crypt32: Support up to date subject and issuer alt names OIDs.

Signed-off-by: Alexandre Julliard <julliard@winehq.org>

crypt32: Support up to date subject and issuer alt names OIDs.
b1b9a754 · Paul Gofman · Alexandre Julliard · 9c40a801 · b1b9a754 · b1b9a754
Commit b1b9a754 authored Apr 14, 2022 by Paul Gofman Committed by Alexandre Julliard May 04, 2022
Hide whitespace changes
Inline Side-by-side

Showing with 230 additions and 145 deletions

str.c dlls/crypt32/str.c +91 -124

str.c dlls/crypt32/tests/str.c +139 -21

No files found.
--- a/dlls/crypt32/str.c
+++ b/dlls/crypt32/str.c
@@ -914,31 +914,32 @@ DWORD WINAPI CertGetNameStringA(PCCERT_CONTEXT cert, DWORD type,
 * The return value is a pointer within *info, so don't free *info before
 * you're done with the return value.
 */
-static PCERT_ALT_NAME_ENTRY cert_find_alt_name_entry(PCCERT_CONTEXT cert,
- LPCSTR altNameOID, DWORD entryType, PCERT_ALT_NAME_INFO *info)
+static PCERT_ALT_NAME_ENTRY cert_find_alt_name_entry(PCCERT_CONTEXT cert, BOOL alt_name_issuer,
+                                                     DWORD entryType, PCERT_ALT_NAME_INFO *info)
 {
-    PCERT_ALT_NAME_ENTRY entry = NULL;
-    PCERT_EXTENSION ext = CertFindExtension(altNameOID,
-     cert->pCertInfo->cExtension, cert->pCertInfo->rgExtension);
-
-    if (ext)
+    static const char *oids[][2] =
    {
-        DWORD bytes = 0;
-
-        if (CryptDecodeObjectEx(cert->dwCertEncodingType, X509_ALTERNATE_NAME,
-         ext->Value.pbData, ext->Value.cbData, CRYPT_DECODE_ALLOC_FLAG, NULL,
-         info, &bytes))
-        {
-            DWORD i;
-
-            for (i = 0; !entry && i < (*info)->cAltEntry; i++)
-                if ((*info)->rgAltEntry[i].dwAltNameChoice == entryType)
-                    entry = &(*info)->rgAltEntry[i];
-        }
-    }
-    else
-        *info = NULL;
-    return entry;
+        { szOID_SUBJECT_ALT_NAME2, szOID_SUBJECT_ALT_NAME },
+        { szOID_ISSUER_ALT_NAME2, szOID_ISSUER_ALT_NAME },
+    };
+    PCERT_EXTENSION ext;
+    DWORD bytes = 0;
+    unsigned int i;
+
+    ext = CertFindExtension(oids[!!alt_name_issuer][0], cert->pCertInfo->cExtension, cert->pCertInfo->rgExtension);
+    if (!ext)
+        ext = CertFindExtension(oids[!!alt_name_issuer][1], cert->pCertInfo->cExtension, cert->pCertInfo->rgExtension);
+    if (!ext) return NULL;
+
+    if (!CryptDecodeObjectEx(cert->dwCertEncodingType, X509_ALTERNATE_NAME, ext->Value.pbData, ext->Value.cbData,
+                             CRYPT_DECODE_ALLOC_FLAG, NULL, info, &bytes))
+        return NULL;
+
+    for (i = 0; i < (*info)->cAltEntry; ++i)
+        if ((*info)->rgAltEntry[i].dwAltNameChoice == entryType)
+            return &(*info)->rgAltEntry[i];
+
+    return NULL;
 }

 static DWORD cert_get_name_from_rdn_attr(DWORD encodingType,
@@ -974,172 +975,138 @@ static DWORD copy_output_str(WCHAR *dst, const WCHAR *src, DWORD dst_size)
    return len + 1;
 }

-DWORD WINAPI CertGetNameStringW(PCCERT_CONTEXT pCertContext, DWORD dwType,
- DWORD dwFlags, void *pvTypePara, LPWSTR pszNameString, DWORD cchNameString)
+DWORD WINAPI CertGetNameStringW(PCCERT_CONTEXT cert, DWORD type, DWORD flags, void *type_para,
+                                LPWSTR name_string, DWORD name_len)
 {
-    DWORD ret = 0;
+    CERT_ALT_NAME_INFO *info = NULL;
+    PCERT_ALT_NAME_ENTRY entry;
+    BOOL alt_name_issuer;
    PCERT_NAME_BLOB name;
-    LPCSTR altNameOID;
+    DWORD ret = 0;

