,0xcf,0xa6,0xd3,0x10,0xe7,0x73,0x41,
+0xf2,0x7f,0x88,0x85,0x91,0x8e,0xe6,0xec,0xe2,0xce,0x08,0xbc,0xa5,0x76,0xe5,
+0x4d,0x1d,0xb7,0x70,0x31,0xdd,0xc9,0x9a,0x15,0x32,0x11,0x5a,0x4e,0x62,0xc8,
+0xd1,0xf8,0xec,0x46,0x39,0x5b,0xe7,0x67,0x1f,0x58,0xe8,0xa1,0xa0,0x5b,0xf7,
+0x8a,0x6d,0x5f,0x91,0x18,0xd4,0x90,0x85,0xff,0x30,0xc7,0xca,0x9c,0xc6,0x92,
+0xb0,0xca,0x16,0xc4,0xa4,0xc0,0xd6,0xe8,0xff,0x15,0x19,0xd1,0x30,0x61,0xf3,
+0xef,0x9f };
+static const BYTE rootSignedCRL[] = {
+0x30,0x82,0x01,0x1d,0x30,0x81,0x87,0x02,0x01,0x01,0x30,0x0d,0x06,0x09,0x2a,
+0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x05,0x05,0x00,0x30,0x10,0x31,0x0e,0x30,
+0x0c,0x06,0x03,0x55,0x04,0x03,0x13,0x05,0x43,0x65,0x72,0x74,0x31,0x17,0x0d,
+0x30,0x37,0x30,0x39,0x30,0x31,0x30,0x30,0x30,0x30,0x30,0x30,0x5a,0x17,0x0d,
+0x30,0x37,0x31,0x32,0x33,0x31,0x32,0x33,0x35,0x39,0x35,0x39,0x5a,0x30,0x14,
+0x30,0x12,0x02,0x01,0x01,0x17,0x0d,0x30,0x37,0x30,0x39,0x30,0x31,0x30,0x30,
+0x30,0x30,0x30,0x30,0x5a,0xa0,0x2d,0x30,0x2b,0x30,0x0a,0x06,0x03,0x55,0x1d,
+0x14,0x04,0x03,0x02,0x01,0x01,0x30,0x1d,0x06,0x03,0x55,0x1d,0x23,0x04,0x16,
+0x04,0x14,0x14,0x8c,0x16,0xbb,0xbe,0x70,0xa2,0x28,0x89,0xa0,0x58,0xff,0x98,
+0xbd,0xa8,0x24,0x2b,0x8a,0xe9,0x9a,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,
+0xf7,0x0d,0x01,0x01,0x05,0x05,0x00,0x03,0x81,0x81,0x00,0x9b,0x2b,0x99,0x0d,
+0x16,0x83,0x93,0x54,0x29,0x3a,0xa6,0x53,0x5d,0xf8,0xa6,0x73,0x9f,0x2a,0x45,
+0x39,0x91,0xff,0x91,0x1c,0x27,0x06,0xe8,0xdb,0x72,0x3f,0x66,0x89,0x15,0x68,
+0x55,0xd5,0x49,0x63,0xa6,0x00,0xe9,0x66,0x9c,0x97,0xf9,0xb3,0xb3,0x2b,0x1b,
+0xc7,0x79,0x46,0xa8,0xd8,0x2b,0x78,0x27,0xa0,0x70,0x02,0x81,0xc6,0x40,0xb3,
+0x76,0x32,0x65,0x4c,0xf8,0xff,0x1d,0x41,0x6e,0x16,0x09,0xa2,0x8a,0x7b,0x0c,
+0xd0,0xa6,0x9b,0x61,0xa3,0x7c,0x02,0x91,0x79,0xdf,0x6a,0x5e,0x88,0x95,0x66,
+0x33,0x17,0xcb,0x5a,0xd2,0xdc,0x89,0x05,0x62,0x97,0x60,0x73,0x7b,0x2c,0x1a,
+0x90,0x20,0x73,0x24,0x9f,0x45,0x22,0x4b,0xc1,0x33,0xd1,0xda,0xd8,0x7e,0x1b,
+0x3d,0x74,0xd6,0x3b };
+
 static void testFindCRL(void)
 {
     HCERTSTORE store = CertOpenStore(CERT_STORE_PROV_MEMORY, 0, 0,
      CERT_STORE_CREATE_NEW_FLAG, NULL);
     PCCRL_CONTEXT context;
-    PCCERT_CONTEXT cert;
+    PCCERT_CONTEXT cert, endCert, rootCert;
+    CRL_FIND_ISSUED_FOR_PARA issuedForPara = { NULL, NULL };
+    DWORD count, revoked_count;
     BOOL ret;
 
