Re: [WiX-users] Certificate install to local machine fails withcode 26352
Wow, nice analysis. Is there a bug open on this issue right now? If not, can you open one and I'll try to get this change in Thursday night for Friday's build. -Original Message- From: Chris Bardon [mailto:[EMAIL PROTECTED] Sent: Tuesday, October 21, 2008 07:47 To: General discussion for Windows Installer XML toolset. Subject: Re: [WiX-users] Certificate install to local machine fails withcode 26352 OK, I think I understand what's going on here. The reason a certificate looked like it was duplicated was that the same cert existed in multiple physical stores, which appeared as the same logical store in the mmc. If the certificate the installer was trying to add already existed in the Group Policy store, then the install would fail, since the user would not have permission to delete from that store (although they can through the MMC). If the cert exists in any other combination of stores, it seems to work. Here's the steps to reproduce -Generate a CA cert -Open mmc, and add the certificates snapin for the local computer -Right click the Certificates (Local Computer) node, and select View->options -Leave the view mode as Logical stores, and check off the Show Physical certificate stores option -Click OK -Expand the Group policy node, right click on the Certificates folder, and select All Tasks->Import -Import your certificate into the store -Create an installer that installs the certificate into the local machine store using the IIS extension (e.g. ) -Run the installer If you do this, the installer will fail with the error code 26352. If you remove the cert from the group policy store manually, the installer will run. To fix this, you should just be able to change the calls in the IIS extension source (scacertexec.cpp and scacert.cpp) to CertAddCertificateContextToStore. Instead of using CERT_STORE_ADD_REPLACE_EXISTING, you can use CERT_STORE_ADD_USE_EXISTING. This updates the current cert instead of duplicating it, and the test case detailed above should pass. You will notice that the certificate will be listed in both the registry and group policy physical stores, but I don't think there's anything we can do about that. I haven't tried actually rebuilding the WiX source with this change (since I don't have a build environment set up for it yet), but that's the next step. Anyone have any thoughts on this change? -Original Message- From: Chris Bardon [mailto:[EMAIL PROTECTED] Sent: Monday, October 20, 2008 1:53 PM To: General discussion for Windows Installer XML toolset. Subject: Re: [WiX-users] Certificate install to local machine fails withcode 26352 I've dug a little deeper into this, written some test code to try to debug the problem, and I've found something interesting. The CertAddCertificateContextToStore function is failing with Access Denied when trying to add the cert with CERT_STORE_ADD_REPLACE_EXISTING, which is failing the installer. This only appears to fail if there are two copies of the same certificate in the store with the same serial number, which may or may not be left there from the installer as well (that's problem #2-problem #1 is not failing the installer in the first place). I tried manually checking the store for duplicates and deleting them before installing (with CertDeleteCertificateFromStore), but this returned Access denied as well. When I tried changing the parameter on the add function to use CERT_STORE_ADD_USE_EXISTING though, it worked without returning an error. It looks like the difference is that replace existing tries to do a delete first, while the use existing version updates the existing cert. The first question is, why is the delete failing? I have admin rights on the machine, and if there are 0 or 1 copies of the cert in the store, the operation works fine. The second question is, why should the certificate be duplicated in the first place? I tried writing code that used CERT_STORE_ADD_ALWAYS, but it still only left me with one copy of the certificate. Is it possible that a call to add a certificate with replacement is adding a new certificate without deleting the old one? Any experts in the crypto API here? If not, does anyone have any thoughts on where else I could look for answers? -Original Message- From: Chris Bardon [mailto:[EMAIL PROTECTED] Sent: Tuesday, October 14, 2008 2:51 PM To: General discussion for Windows Installer XML toolset. Subject: Re: [WiX-users] Certificate install to local machinefailswith code 26352 That's the impression I get from the documentation as well. Looks like I'll have to have a closer look at that method. I'll let you guys know if I find anything-it seems to be a tricky bug to reproduce. Somehow you have to get the same cert in the store twice. -Original Message- From: Rob Mensching [mailto:[EMAIL PROTECTED] Sent: Thursday, October 09, 2008 4:59 PM To: General discussion for Win