-    TRACE("(%p, %ld, %08lx, %p, %p, %ld)\n", pCertContext, dwType,
-     dwFlags, pvTypePara, pszNameString, cchNameString);
+    TRACE("(%p, %ld, %08lx, %p, %p, %ld)\n", cert, type, flags, type_para, name_string, name_len);

-    if (!pCertContext)
+    if (!cert)
        goto done;

-    if (dwFlags & CERT_NAME_ISSUER_FLAG)
-    {
-        name = &pCertContext->pCertInfo->Issuer;
-        altNameOID = szOID_ISSUER_ALT_NAME;
-    }
-    else
-    {
-        name = &pCertContext->pCertInfo->Subject;
-        altNameOID = szOID_SUBJECT_ALT_NAME;
-    }
+    alt_name_issuer = flags & CERT_NAME_ISSUER_FLAG;
+    name = alt_name_issuer ? &cert->pCertInfo->Issuer : &cert->pCertInfo->Subject;

-    switch (dwType)
+    switch (type)
    {
    case CERT_NAME_EMAIL_TYPE:
    {
-        CERT_ALT_NAME_INFO *info;
-        PCERT_ALT_NAME_ENTRY entry = cert_find_alt_name_entry(pCertContext,
-         altNameOID, CERT_ALT_NAME_RFC822_NAME, &info);
-
-        if (entry) ret = copy_output_str(pszNameString, entry->u.pwszRfc822Name, cchNameString);
-        if (info)
-            LocalFree(info);
-        if (!ret)
+        entry = cert_find_alt_name_entry(cert, alt_name_issuer, CERT_ALT_NAME_RFC822_NAME, &info);
+
+        if (entry)
        {
-            ret = cert_get_name_from_rdn_attr(pCertContext->dwCertEncodingType,
-             name, szOID_RSA_emailAddr, pszNameString, cchNameString);
-         }
+            ret = copy_output_str(name_string, entry->u.pwszRfc822Name, name_len);
+            break;
+        }
+        ret = cert_get_name_from_rdn_attr(cert->dwCertEncodingType, name, szOID_RSA_emailAddr,
+                                          name_string, name_len);
        break;
    }
    case CERT_NAME_RDN_TYPE:
    {
-        DWORD type = pvTypePara ? *(DWORD *)pvTypePara : 0;
+        DWORD param = type_para ? *(DWORD *)type_para : 0;

        if (name->cbData)
-            ret = CertNameToStrW(pCertContext->dwCertEncodingType, name,
-             type, pszNameString, cchNameString);
+        {
+            ret = CertNameToStrW(cert->dwCertEncodingType, name, param, name_string, name_len);
+        }
        else
        {
-            CERT_ALT_NAME_INFO *info;
-            PCERT_ALT_NAME_ENTRY entry = cert_find_alt_name_entry(pCertContext,
-             altNameOID, CERT_ALT_NAME_DIRECTORY_NAME, &info);
+            entry = cert_find_alt_name_entry(cert, alt_name_issuer, CERT_ALT_NAME_DIRECTORY_NAME, &info);

            if (entry)
-                ret = CertNameToStrW(pCertContext->dwCertEncodingType,
-                 &entry->u.DirectoryName, type, pszNameString, cchNameString);
-            if (info)
-                LocalFree(info);
+                ret = CertNameToStrW(cert->dwCertEncodingType, &entry->u.DirectoryName,
+                                     param, name_string, name_len);
        }
        break;
    }
    case CERT_NAME_ATTR_TYPE:
-        ret = cert_get_name_from_rdn_attr(pCertContext->dwCertEncodingType,
-         name, pvTypePara, pszNameString, cchNameString);
-        if (!ret)
-        {
-            CERT_ALT_NAME_INFO *altInfo;
-            PCERT_ALT_NAME_ENTRY entry = cert_find_alt_name_entry(pCertContext,
-             altNameOID, CERT_ALT_NAME_DIRECTORY_NAME, &altInfo);
+        ret = cert_get_name_from_rdn_attr(cert->dwCertEncodingType, name, type_para,
+                                          name_string, name_len);
+        if (ret) break;