     if (!store) return;
@@ -286,8 +462,289 @@ static void testFindCRL(void)
     ok(context != NULL, "Expected a context\n");
     if (context)
         CertFreeCRLContext(context);
+
+    /* Try various find flags */
+    context = pCertFindCRLInStore(store, 0, CRL_FIND_ISSUED_BY_SIGNATURE_FLAG,
+     CRL_FIND_ISSUED_BY, cert, NULL);
+    ok(!context || broken(context != NULL /* Win9x */), "unexpected context\n");
+    /* The CRL doesn't have an AKI extension, so it matches any cert */
+    context = pCertFindCRLInStore(store, 0, CRL_FIND_ISSUED_BY_AKI_FLAG,
+     CRL_FIND_ISSUED_BY, cert, NULL);
+    ok(context != NULL, "Expected a context\n");
+    if (context)
+        CertFreeCRLContext(context);
+
+    if (0)
+    {
+        /* Crash or return NULL/STATUS_ACCESS_VIOLATION */
+        context = pCertFindCRLInStore(store, 0, 0, CRL_FIND_ISSUED_FOR, NULL,
+         NULL);
+        context = pCertFindCRLInStore(store, 0, 0, CRL_FIND_ISSUED_FOR,
+         &issuedForPara, NULL);
+    }
+    /* Test whether the cert matches the CRL in the store */
+    issuedForPara.pSubjectCert = cert;
+    issuedForPara.pIssuerCert = cert;
+    context = pCertFindCRLInStore(store, 0, 0, CRL_FIND_ISSUED_FOR,
+     &issuedForPara, NULL);
+    ok(context != NULL || broken(!context /* Win9x, NT4 */),
+     "Expected a context\n");
+    if (context)
+    {
+        ok(context->cbCrlEncoded == sizeof(signedCRL),
+         "unexpected CRL size %d\n", context->cbCrlEncoded);
+        ok(!memcmp(context->pbCrlEncoded, signedCRL, context->cbCrlEncoded),
+         "unexpected CRL data\n");
+        CertFreeCRLContext(context);
+    }
+
+    ret = CertAddEncodedCRLToStore(store, X509_ASN_ENCODING,
+     v1CRLWithIssuerAndEntry, sizeof(v1CRLWithIssuerAndEntry),
+     CERT_STORE_ADD_ALWAYS, NULL);
+    ok(ret, "CertAddEncodedCRLToStore failed: %08x\n", GetLastError());
+    ret = CertAddEncodedCRLToStore(store, X509_ASN_ENCODING,
+     v2CRLWithIssuingDistPoint, sizeof(v2CRLWithIssuingDistPoint),
+     CERT_STORE_ADD_ALWAYS, NULL);
+    ok(ret, "CertAddEncodedCRLToStore failed: %08x\n", GetLastError());
+    ret = CertAddEncodedCRLToStore(store, X509_ASN_ENCODING,
+     verisignCRL, sizeof(verisignCRL), CERT_STORE_ADD_ALWAYS, NULL);
+    ok(ret, "CertAddEncodedCRLToStore failed: %08x\n", GetLastError());
+    issuedForPara.pSubjectCert = cert;
+    issuedForPara.pIssuerCert = cert;
+    context = NULL;
+    count = revoked_count = 0;
+    do {
+        context = pCertFindCRLInStore(store, 0, 0, CRL_FIND_ISSUED_FOR,
+         &issuedForPara, context);
+        if (context)
+        {
+            PCRL_ENTRY entry;
+
+            count++;
+            if (CertFindCertificateInCRL(cert, context, 0, NULL, &entry) &&
+             entry)
+                revoked_count++;
+        }
+    } while (context);
+    /* signedCRL, v1CRLWithIssuerAndEntry, and v2CRLWithIssuingDistPoint all
+     * match cert's issuer, but verisignCRL does not, so the expected count
+     * is 0.
+     */
+    ok(count == 3 || broken(count == 0 /* NT4, Win9x */),
+     "expected 3 matching CRLs, got %d\n", count);
+    /* Only v1CRLWithIssuerAndEntry and v2CRLWithIssuingDistPoint contain
+     * entries, so the count of CRL entries that match cert is 2.
+     */
+    ok(revoked_count == 2 || broken(revoked_count == 0 /* NT4, Win9x */),
+     "expected 2 matching CRL entries, got %d\n", revoked_count);
+
     CertFreeCertificateContext(cert);
 
