CAPI engine working with machine keystore: missing flag in CryptAcquireContext in capi_get_key()

Tue, 24 Jul 2012 04:40:38 -0700 

Hi,

I am working with the CAPI engine and the machine keystore where I do
have keys and certificates.
To find my key, the engine will execute `capi_open_store()` which works
just fine and pays respect to the store_flags set.
I set these flags with `ENGINE_ctrl(e, ENGINE_CMD_BASE + 13, 1, NULL,
NULL)` which works just fine.
It does find the container and everything but upon calling
`capi_get_key()` it will run until `CryptAcquireContextA(&key->hprov,
contname, provname, ptype, 0)`.

The problem here lies within the last parameter as it is set to `0`.
According to
http://msdn.microsoft.com/en-us/library/windows/desktop/aa379886%28v=vs.85%29.aspx
the last parameter are `dwFlags [in]` where CRYPT_MACHINE_KEYSET is one
possible flag.
This flag is required if you want to access a container that uses the
machine keyset, which for example the tool `certreq` does if ordered so.
Accessing a key created in this way is not possible with the CAPI engine
as of now.

So my suggestion is either to enable setting more complex flags or
making a simple check (see attached diff for simple solution).


This will now check whether the machine store was chosen and will set
the dwFlag accordingly. I am not that familiar with the CryptoAPI to say
this would be the only modification need.
Maybe there even is a reason why it is not implemented yet and I am
overlooking it.


My problem occured when executing certreq while specifying the
`MachineKeySet=TRUE` option.

Anyone involved with the developement might be able to react to this.

Regards,
Florian

diff --git a/master:engines/e_capi.c b/capi_machinekeyset:engines/e_capi.c
index bfedde0..c1085b5 100644
--- a/master:engines/e_capi.c
+++ b/capi_machinekeyset:engines/e_capi.c
@@ -1432,10 +1432,13 @@ static PCCERT_CONTEXT capi_find_cert(CAPI_CTX *ctx, 
const char *id, HCERTSTORE h
 static CAPI_KEY *capi_get_key(CAPI_CTX *ctx, const char *contname, char 
*provname, DWORD ptype, DWORD keyspec)
        {
        CAPI_KEY *key;
+    DWORD dwFlags = 0; 
        key = OPENSSL_malloc(sizeof(CAPI_KEY));
        CAPI_trace(ctx, "capi_get_key, contname=%s, provname=%s, type=%d\n", 
                                                contname, provname, ptype);
-       if (!CryptAcquireContextA(&key->hprov, contname, provname, ptype, 0))
+    if(ctx->store_flags & CERT_SYSTEM_STORE_LOCAL_MACHINE)
+        dwFlags = CRYPT_MACHINE_KEYSET;
+    if (!CryptAcquireContextA(&key->hprov, contname, provname, ptype, 
dwFlags)) 
                {
                CAPIerr(CAPI_F_CAPI_GET_KEY, CAPI_R_CRYPTACQUIRECONTEXT_ERROR);
                capi_addlasterror();

Reply via email to