-            if (entry)
-                ret = cert_name_to_str_with_indent(X509_ASN_ENCODING, 0,
-                 &entry->u.DirectoryName, 0, pszNameString, cchNameString);
-            if (altInfo)
-                LocalFree(altInfo);
-        }
+        entry = cert_find_alt_name_entry(cert, alt_name_issuer, CERT_ALT_NAME_DIRECTORY_NAME, &info);
+
+        if (entry)
+            ret = cert_name_to_str_with_indent(X509_ASN_ENCODING, 0, &entry->u.DirectoryName,
+                                               0, name_string, name_len);
        break;
    case CERT_NAME_SIMPLE_DISPLAY_TYPE:
    {
-        static const LPCSTR simpleAttributeOIDs[] = { szOID_COMMON_NAME,
-         szOID_ORGANIZATIONAL_UNIT_NAME, szOID_ORGANIZATION_NAME,
-         szOID_RSA_emailAddr };
+        static const LPCSTR simpleAttributeOIDs[] =
+        {
+            szOID_COMMON_NAME, szOID_ORGANIZATIONAL_UNIT_NAME, szOID_ORGANIZATION_NAME, szOID_RSA_emailAddr
+        };
        CERT_NAME_INFO *nameInfo = NULL;
        DWORD bytes = 0, i;

-        if (CryptDecodeObjectEx(pCertContext->dwCertEncodingType, X509_NAME,
-         name->pbData, name->cbData, CRYPT_DECODE_ALLOC_FLAG, NULL, &nameInfo,
-         &bytes))
+        if (CryptDecodeObjectEx(cert->dwCertEncodingType, X509_NAME, name->pbData, name->cbData,
+                                CRYPT_DECODE_ALLOC_FLAG, NULL, &nameInfo, &bytes))
        {
            PCERT_RDN_ATTR nameAttr = NULL;

            for (i = 0; !nameAttr && i < ARRAY_SIZE(simpleAttributeOIDs); i++)
                nameAttr = CertFindRDNAttr(simpleAttributeOIDs[i], nameInfo);
            if (nameAttr)
-                ret = rdn_value_to_strW(nameAttr->dwValueType,
-                 &nameAttr->Value, pszNameString, cchNameString, TRUE);
+                ret = rdn_value_to_strW(nameAttr->dwValueType, &nameAttr->Value, name_string, name_len, TRUE);
            LocalFree(nameInfo);
        }
-        if (!ret)
-        {
-            CERT_ALT_NAME_INFO *altInfo;
-            PCERT_ALT_NAME_ENTRY entry = cert_find_alt_name_entry(pCertContext,
-             altNameOID, CERT_ALT_NAME_RFC822_NAME, &altInfo);
-
-            if (altInfo)
-            {
-                if (!entry && altInfo->cAltEntry)
-                    entry = &altInfo->rgAltEntry[0];
-                if (entry) ret = copy_output_str(pszNameString, entry->u.pwszRfc822Name, cchNameString);
-                LocalFree(altInfo);
-            }
-        }
+        if (ret) break;
+        entry = cert_find_alt_name_entry(cert, alt_name_issuer, CERT_ALT_NAME_RFC822_NAME, &info);
+        if (!info) break;
+        if (!entry && info->cAltEntry)
+            entry = &info->rgAltEntry[0];
+        if (entry) ret = copy_output_str(name_string, entry->u.pwszRfc822Name, name_len);
        break;
    }
    case CERT_NAME_FRIENDLY_DISPLAY_TYPE:
    {
-        DWORD cch = cchNameString;
+        DWORD len = name_len;

-        if (CertGetCertificateContextProperty(pCertContext,
-         CERT_FRIENDLY_NAME_PROP_ID, pszNameString, &cch))
-            ret = cch;
+        if (CertGetCertificateContextProperty(cert, CERT_FRIENDLY_NAME_PROP_ID, name_string, &len))
+            ret = len;
        else
-            ret = CertGetNameStringW(pCertContext,
-             CERT_NAME_SIMPLE_DISPLAY_TYPE, dwFlags, pvTypePara, pszNameString,
-             cchNameString);
+            ret = CertGetNameStringW(cert, CERT_NAME_SIMPLE_DISPLAY_TYPE, flags,
+                                     type_para, name_string, name_len);
        break;
    }
    case CERT_NAME_DNS_TYPE:
    {
-        CERT_ALT_NAME_INFO *info;
-        PCERT_ALT_NAME_ENTRY entry = cert_find_alt_name_entry(pCertContext,
-         altNameOID, CERT_ALT_NAME_DNS_NAME, &info);
-
-        if (entry) ret = copy_output_str(pszNameString, entry->u.pwszDNSName, cchNameString);
+        entry = cert_find_alt_name_entry(cert, alt_name_issuer, CERT_ALT_NAME_DNS_NAME, &info);