+    /* Try again with a cert that doesn't match any CRLs in the store */
+    cert = CertCreateCertificateContext(X509_ASN_ENCODING,
+     bigCertWithDifferentIssuer, sizeof(bigCertWithDifferentIssuer));
+    ok(cert != NULL, "CertCreateCertificateContext failed: %08x\n",
+     GetLastError());
+    issuedForPara.pSubjectCert = cert;
+    issuedForPara.pIssuerCert = cert;
+    context = NULL;
+    count = revoked_count = 0;
+    do {
+        context = pCertFindCRLInStore(store, 0, 0, CRL_FIND_ISSUED_FOR,
+         &issuedForPara, context);
+        if (context)
+        {
+            PCRL_ENTRY entry;
+
+            count++;
+            if (CertFindCertificateInCRL(cert, context, 0, NULL, &entry) &&
+             entry)
+                revoked_count++;
+        }
+    } while (context);
+    ok(count == 0, "expected 0 matching CRLs, got %d\n", count);
+    ok(revoked_count == 0, "expected 0 matching CRL entries, got %d\n",
+     revoked_count);
+    CertFreeCertificateContext(cert);
+
+    /* Test again with a real certificate and CRL.  The certificate wasn't
+     * revoked, but its issuer does have a CRL.
+     */
+    cert = CertCreateCertificateContext(X509_ASN_ENCODING,
+     verisignCommercialSoftPubCA, sizeof(verisignCommercialSoftPubCA));
+    ok(cert != NULL, "CertCreateCertificateContext failed: %08x\n",
+     GetLastError());
+    issuedForPara.pIssuerCert = cert;
+    issuedForPara.pSubjectCert = cert;
+    context = NULL;
+    count = revoked_count = 0;
+    do {
+        context = pCertFindCRLInStore(store, 0, 0, CRL_FIND_ISSUED_FOR,
+         &issuedForPara, context);
+        if (context)
+        {
+            PCRL_ENTRY entry;
+
+            count++;
+            if (CertFindCertificateInCRL(cert, context, 0, NULL, &entry) &&
+             entry)
+                revoked_count++;
+        }
+    } while (context);
+    ok(count == 1 || broken(count == 0 /* Win9x, NT4 */),
+     "expected 1 matching CRLs, got %d\n", count);
+    ok(revoked_count == 0, "expected 0 matching CRL entries, got %d\n",
+     revoked_count);
+    CertFreeCertificateContext(cert);
+
+    CertCloseStore(store, 0);
+
+    /* This test uses a synthesized chain (rootWithKeySignAndCRLSign ->
+     * eeCert) whose end certificate is in the CRL.
+     */
+    store = CertOpenStore(CERT_STORE_PROV_MEMORY, 0, 0,
+     CERT_STORE_CREATE_NEW_FLAG, NULL);
+    /* Add a CRL for the end certificate */
+    CertAddEncodedCRLToStore(store, X509_ASN_ENCODING,
+     rootSignedCRL, sizeof(rootSignedCRL), CERT_STORE_ADD_ALWAYS, NULL);
+    /* Add another CRL unrelated to the tested chain */
+    CertAddEncodedCRLToStore(store, X509_ASN_ENCODING,
+     verisignCRL, sizeof(verisignCRL), CERT_STORE_ADD_ALWAYS, NULL);
+    endCert = CertCreateCertificateContext(X509_ASN_ENCODING,
+     eeCert, sizeof(eeCert));
+    rootCert = CertCreateCertificateContext(X509_ASN_ENCODING,
+     rootWithKeySignAndCRLSign, sizeof(rootWithKeySignAndCRLSign));
+    issuedForPara.pSubjectCert = endCert;
+    issuedForPara.pIssuerCert = rootCert;
+    context = NULL;
+    count = revoked_count = 0;
+    do {
+        context = pCertFindCRLInStore(store, 0, 0, CRL_FIND_ISSUED_FOR,
+         &issuedForPara, context);
+        if (context)
+        {
+            PCRL_ENTRY entry;
+
+            count++;
+            if (CertFindCertificateInCRL(endCert, context, 0, NULL, &entry) &&
+             entry)
+                revoked_count++;
+        }
+    } while (context);
+    ok(count == 1 || broken(count == 0 /* Win9x, NT4 */),
+     "expected 1 matching CRLs, got %d\n", count);
+    ok(revoked_count == 1 || broken(revoked_count == 0 /* Win9x, NT4 */),
+     "expected 1 matching CRL entries, got %d\n", revoked_count);
+
+    /* Test CRL_FIND_ISSUED_BY flags */
+    count = revoked_count = 0;
+    do {
+        context = pCertFindCRLInStore(store, 0, 0, CRL_FIND_ISSUED_BY,
+         endCert, context);
+        if (context)
+        {
+            PCRL_ENTRY entry;
+
+            count++;
+            if (CertFindCertificateInCRL(endCert, context, 0, NULL, &entry) &&
+             entry)
+                revoked_count++;
+        }
+    } while (context);
+    ok(count == 0, "expected 0 matching CRLs, got %d\n", count);
+    ok(revoked_count == 0, "expected 0 matching CRL entries, got %d\n",
+     revoked_count);
+    count = revoked_count = 0;
+    do {
+        context = pCertFindCRLInStore(store, 0, 0, CRL_FIND_ISSUED_BY,
+         rootCert, context);
+        if (context)
+        {
+            PCRL_ENTRY entry;
+
+            count++;
+            if (CertFindCertificateInCRL(endCert, context, 0, NULL, &entry) &&
+             entry)
+                revoked_count++;
+        }
+    } while (context);
+    ok(count == 1, "expected 1 matching CRLs, got %d\n", count);
+    ok(revoked_count == 1, "expected 1 matching CRL entries, got %d\n",
+     revoked_count);
+    count = revoked_count = 0;
+    do {
+        context = pCertFindCRLInStore(store, 0, CRL_FIND_ISSUED_BY_AKI_FLAG,
+         CRL_FIND_ISSUED_BY, endCert, context);
+        if (context)
+        {
+            PCRL_ENTRY entry;
+
+            count++;
+            if (CertFindCertificateInCRL(endCert, context, 0, NULL, &entry) &&
+             entry)
+                revoked_count++;
+        }
+    } while (context);
+    ok(count == 0, "expected 0 matching CRLs, got %d\n", count);
+    ok(revoked_count == 0, "expected 0 matching CRL entries, got %d\n",
+     revoked_count);
+    count = revoked_count = 0;
+    do {
+        context = pCertFindCRLInStore(store, 0, CRL_FIND_ISSUED_BY_AKI_FLAG,
+         CRL_FIND_ISSUED_BY, rootCert, context);
+        if (context)
+        {
+            PCRL_ENTRY entry;
+
+            count++;
+            if (CertFindCertificateInCRL(rootCert, context, 0, NULL, &entry) &&
+             entry)
+                revoked_count++;
+        }
+    } while (context);
+    ok(count == 0 || broken(count == 1 /* Win9x */),
+     "expected 0 matching CRLs, got %d\n", count);
+    ok(revoked_count == 0, "expected 0 matching CRL entries, got %d\n",
+     revoked_count);
+    count = revoked_count = 0;
+    do {
+        context = pCertFindCRLInStore(store, 0,
+         CRL_FIND_ISSUED_BY_SIGNATURE_FLAG, CRL_FIND_ISSUED_BY, endCert,
+         context);
+        if (context)
+        {
+            PCRL_ENTRY entry;
+
+            count++;
+            if (CertFindCertificateInCRL(endCert, context, 0, NULL, &entry) &&
+             entry)
+                revoked_count++;
+        }
+    } while (context);
+    ok(count == 0, "expected 0 matching CRLs, got %d\n", count);
+    ok(revoked_count == 0, "expected 0 matching CRL entries, got %d\n",
+     revoked_count);
+    count = revoked_count = 0;
+    do {
+        context = pCertFindCRLInStore(store, 0,
+         CRL_FIND_ISSUED_BY_SIGNATURE_FLAG, CRL_FIND_ISSUED_BY, rootCert,
+         context);
+        if (context)
+        {
+            PCRL_ENTRY entry;
+
+            count++;
+            if (CertFindCertificateInCRL(endCert, context, 0, NULL, &entry) &&
+             entry)
+                revoked_count++;
+        }
+    } while (context);
+    ok(count == 1, "expected 1 matching CRLs, got %d\n", count);
+    ok(revoked_count == 1, "expected 1 matching CRL entries, got %d\n",
+     revoked_count);
+    CertFreeCertificateContext(rootCert);
+    CertFreeCertificateContext(endCert);
+
     CertCloseStore(store, 0);
 }
 
