Schannel: Fix import of PKCS12/PFX files with CSP bag attribute

Use the PKCS12_ALWAYS_CNG_KSP flag instead of PKCS12_PREFER_CNG_KSP
when importing a PKCS12/PFX file to make sure the private keys are
stored in the Key Storage Provider, so that the
CERT_NCRYPT_KEY_HANDLE_PROP_ID property is set on the associated
certificate and the subsequent query for it succeeds.

Background: If the PFX file contains a Crypto Service Provider (CSP)
bag attribute and PFXImportCertStore is called with the
PKCS12_PREFER_CNG_KSP flag, then the private keys are stored in the
CSP that is referenced in the bag attribute and the key is only
accessible through the deprecated API.

Change-Id: If2ad2fa6a7b20f02e40fc49c98e3a72b68d832f2
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
Tobias Koenig 2025-04-23 06:00:31 +02:00
parent a27bc0a70d
commit e016730b93


@ -68,7 +68,7 @@ bool X509CertificateSchannel::importPkcs12(QIODevice *device, QSslKey *key, QSsl
const auto password = QString::fromUtf8(passPhrase);
const DWORD flags = (CRYPT_EXPORTABLE | PKCS12_NO_PERSIST_KEY | PKCS12_PREFER_CNG_KSP);
const DWORD flags = (CRYPT_EXPORTABLE | PKCS12_NO_PERSIST_KEY | PKCS12_ALWAYS_CNG_KSP);
auto certStore = QHCertStorePointer(PFXImportCertStore(&dataBlob,
reinterpret_cast<LPCWSTR>(password.utf16()),
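Review bot: the switch from PKCS12_PREFER_CNG_KSP to PKCS12_ALWAYS_CNG_KSP in the `flags` line is a one-token change with no in-code explanation, so a future reader (or a refactor that "relaxes" the flag back to PREFER) would not see why ALWAYS is required here; consider adding a short comment above `const DWORD flags = ...` capturing the reasoning from the commit message, e.g. `// PKCS12_ALWAYS_CNG_KSP: a PFX with a CSP bag attribute would otherwise land in the legacy CSP and CERT_NCRYPT_KEY_HANDLE_PROP_ID would not be set`, so the dependency between this flag and the later property query stays visible next to the code that relies on it.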