-        if (info)
-            LocalFree(info);
-        if (!ret)
-            ret = cert_get_name_from_rdn_attr(pCertContext->dwCertEncodingType,
-             name, szOID_COMMON_NAME, pszNameString, cchNameString);
+        if (entry)
+        {
+            ret = copy_output_str(name_string, entry->u.pwszDNSName, name_len);
+            break;
+        }
+        ret = cert_get_name_from_rdn_attr(cert->dwCertEncodingType, name, szOID_COMMON_NAME,
+                                          name_string, name_len);
        break;
    }
    case CERT_NAME_URL_TYPE:
    {
-        CERT_ALT_NAME_INFO *info;
-        PCERT_ALT_NAME_ENTRY entry = cert_find_alt_name_entry(pCertContext,
-         altNameOID, CERT_ALT_NAME_URL, &info);
-
-        if (entry) ret = copy_output_str(pszNameString, entry->u.pwszURL, cchNameString);
-
-        if (info)
-            LocalFree(info);
+        if ((entry = cert_find_alt_name_entry(cert, alt_name_issuer, CERT_ALT_NAME_URL, &info)))
+            ret = copy_output_str(name_string, entry->u.pwszURL, name_len);
        break;
    }
    default:
-        FIXME("unimplemented for type %ld\n", dwType);
+        FIXME("unimplemented for type %lu.\n", type);
        ret = 0;
        break;
    }
 done:
+    if (info)
+        LocalFree(info);
+
    if (!ret)
    {
        ret = 1;
-        if (pszNameString && cchNameString) pszNameString[0] = 0;
+        if (name_string && name_len) name_string[0] = 0;
    }
    return ret;
 }
--- a/dlls/crypt32/tests/str.c
+++ b/dlls/crypt32/tests/str.c
@@ -113,6 +113,103 @@ static const BYTE cert[] =
 0x65,0xd3,0xce,0xae,0x26,0x19,0x3,0x2e,0x4f,0x78,0xa5,0xa,0x97,0x7e,0x4f,0xc4,
 0x91,0x8a,0xf8,0x5,0xef,0x5b,0x3b,0x49,0xbf,0x5f,0x2b};