@@ -475,59 +932,24 @@ static void testCRLProperties(void)
     }
 }
 
-static const BYTE v1CRLWithIssuerAndEntry[] = { 0x30, 0x44, 0x30, 0x02, 0x06,
- 0x00, 0x30, 0x15, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13,
- 0x0a, 0x4a, 0x75, 0x61, 0x6e, 0x20, 0x4c, 0x61, 0x6e, 0x67, 0x00, 0x18, 0x0f,
- 0x31, 0x36, 0x30, 0x31, 0x30, 0x31, 0x30, 0x31, 0x30, 0x30, 0x30, 0x30, 0x30,
- 0x30, 0x5a, 0x30, 0x16, 0x30, 0x14, 0x02, 0x01, 0x01, 0x18, 0x0f, 0x31, 0x36,
- 0x30, 0x31, 0x30, 0x31, 0x30, 0x31, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5a };
-static const BYTE v2CRLWithIssuingDistPoint[] = { 0x30,0x5c,0x02,0x01,0x01,
- 0x30,0x02,0x06,0x00,0x30,0x15,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x03,
- 0x13,0x0a,0x4a,0x75,0x61,0x6e,0x20,0x4c,0x61,0x6e,0x67,0x00,0x18,0x0f,0x31,
- 0x36,0x30,0x31,0x30,0x31,0x30,0x31,0x30,0x30,0x30,0x30,0x30,0x30,0x5a,0x30,
- 0x16,0x30,0x14,0x02,0x01,0x01,0x18,0x0f,0x31,0x36,0x30,0x31,0x30,0x31,0x30,
- 0x31,0x30,0x30,0x30,0x30,0x30,0x30,0x5a,0xa0,0x13,0x30,0x11,0x30,0x0f,0x06,
- 0x03,0x55,0x1d,0x13,0x04,0x08,0x30,0x06,0x01,0x01,0xff,0x02,0x01,0x01 };
-static const BYTE verisignCRL[] = { 0x30, 0x82, 0x01, 0xb1, 0x30, 0x82, 0x01,
- 0x1a, 0x02, 0x01, 0x01, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7,
- 0x0d, 0x01, 0x01, 0x02, 0x05, 0x00, 0x30, 0x61, 0x31, 0x11, 0x30, 0x0f, 0x06,
- 0x03, 0x55, 0x04, 0x07, 0x13, 0x08, 0x49, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x65,
- 0x74, 0x31, 0x17, 0x30, 0x15, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x0e, 0x56,
- 0x65, 0x72, 0x69, 0x53, 0x69, 0x67, 0x6e, 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e,
- 0x31, 0x33, 0x30, 0x31, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x2a, 0x56, 0x65,
- 0x72, 0x69, 0x53, 0x69, 0x67, 0x6e, 0x20, 0x43, 0x6f, 0x6d, 0x6d, 0x65, 0x72,
- 0x63, 0x69, 0x61, 0x6c, 0x20, 0x53, 0x6f, 0x66, 0x74, 0x77, 0x61, 0x72, 0x65,
- 0x20, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x73, 0x68, 0x65, 0x72, 0x73, 0x20, 0x43,
- 0x41, 0x17, 0x0d, 0x30, 0x31, 0x30, 0x33, 0x32, 0x34, 0x30, 0x30, 0x30, 0x30,
- 0x30, 0x30, 0x5a, 0x17, 0x0d, 0x30, 0x34, 0x30, 0x31, 0x30, 0x37, 0x32, 0x33,
- 0x35, 0x39, 0x35, 0x39, 0x5a, 0x30, 0x69, 0x30, 0x21, 0x02, 0x10, 0x1b, 0x51,
- 0x90, 0xf7, 0x37, 0x24, 0x39, 0x9c, 0x92, 0x54, 0xcd, 0x42, 0x46, 0x37, 0x99,
- 0x6a, 0x17, 0x0d, 0x30, 0x31, 0x30, 0x31, 0x33, 0x30, 0x30, 0x30, 0x30, 0x31,
- 0x32, 0x34, 0x5a, 0x30, 0x21, 0x02, 0x10, 0x75, 0x0e, 0x40, 0xff, 0x97, 0xf0,