Re: [WiX-users] Certificate install to local machine fails withcode 26352
OK, I think I understand what's going on here. The reason a certificate looked like it was duplicated was that the same cert existed in multiple physical stores, which appeared as the same logical store in the mmc. If the certificate the installer was trying to add already existed in the Group Policy store, then the install would fail, since the user would not have permission to delete from that store (although they can through the MMC). If the cert exists in any other combination of stores, it seems to work. Here's the steps to reproduce -Generate a CA cert -Open mmc, and add the certificates snapin for the local computer -Right click the Certificates (Local Computer) node, and select View->options -Leave the view mode as Logical stores, and check off the Show Physical certificate stores option -Click OK -Expand the Group policy node, right click on the Certificates folder, and select All Tasks->Import -Import your certificate into the store -Create an installer that installs the certificate into the local machine store using the IIS extension (e.g. ) -Run the installer If you do this, the installer will fail with the error code 26352. If you remove the cert from the group policy store manually, the installer will run. To fix this, you should just be able to change the calls in the IIS extension source (scacertexec.cpp and scacert.cpp) to CertAddCertificateContextToStore. Instead of using CERT_STORE_ADD_REPLACE_EXISTING, you can use CERT_STORE_ADD_USE_EXISTING. This updates the current cert instead of duplicating it, and the test case detailed above should pass. You will notice that the certificate will be listed in both the registry and group policy physical stores, but I don't think there's anything we can do about that. I haven't tried actually rebuilding the WiX source with this change (since I don't have a build environment set up for it yet), but that's the next step. Anyone have any thoughts on this change? -Original Message- From: Chris Bardon [mailto:[EMAIL PROTECTED] Sent: Monday, October 20, 2008 1:53 PM To: General discussion for Windows Installer XML toolset. Subject: Re: [WiX-users] Certificate install to local machine fails withcode 26352 I've dug a little deeper into this, written some test code to try to debug the problem, and I've found something interesting. The CertAddCertificateContextToStore function is failing with Access Denied when trying to add the cert with CERT_STORE_ADD_REPLACE_EXISTING, which is failing the installer. This only appears to fail if there are two copies of the same certificate in the store with the same serial number, which may or may not be left there from the installer as well (that's problem #2-problem #1 is not failing the installer in the first place). I tried manually checking the store for duplicates and deleting them before installing (with CertDeleteCertificateFromStore), but this returned Access denied as well. When I tried changing the parameter on the add function to use CERT_STORE_ADD_USE_EXISTING though, it worked without returning an error. It looks like the difference is that replace existing tries to do a delete first, while the use existing version updates the existing cert. The first question is, why is the delete failing? I have admin rights on the machine, and if there are 0 or 1 copies of the cert in the store, the operation works fine. The second question is, why should the certificate be duplicated in the first place? I tried writing code that used CERT_STORE_ADD_ALWAYS, but it still only left me with one copy of the certificate. Is it possible that a call to add a certificate with replacement is adding a new certificate without deleting the old one? Any experts in the crypto API here? If not, does anyone have any thoughts on where else I could look for answers? -Original Message- From: Chris Bardon [mailto:[EMAIL PROTECTED] Sent: Tuesday, October 14, 2008 2:51 PM To: General discussion for Windows Installer XML toolset. Subject: Re: [WiX-users] Certificate install to local machinefailswith code 26352 That's the impression I get from the documentation as well. Looks like I'll have to have a closer look at that method. I'll let you guys know if I find anything-it seems to be a tricky bug to reproduce. Somehow you have to get the same cert in the store twice. -Original Message- From: Rob Mensching [mailto:[EMAIL PROTECTED] Sent: Thursday, October 09, 2008 4:59 PM To: General discussion for Windows Installer XML toolset. Subject: Re: [WiX-users] Certificate install to local machine failswith code 26352 This is the code that is failing: if (!::CertAddCertificateContextToStore(hStore, pCertContext, CERT_STORE_ADD_REPLACE_EXISTING, NULL)) { MessageExitOnLastError(hr, msierrCERTFailedAdd, "Failed to add certificate to the store."); } Seems like it *should* replace the certi