+/*
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            5d:79:35:fd:d3:8f:6b:e2:28:3e:94:f4:14:bf:d4:b5:c2:3a:ac:38
+        Signature Algorithm: md5WithRSAEncryption
+        Issuer: C = US, ST = Minnesota, L = Minneapolis, O = CodeWeavers, CN = server_cn.org, emailAddress = test@codeweavers.com
+        Validity
+            Not Before: Apr 14 18:56:22 2022 GMT
+            Not After : Apr 11 18:56:22 2032 GMT
+        Subject: C = US, ST = Minnesota, L = Minneapolis, O = CodeWeavers, CN = server_cn.org, emailAddress = test@codeweavers.com
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                RSA Public-Key: (1024 bit)
+                Modulus:
+...
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Alternative Name:
+                DNS:ex1.org, DNS:*.ex2.org
+            X509v3 Issuer Alternative Name:
+                DNS:ex3.org, DNS:*.ex4.org
+    Signature Algorithm: md5WithRSAEncryption
+...
+*/
+static BYTE cert_v3[] = {
+    0x30, 0x82, 0x02, 0xdf, 0x30, 0x82, 0x02, 0x48, 0xa0, 0x03, 0x02, 0x01,
+    0x02, 0x02, 0x14, 0x5d, 0x79, 0x35, 0xfd, 0xd3, 0x8f, 0x6b, 0xe2, 0x28,
+    0x3e, 0x94, 0xf4, 0x14, 0xbf, 0xd4, 0xb5, 0xc2, 0x3a, 0xac, 0x38, 0x30,
+    0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x04,
+    0x05, 0x00, 0x30, 0x81, 0x8a, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55,
+    0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03,
+    0x55, 0x04, 0x08, 0x0c, 0x09, 0x4d, 0x69, 0x6e, 0x6e, 0x65, 0x73, 0x6f,
+    0x74, 0x61, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c,
+    0x0b, 0x4d, 0x69, 0x6e, 0x6e, 0x65, 0x61, 0x70, 0x6f, 0x6c, 0x69, 0x73,
+    0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b, 0x43,
+    0x6f, 0x64, 0x65, 0x57, 0x65, 0x61, 0x76, 0x65, 0x72, 0x73, 0x31, 0x16,
+    0x30, 0x14, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0d, 0x73, 0x65, 0x72,
+    0x76, 0x65, 0x72, 0x5f, 0x63, 0x6e, 0x2e, 0x6f, 0x72, 0x67, 0x31, 0x23,
+    0x30, 0x21, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09,
+    0x01, 0x16, 0x14, 0x74, 0x65, 0x73, 0x74, 0x40, 0x63, 0x6f, 0x64, 0x65,
+    0x77, 0x65, 0x61, 0x76, 0x65, 0x72, 0x73, 0x2e, 0x63, 0x6f, 0x6d, 0x30,
+    0x1e, 0x17, 0x0d, 0x32, 0x32, 0x30, 0x34, 0x31, 0x34, 0x31, 0x38, 0x35,
+    0x36, 0x32, 0x32, 0x5a, 0x17, 0x0d, 0x33, 0x32, 0x30, 0x34, 0x31, 0x31,
+    0x31, 0x38, 0x35, 0x36, 0x32, 0x32, 0x5a, 0x30, 0x81, 0x8a, 0x31, 0x0b,
+    0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31,
+    0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x09, 0x4d, 0x69,
+    0x6e, 0x6e, 0x65, 0x73, 0x6f, 0x74, 0x61, 0x31, 0x14, 0x30, 0x12, 0x06,
+    0x03, 0x55, 0x04, 0x07, 0x0c, 0x0b, 0x4d, 0x69, 0x6e, 0x6e, 0x65, 0x61,
+    0x70, 0x6f, 0x6c, 0x69, 0x73, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55,
+    0x04, 0x0a, 0x0c, 0x0b, 0x43, 0x6f, 0x64, 0x65, 0x57, 0x65, 0x61, 0x76,
+    0x65, 0x72, 0x73, 0x31, 0x16, 0x30, 0x14, 0x06, 0x03, 0x55, 0x04, 0x03,
+    0x0c, 0x0d, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x5f, 0x63, 0x6e, 0x2e,