- 0x47, 0xed, 0xf5, 0x56, 0xc7, 0x08, 0x4e, 0xb1, 0xab, 0xfd, 0x17, 0x0d, 0x30,
- 0x31, 0x30, 0x31, 0x33, 0x31, 0x30, 0x30, 0x30, 0x30, 0x34, 0x39, 0x5a, 0x30,
- 0x21, 0x02, 0x10, 0x77, 0xe6, 0x5a, 0x43, 0x59, 0x93, 0x5d, 0x5f, 0x7a, 0x75,
- 0x80, 0x1a, 0xcd, 0xad, 0xc2, 0x22, 0x17, 0x0d, 0x30, 0x30, 0x30, 0x38, 0x33,
- 0x31, 0x30, 0x30, 0x30, 0x30, 0x35, 0x36, 0x5a, 0xa0, 0x1a, 0x30, 0x18, 0x30,
- 0x09, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x02, 0x30, 0x00, 0x30, 0x0b, 0x06,
- 0x03, 0x55, 0x1d, 0x0f, 0x04, 0x04, 0x03, 0x02, 0x05, 0xa0, 0x30, 0x0d, 0x06,
- 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x02, 0x05, 0x00, 0x03,
- 0x81, 0x81, 0x00, 0x18, 0x2c, 0xe8, 0xfc, 0x16, 0x6d, 0x91, 0x4a, 0x3d, 0x88,
- 0x54, 0x48, 0x5d, 0xb8, 0x11, 0xbf, 0x64, 0xbb, 0xf9, 0xda, 0x59, 0x19, 0xdd,
- 0x0e, 0x65, 0xab, 0xc0, 0x0c, 0xfa, 0x67, 0x7e, 0x21, 0x1e, 0x83, 0x0e, 0xcf,
- 0x9b, 0x89, 0x8a, 0xcf, 0x0c, 0x4b, 0xc1, 0x39, 0x9d, 0xe7, 0x6a, 0xac, 0x46,
- 0x74, 0x6a, 0x91, 0x62, 0x22, 0x0d, 0xc4, 0x08, 0xbd, 0xf5, 0x0a, 0x90, 0x7f,
- 0x06, 0x21, 0x3d, 0x7e, 0xa7, 0xaa, 0x5e, 0xcd, 0x22, 0x15, 0xe6, 0x0c, 0x75,
- 0x8e, 0x6e, 0xad, 0xf1, 0x84, 0xe4, 0x22, 0xb4, 0x30, 0x6f, 0xfb, 0x64, 0x8f,
- 0xd7, 0x80, 0x43, 0xf5, 0x19, 0x18, 0x66, 0x1d, 0x72, 0xa3, 0xe3, 0x94, 0x82,
- 0x28, 0x52, 0xa0, 0x06, 0x4e, 0xb1, 0xc8, 0x92, 0x0c, 0x97, 0xbe, 0x15, 0x07,
- 0xab, 0x7a, 0xc9, 0xea, 0x08, 0x67, 0x43, 0x4d, 0x51, 0x63, 0x3b, 0x9c, 0x9c,
- 0xcd };
+static const BYTE bigCertWithCRLDistPoints[] = {
+0x30,0x81,0xa5,0x02,0x01,0x01,0x30,0x02,0x06,0x00,0x30,0x15,0x31,0x13,0x30,
+0x11,0x06,0x03,0x55,0x04,0x03,0x13,0x0a,0x4a,0x75,0x61,0x6e,0x20,0x4c,0x61,
+0x6e,0x67,0x00,0x30,0x22,0x18,0x0f,0x31,0x36,0x30,0x31,0x30,0x31,0x30,0x31,
+0x30,0x30,0x30,0x30,0x30,0x30,0x5a,0x18,0x0f,0x31,0x36,0x30,0x31,0x30,0x31,
+0x30,0x31,0x30,0x30,0x30,0x30,0x30,0x30,0x5a,0x30,0x15,0x31,0x13,0x30,0x11,
+0x06,0x03,0x55,0x04,0x03,0x13,0x0a,0x4a,0x75,0x61,0x6e,0x20,0x4c,0x61,0x6e,
+0x67,0x00,0x30,0x22,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,
+0x01,0x01,0x05,0x00,0x03,0x11,0x00,0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,
+0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f,0xa3,0x26,0x30,0x24,0x30,0x22,0x06,
+0x03,0x55,0x1d,0x1f,0x04,0x1b,0x30,0x19,0x30,0x17,0xa0,0x15,0xa0,0x13,0x86,
+0x11,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x77,0x69,0x6e,0x65,0x68,0x71,0x2e,
+0x6f,0x72,0x67 };
 
