Miklos Vajna
2017-12-28 22:14:54 UTC
Hi,
I'm experimenting with running the equivalent of 'make check' for an
MSVC build with the mscrypto backend, as part of this I ran into this
issue. E.g.
make check-crypto-mscrypto XMLSEC_TEST_NAME="enveloping-sha256-rsa-sha256-relationship"
fails for the signing part with this:
func=xmlSecMSCryptoKeyDataAdoptCert:file=..\src\mscrypto\certkeys.c:line=449:obj=unknown:subj=CryptAcquireCertificatePrivateKey:error=4:crypto library function failed:MSCrypto error: -2146885621: 0x8009200b: Cannot find the certificate and private key for decryption.
func=xmlSecMSCryptoCertAdopt:file=..\src\mscrypto\certkeys.c:line=912:obj=unknown:subj=xmlSecMSCryptoPCCDataAdoptPCC:error=1:xmlsec library function failed:
func=xmlSecMSCryptoAppPkcs12LoadMemory:file=..\src\mscrypto\app.c:line=545:obj=x509:subj=xmlSecMSCryptoCertAdopt:error=1:xmlsec library function failed:
func=xmlSecMSCryptoAppPkcs12Load:file=..\src\mscrypto\app.c:line=451:obj=unknown:subj=xmlSecMSCryptoAppPkcs12LoadMemory:error=1:xmlsec library function failed:
func=xmlSecMSCryptoAppKeyLoad:file=..\src\mscrypto\app.c:line=146:obj=unknown:subj=xmlSecMSCryptoAppPkcs12Load:error=1:xmlsec library function failed:
I've bisected the .p12 loading failure and that lead me to
c098aed450a8ae272efad1fdeaa2450b67a2f46f. So it seems the problem is
that either the private key is persisted, or by the time
CryptAcquireCertificatePrivateKey() would read the private key, it would
read it from the .p12 file again, but at that point it no longer
remembers the provided password.
Now my question: my understanding is that .p12 files are always
password-protected, so this sounds like currently loading .p12 files
with the mscrypto backend in the app just doesn't work. If so, I wonder
if there is a way to have some 3rd version that allows persistence, but
only till the app runs, not after it (so there would be no leftover
files, nor the failure with CryptAcquireCertificatePrivateKey().
I've tried two things:
- CryptAcquireContext() has a CRYPT_DELETEKEYSET flag which may be
useful here, but I don't know how to get the container/provider of the
HCERTSTORE to use it for the private key loaded from the .p12 file (if
this goal has any meaning :-) )
- CertDeleteCertificateFromStore() sounded promising, I tried calling
that at the end of while() loop in
xmlSecMSCryptoAppPkcs12LoadMemory(), but that did not eliminate the
problematic temp files in the mentioned folder in the
https://bugzilla.gnome.org/show_bug.cgi?id=633924 bugreport.
Considering all the above: I wonder if there is a way to handle this
situation (loading private key/cert from .p12 files for test purposes
without creating temp files) properly, or should we just say that the
current situation is broken enough that just going back to not using
PKCS12_NO_PERSIST_KEY is already an improvement?
Thanks,
Miklos
I'm experimenting with running the equivalent of 'make check' for an
MSVC build with the mscrypto backend, as part of this I ran into this
issue. E.g.
make check-crypto-mscrypto XMLSEC_TEST_NAME="enveloping-sha256-rsa-sha256-relationship"
fails for the signing part with this:
func=xmlSecMSCryptoKeyDataAdoptCert:file=..\src\mscrypto\certkeys.c:line=449:obj=unknown:subj=CryptAcquireCertificatePrivateKey:error=4:crypto library function failed:MSCrypto error: -2146885621: 0x8009200b: Cannot find the certificate and private key for decryption.
func=xmlSecMSCryptoCertAdopt:file=..\src\mscrypto\certkeys.c:line=912:obj=unknown:subj=xmlSecMSCryptoPCCDataAdoptPCC:error=1:xmlsec library function failed:
func=xmlSecMSCryptoAppPkcs12LoadMemory:file=..\src\mscrypto\app.c:line=545:obj=x509:subj=xmlSecMSCryptoCertAdopt:error=1:xmlsec library function failed:
func=xmlSecMSCryptoAppPkcs12Load:file=..\src\mscrypto\app.c:line=451:obj=unknown:subj=xmlSecMSCryptoAppPkcs12LoadMemory:error=1:xmlsec library function failed:
func=xmlSecMSCryptoAppKeyLoad:file=..\src\mscrypto\app.c:line=146:obj=unknown:subj=xmlSecMSCryptoAppPkcs12Load:error=1:xmlsec library function failed:
I've bisected the .p12 loading failure and that lead me to
c098aed450a8ae272efad1fdeaa2450b67a2f46f. So it seems the problem is
that either the private key is persisted, or by the time
CryptAcquireCertificatePrivateKey() would read the private key, it would
read it from the .p12 file again, but at that point it no longer
remembers the provided password.
Now my question: my understanding is that .p12 files are always
password-protected, so this sounds like currently loading .p12 files
with the mscrypto backend in the app just doesn't work. If so, I wonder
if there is a way to have some 3rd version that allows persistence, but
only till the app runs, not after it (so there would be no leftover
files, nor the failure with CryptAcquireCertificatePrivateKey().
I've tried two things:
- CryptAcquireContext() has a CRYPT_DELETEKEYSET flag which may be
useful here, but I don't know how to get the container/provider of the
HCERTSTORE to use it for the private key loaded from the .p12 file (if
this goal has any meaning :-) )
- CertDeleteCertificateFromStore() sounded promising, I tried calling
that at the end of while() loop in
xmlSecMSCryptoAppPkcs12LoadMemory(), but that did not eliminate the
problematic temp files in the mentioned folder in the
https://bugzilla.gnome.org/show_bug.cgi?id=633924 bugreport.
Considering all the above: I wonder if there is a way to handle this
situation (loading private key/cert from .p12 files for test purposes
without creating temp files) properly, or should we just say that the
current situation is broken enough that just going back to not using
PKCS12_NO_PERSIST_KEY is already an improvement?
Thanks,
Miklos