+    0x6f, 0x72, 0x67, 0x31, 0x23, 0x30, 0x21, 0x06, 0x09, 0x2a, 0x86, 0x48,
+    0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x14, 0x74, 0x65, 0x73, 0x74,
+    0x40, 0x63, 0x6f, 0x64, 0x65, 0x77, 0x65, 0x61, 0x76, 0x65, 0x72, 0x73,
+    0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x81, 0x9f, 0x30, 0x0d, 0x06, 0x09, 0x2a,
+    0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x81,
+    0x8d, 0x00, 0x30, 0x81, 0x89, 0x02, 0x81, 0x81, 0x00, 0xcd, 0x7c, 0x05,
+    0xba, 0xad, 0xd0, 0xb0, 0x43, 0xcc, 0x47, 0x7d, 0x87, 0xaa, 0xb5, 0x89,
+    0x9f, 0x43, 0x94, 0xa0, 0x84, 0xc0, 0xc0, 0x5e, 0x05, 0x6d, 0x2f, 0x05,
+    0x21, 0x6b, 0x20, 0x39, 0x88, 0x06, 0x4e, 0xce, 0x76, 0xa7, 0x24, 0x77,
+    0x13, 0x71, 0x9b, 0x2a, 0x53, 0x04, 0x4f, 0x0f, 0xfc, 0x3f, 0x4f, 0xb1,
+    0x4e, 0xdc, 0xed, 0x96, 0xd4, 0x55, 0xbd, 0xcf, 0x25, 0xa6, 0x7c, 0xe3,
+    0x35, 0xbf, 0xeb, 0x30, 0xec, 0xef, 0x7f, 0x8e, 0xa1, 0xc6, 0xd3, 0xb2,
+    0x03, 0x62, 0x0a, 0x92, 0x87, 0x17, 0x52, 0x2d, 0x45, 0x2a, 0xdc, 0xdb,
+    0x87, 0xa5, 0x32, 0x4a, 0x78, 0x28, 0x4a, 0x51, 0xff, 0xdb, 0xd5, 0x20,
+    0x47, 0x7e, 0xc5, 0xbe, 0x1d, 0x01, 0x55, 0x13, 0x9f, 0xfb, 0x8e, 0x39,
+    0xd9, 0x1b, 0xe0, 0x34, 0x93, 0x43, 0x9c, 0x02, 0xa3, 0x0f, 0xb5, 0xdc,
+    0x9d, 0x86, 0x45, 0xc5, 0x4d, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x40,
+    0x30, 0x3e, 0x30, 0x1d, 0x06, 0x03,
+    0x55, 0x1d, 0x11, /* Subject Alternative Name OID */
+    0x04, 0x16, 0x30, 0x14, 0x82, 0x07, 0x65, 0x78, 0x31, 0x2e, 0x6f, 0x72,
+    0x67, 0x82, 0x09, 0x2a, 0x2e, 0x65, 0x78, 0x32, 0x2e, 0x6f, 0x72, 0x67,
+    0x30, 0x1d, 0x06, 0x03,
+    0x55, 0x1d, 0x12, /* Issuer Alternative Name OID */
+    0x04, 0x16, 0x30, 0x14, 0x82, 0x07, 0x65, 0x78, 0x33, 0x2e, 0x6f, 0x72,
+    0x67, 0x82, 0x09, 0x2a, 0x2e, 0x65, 0x78, 0x34, 0x2e, 0x6f, 0x72, 0x67,
+    0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01,
+    0x04, 0x05, 0x00, 0x03, 0x81, 0x81, 0x00, 0xcc, 0xa3, 0x75, 0x67, 0x61,
+    0x63, 0x1d, 0x99, 0x16, 0xc6, 0x93, 0x35, 0xa4, 0x31, 0xb6, 0x05, 0x05,
+    0x77, 0x12, 0x15, 0x16, 0x78, 0xb3, 0xba, 0x6e, 0xde, 0xfc, 0x73, 0x7c,
+    0x5c, 0xdd, 0xdf, 0x92, 0xde, 0xa0, 0x86, 0xff, 0x77, 0x60, 0x99, 0x8f,
+    0x4a, 0x40, 0xa8, 0x6a, 0xdb, 0x6f, 0x30, 0xe5, 0xce, 0x82, 0x2f, 0xf7,
+    0x09, 0x17, 0xb2, 0xd3, 0x3a, 0x29, 0x9a, 0xd0, 0x73, 0x9c, 0x44, 0xa2,
+    0x19, 0xf3, 0x1d, 0x16, 0x1a, 0x45, 0x2c, 0x4b, 0x94, 0xf1, 0xb8, 0xb6,
+    0xc9, 0x82, 0x6c, 0x1f, 0xae, 0xbc, 0xd1, 0xbe, 0x78, 0xc9, 0x23, 0xf5,
+    0x51, 0x6c, 0x90, 0xbf, 0xa3, 0x5c, 0xa1, 0x3a, 0xd8, 0xe3, 0xcf, 0x82,
+    0x31, 0x78, 0x2b, 0xda, 0x99, 0xff, 0x23, 0x5b, 0xea, 0x59, 0xe0, 0x6d,
+    0xd1, 0x30, 0xfd, 0x96, 0x6a, 0x4d, 0x36, 0x72, 0x96, 0xd7, 0x4f, 0x01,
+    0xa9, 0x4d, 0x8f
+};
+
+#define CERT_V3_SAN_OID_OFFSET 534
+#define CERT_V3_IAN_OID_OFFSET 565
+
 static char issuerStr[] =
 "US, Minnesota, Minneapolis, CodeWeavers, Wine Development, localhost, aric@codeweavers.com";
 static char issuerStrSemicolon[] =
@@ -746,9 +843,9 @@ static void test_CertStrToNameW(void)
    }
 }