 static void testIsValidCRLForCert(void)
 {
     BOOL ret;
-    PCCERT_CONTEXT cert1, cert2;
+    PCCERT_CONTEXT cert1, cert2, cert3;
     PCCRL_CONTEXT crl;
     HCERTSTORE store;
 
@@ -568,21 +990,33 @@ static void testIsValidCRLForCert(void)
 
     CertFreeCRLContext(crl);
 
-    /* Yet with a CRL_ISSUING_DIST_POINT in the CRL, I still can't get this
-     * to say the CRL is not valid for either cert.
+    /* With a CRL_ISSUING_DIST_POINT in the CRL, it returns FALSE, since the
+     * cert doesn't have the same extension in it.
      */
     crl = CertCreateCRLContext(X509_ASN_ENCODING, v2CRLWithIssuingDistPoint,
      sizeof(v2CRLWithIssuingDistPoint));
     ok(crl != NULL, "CertCreateCRLContext failed: %08x\n", GetLastError());
 
     ret = pCertIsValidCRLForCertificate(cert1, crl, 0, NULL);
-    ok(ret, "CertIsValidCRLForCertificate failed: %08x\n", GetLastError());
+    ok(!ret && GetLastError() == CRYPT_E_NO_MATCH,
+     "expected CRYPT_E_NO_MATCH, got %08x\n", GetLastError());
     ret = pCertIsValidCRLForCertificate(cert2, crl, 0, NULL);
+    ok(!ret && GetLastError() == CRYPT_E_NO_MATCH,
+     "expected CRYPT_E_NO_MATCH, got %08x\n", GetLastError());
+
+    /* With a CRL_ISSUING_DIST_POINT in the CRL, it matches the cert containing
+     * a CRL_DIST_POINTS_INFO extension.
+     */
+    cert3 = CertCreateCertificateContext(X509_ASN_ENCODING,
+     bigCertWithCRLDistPoints, sizeof(bigCertWithCRLDistPoints));
+    ok(cert3 != NULL, "CertCreateCertificateContext failed: %08x\n",
+     GetLastError());
+    ret = pCertIsValidCRLForCertificate(cert3, crl, 0, NULL);
     ok(ret, "CertIsValidCRLForCertificate failed: %08x\n", GetLastError());
 
     CertFreeCRLContext(crl);
 
-    /* And again, with a real CRL, the CRL is valid for both certs. */
+    /* And again, with a real CRL, the CRL is valid for all three certs. */
     crl = CertCreateCRLContext(X509_ASN_ENCODING, verisignCRL,
      sizeof(verisignCRL));
     ok(crl != NULL, "CertCreateCRLContext failed: %08x\n", GetLastError());
@@ -591,11 +1025,13 @@ static void testIsValidCRLForCert(void)
     ok(ret, "CertIsValidCRLForCertificate failed: %08x\n", GetLastError());
     ret = pCertIsValidCRLForCertificate(cert2, crl, 0, NULL);
     ok(ret, "CertIsValidCRLForCertificate failed: %08x\n", GetLastError());
+    ret = pCertIsValidCRLForCertificate(cert3, crl, 0, NULL);
+    ok(ret, "CertIsValidCRLForCertificate failed: %08x\n", GetLastError());
 
