Yeah, I remember this issue. I don't have a good solution. For tests we can just delete the loaded keys at the end of the test but I am not sure it is a good idea for real apps.
Aleksey On 12/28/17 2:14 PM, Miklos Vajna wrote: > Hi, > > I'm experimenting with running the equivalent of 'make check' for an > MSVC build with the mscrypto backend, as part of this I ran into this > issue. E.g. > > make check-crypto-mscrypto > XMLSEC_TEST_NAME="enveloping-sha256-rsa-sha256-relationship" > > fails for the signing part with this: > > func=xmlSecMSCryptoKeyDataAdoptCert:file=..\src\mscrypto\certkeys.c:line=449:obj=unknown:subj=CryptAcquireCertificatePrivateKey:error=4:crypto > library function failed:MSCrypto error: -2146885621: 0x8009200b: Cannot find > the certificate and private key for decryption. > func=xmlSecMSCryptoCertAdopt:file=..\src\mscrypto\certkeys.c:line=912:obj=unknown:subj=xmlSecMSCryptoPCCDataAdoptPCC:error=1:xmlsec > library function failed: > func=xmlSecMSCryptoAppPkcs12LoadMemory:file=..\src\mscrypto\app.c:line=545:obj=x509:subj=xmlSecMSCryptoCertAdopt:error=1:xmlsec > library function failed: > func=xmlSecMSCryptoAppPkcs12Load:file=..\src\mscrypto\app.c:line=451:obj=unknown:subj=xmlSecMSCryptoAppPkcs12LoadMemory:error=1:xmlsec > library function failed: > func=xmlSecMSCryptoAppKeyLoad:file=..\src\mscrypto\app.c:line=146:obj=unknown:subj=xmlSecMSCryptoAppPkcs12Load:error=1:xmlsec > library function failed: > > I've bisected the .p12 loading failure and that lead me to > c098aed450a8ae272efad1fdeaa2450b67a2f46f. So it seems the problem is > that either the private key is persisted, or by the time > CryptAcquireCertificatePrivateKey() would read the private key, it would > read it from the .p12 file again, but at that point it no longer > remembers the provided password. > > Now my question: my understanding is that .p12 files are always > password-protected, so this sounds like currently loading .p12 files > with the mscrypto backend in the app just doesn't work. If so, I wonder > if there is a way to have some 3rd version that allows persistence, but > only till the app runs, not after it (so there would be no leftover > files, nor the failure with CryptAcquireCertificatePrivateKey(). > > I've tried two things: > > - CryptAcquireContext() has a CRYPT_DELETEKEYSET flag which may be > useful here, but I don't know how to get the container/provider of the > HCERTSTORE to use it for the private key loaded from the .p12 file (if > this goal has any meaning :-) ) > - CertDeleteCertificateFromStore() sounded promising, I tried calling > that at the end of while() loop in > xmlSecMSCryptoAppPkcs12LoadMemory(), but that did not eliminate the > problematic temp files in the mentioned folder in the > https://bugzilla.gnome.org/show_bug.cgi?id=633924 bugreport. > > Considering all the above: I wonder if there is a way to handle this > situation (loading private key/cert from .p12 files for test purposes > without creating temp files) properly, or should we just say that the > current situation is broken enough that just going back to not using > PKCS12_NO_PERSIST_KEY is already an improvement? > > Thanks, > > Miklos > _______________________________________________ > xmlsec mailing list > xmlsec@aleksey.com > http://www.aleksey.com/mailman/listinfo/xmlsec > _______________________________________________ xmlsec mailing list xmlsec@aleksey.com http://www.aleksey.com/mailman/listinfo/xmlsec