-#define test_CertGetNameString_value(a, b, c, d) test_CertGetNameString_value_(__LINE__, a, b, c, d)
-static void test_CertGetNameString_value_(unsigned int line, PCCERT_CONTEXT context, DWORD type, void *type_para,
-        const char *expected)
+#define test_CertGetNameString_value(a, b, c, d, e) test_CertGetNameString_value_(__LINE__, a, b, c, d, e)
+static void test_CertGetNameString_value_(unsigned int line, PCCERT_CONTEXT context, DWORD type, DWORD flags,
+        void *type_para, const char *expected)
 {
    WCHAR expectedW[512];
    DWORD len, retlen;
@@ -760,31 +857,32 @@ static void test_CertGetNameString_value_(unsigned int line, PCCERT_CONTEXT cont
        expectedW[i] = expected[i];
    expectedW[i] = 0;

-    len = CertGetNameStringA(context, type, 0, type_para, NULL, 0);
+    len = CertGetNameStringA(context, type, flags, type_para, NULL, 0);
    ok(len == strlen(expected) + 1, "line %u: unexpected length %ld.\n", line, len);
-    retlen = CertGetNameStringA(context, type, 0, type_para, str, len);
+    retlen = CertGetNameStringA(context, type, flags, type_para, str, len);
    ok(retlen == len, "line %u: unexpected len %lu, expected %lu.\n", line, retlen, len);
    ok(!strcmp(str, expected), "line %u: unexpected value %s.\n", line, str);
    str[0] = str[1] = 0xcc;
-    retlen = CertGetNameStringA(context, type, 0, type_para, str, len - 1);
+    retlen = CertGetNameStringA(context, type, flags, type_para, str, len - 1);
    ok(retlen == 1, "line %u: Unexpected len %lu, expected 1.\n", line, retlen);
+    if (len == 1) return;
    ok(!str[0], "line %u: unexpected str[0] %#x.\n", line, str[0]);
    ok(str[1] == expected[1], "line %u: unexpected str[1] %#x.\n", line, str[1]);

-    retlen = CertGetNameStringA(context, type, 0, type_para, str, 0);
+    retlen = CertGetNameStringA(context, type, flags, type_para, str, 0);
    ok(retlen == len, "line %u: Unexpected len %lu, expected 1.\n", line, retlen);

-    retlen = CertGetNameStringW(context, type, 0, type_para, strW, len);
+    retlen = CertGetNameStringW(context, type, flags, type_para, strW, len);
    ok(retlen == len, "line %u: unexpected len %lu, expected 1.\n", line, retlen);
    ok(!wcscmp(strW, expectedW), "line %u: unexpected value %s.\n", line, debugstr_w(strW));
    strW[0] = strW[1] = 0xcccc;
-    retlen = CertGetNameStringW(context, type, 0, type_para, strW, len - 1);
+    retlen = CertGetNameStringW(context, type, flags, type_para, strW, len - 1);
    ok(retlen == len - 1, "line %u: unexpected len %lu, expected %lu.\n", line, retlen, len - 1);
    ok(!wcsncmp(strW, expectedW, retlen - 1), "line %u: string data mismatch.\n", line);
    ok(!strW[retlen - 1], "line %u: string is not zero terminated.\n", line);
-    retlen = CertGetNameStringA(context, type, 0, type_para, NULL, len - 1);
+    retlen = CertGetNameStringA(context, type, flags, type_para, NULL, len - 1);
    ok(retlen == len, "line %u: unexpected len %lu, expected %lu\n", line, retlen, len);
-    retlen = CertGetNameStringW(context, type, 0, type_para, NULL, len - 1);
+    retlen = CertGetNameStringW(context, type, flags, type_para, NULL, len - 1);
    ok(retlen == len, "line %u: unexpected len %lu, expected %lu\n", line, retlen, len);
 }

@@ -814,19 +912,39 @@ static void test_CertGetNameString(void)
    len = CertGetNameStringW(context, CERT_NAME_URL_TYPE, 0, NULL, NULL, 0);
    ok(len == 1, "expected 1, got %lu\n", len);