     CertFreeCRLContext(crl);
 
     /* One last test: a CRL in a different store than the cert is also valid
-     * for the cert, so CertIsValidCRLForCertificate must always return TRUE?
+     * for the cert.
      */
     store = CertOpenStore(CERT_STORE_PROV_MEMORY, X509_ASN_ENCODING, 0,
      CERT_STORE_CREATE_NEW_FLAG, NULL);
@@ -609,11 +1045,14 @@ static void testIsValidCRLForCert(void)
     ok(ret, "CertIsValidCRLForCertificate failed: %08x\n", GetLastError());
     ret = pCertIsValidCRLForCertificate(cert2, crl, 0, NULL);
     ok(ret, "CertIsValidCRLForCertificate failed: %08x\n", GetLastError());
+    ret = pCertIsValidCRLForCertificate(cert3, crl, 0, NULL);
+    ok(ret, "CertIsValidCRLForCertificate failed: %08x\n", GetLastError());
 
     CertFreeCRLContext(crl);
 
     CertCloseStore(store, 0);
 
+    CertFreeCertificateContext(cert3);
     CertFreeCertificateContext(cert2);
     CertFreeCertificateContext(cert1);
 }
@@ -710,8 +1149,8 @@ static void testVerifyCRLRevocation(void)
     CertFreeCRLContext(crl);
 
     /* Check against CRL with different issuer and entry for the cert */
-    crl = CertCreateCRLContext(X509_ASN_ENCODING, v1CRLWithIssuerAndEntry,
-     sizeof(v1CRLWithIssuerAndEntry));
+    crl = CertCreateCRLContext(X509_ASN_ENCODING, crlWithDifferentIssuer,
+     sizeof(crlWithDifferentIssuer));
     ok(crl != NULL, "CertCreateCRLContext failed: %08x\n", GetLastError());
     ret = CertVerifyCRLRevocation(X509_ASN_ENCODING, cert->pCertInfo, 1,
      (PCRL_INFO *)&crl->pCrlInfo);
index f2fc727..0f8ae7f 100644 (file)
@@ -1387,8 +1387,9 @@ static void test_decodeNameValue(DWORD dwEncoding)
      embeddedNullNameValue.encoded, embeddedNullNameValue.encodedSize,
      CRYPT_DECODE_ALLOC_FLAG | CRYPT_DECODE_SHARE_OID_STRING_FLAG, NULL,
      &buf, &bufSize);
-    ok(ret, "Value type %d: CryptDecodeObjectEx failed: %08x\n",
-     embeddedNullNameValue.value.dwValueType, GetLastError());
+    /* Some Windows versions disallow name values with embedded NULLs, so
+     * either success or failure is acceptable.
+     */
     if (ret)
     {
         CERT_NAME_VALUE rdnEncodedValue = { CERT_RDN_ENCODED_BLOB,
@@ -3851,23 +3852,14 @@ static const BYTE v2CRLWithExt[] = { 0x30,0x5c,0x02,0x01,0x01,0x30,0x02,0x06,
  0x02,0x01,0x01,0x18,0x0f,0x31,0x36,0x30,0x31,0x30,0x31,0x30,0x31,0x30,0x30,
  0x30,0x30,0x30,0x30,0x5a,0xa0,0x13,0x30,0x11,0x30,0x0f,0x06,0x03,0x55,0x1d,
  0x13,0x04,0x08,0x30,0x06,0x01,0x01,0xff,0x02,0x01,0x01 };
-static const BYTE v2CRLWithIssuingDistPoint[] = { 0x30,0x5c,0x02,0x01,0x01,
- 0x30,0x02,0x06,0x00,0x30,0x15,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x03,
- 0x13,0x0a,0x4a,0x75,0x61,0x6e,0x20,0x4c,0x61,0x6e,0x67,0x00,0x18,0x0f,0x31,
- 0x36,0x30,0x31,0x30,0x31,0x30,0x31,0x30,0x30,0x30,0x30,0x30,0x30,0x5a,0x30,
- 0x16,0x30,0x14,0x02,0x01,0x01,0x18,0x0f,0x31,0x36,0x30,0x31,0x30,0x31,0x30,
- 0x31,0x30,0x30,0x30,0x30,0x30,0x30,0x5a,0xa0,0x13,0x30,0x11,0x30,0x0f,0x06,
- 0x03,0x55,0x1d,0x13,0x04,0x08,0x30,0x06,0x01,0x01,0xff,0x02,0x01,0x01 };
 
 static void test_encodeCRLToBeSigned(DWORD dwEncoding)
 {
     BOOL ret;
     BYTE *buf = NULL;
-    static CHAR oid_issuing_dist_point[] = szOID_ISSUING_DIST_POINT;
     DWORD size = 0;
     CRL_INFO info = { 0 };
     CRL_ENTRY entry = { { 0 }, { 0 }, 0, 0 };
-    CERT_EXTENSION ext;
 