-    test_CertGetNameString_value(context, CERT_NAME_EMAIL_TYPE, NULL, aric);
-    test_CertGetNameString_value(context, CERT_NAME_RDN_TYPE, NULL, issuerStr);
+    test_CertGetNameString_value(context, CERT_NAME_EMAIL_TYPE, 0, NULL, aric);
+    test_CertGetNameString_value(context, CERT_NAME_RDN_TYPE, 0, NULL, issuerStr);
    type = 0;
-    test_CertGetNameString_value(context, CERT_NAME_RDN_TYPE, &type, issuerStr);
+    test_CertGetNameString_value(context, CERT_NAME_RDN_TYPE, 0, &type, issuerStr);
    type = CERT_OID_NAME_STR;
-    test_CertGetNameString_value(context, CERT_NAME_RDN_TYPE, &type, subjectStr);
-    test_CertGetNameString_value(context, CERT_NAME_ATTR_TYPE, NULL, aric);
-    test_CertGetNameString_value(context, CERT_NAME_ATTR_TYPE, (void *)szOID_RSA_emailAddr, aric);
-    test_CertGetNameString_value(context, CERT_NAME_ATTR_TYPE, (void *)szOID_COMMON_NAME, localhost);
-    test_CertGetNameString_value(context, CERT_NAME_SIMPLE_DISPLAY_TYPE, NULL, localhost);
-    test_CertGetNameString_value(context, CERT_NAME_FRIENDLY_DISPLAY_TYPE, NULL, localhost);
-    test_CertGetNameString_value(context, CERT_NAME_DNS_TYPE, NULL, localhost);
+    test_CertGetNameString_value(context, CERT_NAME_RDN_TYPE, 0, &type, subjectStr);
+    test_CertGetNameString_value(context, CERT_NAME_ATTR_TYPE, 0, NULL, aric);
+    test_CertGetNameString_value(context, CERT_NAME_ATTR_TYPE, 0, (void *)szOID_RSA_emailAddr, aric);
+    test_CertGetNameString_value(context, CERT_NAME_ATTR_TYPE, 0, (void *)szOID_COMMON_NAME, localhost);
+    test_CertGetNameString_value(context, CERT_NAME_SIMPLE_DISPLAY_TYPE, 0, NULL, localhost);
+    test_CertGetNameString_value(context, CERT_NAME_FRIENDLY_DISPLAY_TYPE, 0, NULL, localhost);
+    test_CertGetNameString_value(context, CERT_NAME_DNS_TYPE, 0, NULL, localhost);
+
+    CertFreeCertificateContext(context);

+    ok(cert_v3[CERT_V3_SAN_OID_OFFSET] == 0x55, "Incorrect CERT_V3_SAN_OID_OFFSET.\n");
+    ok(cert_v3[CERT_V3_IAN_OID_OFFSET] == 0x55, "Incorrect CERT_V3_IAN_OID_OFFSET.\n");
+    cert_v3[CERT_V3_SAN_OID_OFFSET + 2] = 7; /* legacy OID_SUBJECT_ALT_NAME */
+    cert_v3[CERT_V3_IAN_OID_OFFSET + 2] = 8; /* legacy OID_ISSUER_ALT_NAME */
+    context = CertCreateCertificateContext(X509_ASN_ENCODING, cert_v3, sizeof(cert_v3));
+    ok(!!context, "CertCreateCertificateContext failed, err %lu\n", GetLastError());
+    test_CertGetNameString_value(context, CERT_NAME_DNS_TYPE, 0, NULL, "ex1.org");
+    test_CertGetNameString_value(context, CERT_NAME_DNS_TYPE, CERT_NAME_ISSUER_FLAG, NULL, "ex3.org");
+    CertFreeCertificateContext(context);
+
+    cert_v3[CERT_V3_SAN_OID_OFFSET + 2] = 17; /* OID_SUBJECT_ALT_NAME2 */
+    cert_v3[CERT_V3_IAN_OID_OFFSET + 2] = 18; /* OID_ISSUER_ALT_NAME2 */
+    context = CertCreateCertificateContext(X509_ASN_ENCODING, cert_v3, sizeof(cert_v3));
+    ok(!!context, "CertCreateCertificateContext failed, err %lu\n", GetLastError());
+    test_CertGetNameString_value(context, CERT_NAME_DNS_TYPE, 0, NULL, "ex1.org");
+    test_CertGetNameString_value(context, CERT_NAME_DNS_TYPE, CERT_NAME_ISSUER_FLAG, NULL, "ex3.org");
+    test_CertGetNameString_value(context, CERT_NAME_SIMPLE_DISPLAY_TYPE, 0, NULL, "server_cn.org");
+    test_CertGetNameString_value(context, CERT_NAME_ATTR_TYPE, 0, (void *)szOID_SUR_NAME, "");
    CertFreeCertificateContext(context);
 }