     /* Test with a V1 CRL */
     ret = pCryptEncodeObjectEx(dwEncoding, X509_CERT_CRL_TO_BE_SIGNED, &info,
@@ -3978,21 +3970,6 @@ static void test_encodeCRLToBeSigned(DWORD dwEncoding)
         ok(!memcmp(buf, v2CRLWithExt, size), "Got unexpected value\n");
         LocalFree(buf);
     }
-    /* a v2 CRL with an issuing dist point extension */
-    ext.pszObjId = oid_issuing_dist_point;
-    ext.fCritical = TRUE;
-    ext.Value.cbData = sizeof(urlIDP);
-    ext.Value.pbData = (LPBYTE)urlIDP;
-    entry.rgExtension = &ext;
-    ret = pCryptEncodeObjectEx(dwEncoding, X509_CERT_CRL_TO_BE_SIGNED, &info,
-     CRYPT_ENCODE_ALLOC_FLAG, NULL, &buf, &size);
-    ok(ret, "CryptEncodeObjectEx failed: %08x\n", GetLastError());
-    if (buf)
-    {
-        ok(size == sizeof(v2CRLWithIssuingDistPoint), "Wrong size %d\n", size);
-        ok(!memcmp(buf, v2CRLWithIssuingDistPoint, size), "Unexpected value\n");
-        LocalFree(buf);
-    }
 }
 
 static const BYTE verisignCRL[] = { 0x30, 0x82, 0x01, 0xb1, 0x30, 0x82, 0x01,
@@ -4682,19 +4659,6 @@ static void test_decodeCRLToBeSigned(DWORD dwEncoding)
     {
         CRL_INFO *info = (CRL_INFO *)buf;
 
-        ok(info->cExtension == 1, "Expected 1 extensions, got %d\n",
-         info->cExtension);
-        LocalFree(buf);
-    }
-    /* And again, with an issuing dist point */
-    ret = pCryptDecodeObjectEx(dwEncoding, X509_CERT_CRL_TO_BE_SIGNED,
-     v2CRLWithIssuingDistPoint, sizeof(v2CRLWithIssuingDistPoint),
-     CRYPT_DECODE_ALLOC_FLAG, NULL, &buf, &size);
-    ok(ret, "CryptDecodeObjectEx failed: %08x\n", GetLastError());
-    if (buf)
-    {
-        CRL_INFO *info = (CRL_INFO *)buf;
-
         ok(info->cExtension == 1, "Expected 1 extensions, got %d\n",
          info->cExtension);
         LocalFree(buf);
index c3173c3..91bad8e 100644 (file)
@@ -213,7 +213,7 @@ static void test_cryptunprotectdata(void)
     plain.cbData=0;
 }
 
-static void test_simpleroundtrip(const char *plaintext, int wine_fails)
+static void test_simpleroundtrip(const char *plaintext)
 {
     DATA_BLOB input;
     DATA_BLOB encrypted;
@@ -234,17 +234,9 @@ static void test_simpleroundtrip(const char *plaintext, int wine_fails)
     }
 
     res = pCryptUnprotectData(&encrypted, NULL, NULL, NULL, NULL, 0, &output);
-    if (wine_fails) {
-      todo_wine
-        ok(res != 0, "can't unprotect; last error %u\n", GetLastError());
-    } else {
-      ok(res != 0, "can't unprotect; last error %u\n", GetLastError());
-    }
-
-    if (res) {
-      ok(output.cbData == strlen(plaintext), "output wrong length %d for input '%s', wanted %d\n", output.cbData, plaintext, strlen(plaintext));
-      ok(!memcmp(plaintext, (char *)output.pbData, output.cbData), "output wrong contents for input '%s'\n", plaintext);
-    }
+    ok(res != 0, "can't unprotect; last error %u\n", GetLastError());
+    ok(output.cbData == strlen(plaintext), "output wrong length %d for input '%s', wanted %d\n", output.cbData, plaintext, strlen(plaintext));
+    ok(!memcmp(plaintext, (char *)output.pbData, output.cbData), "output wrong contents for input '%s'\n", plaintext);
 }
 
 START_TEST(protectdata)
@@ -262,8 +254,8 @@ START_TEST(protectdata)
     protected=FALSE;
     test_cryptprotectdata();
     test_cryptunprotectdata();
-    test_simpleroundtrip("", 1);
-    test_simpleroundtrip("hello", 0);
+    test_simpleroundtrip("");
+    test_simpleroundtrip("hello");
 
     /* deinit globals here */
     if (cipher.pbData) LocalFree(cipher.pbData);