Schannel: Fix import of PKCS12/PFX files with CSP bag attribute

Use the PKCS12_ALWAYS_CNG_KSP flag instead of PKCS12_PREFER_CNG_KSP when importing a PKCS12/PFX file to make sure the private keys are stored in the Key Storage Provider, so that the CERT_NCRYPT_KEY_HANDLE_PROP_ID property is set on the associated certificate and the subsequent query for it succeeds. Background: If the PFX file contains a Crypto Service Provider (CSP) bag attribute and PFXImportCertStore is called with the PKCS12_PREFER_CNG_KSP flag, then the private keys are stored in the CSP that is referenced in the bag attribute and the key is only accessible through the deprecated API. Change-Id: If2ad2fa6a7b20f02e40fc49c98e3a72b68d832f2 Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
2025-04-23 06:00:31 +02:00 · 2025-04-23 06:00:31 +02:00 · e016730b93
commit e016730b93
parent a27bc0a70d
1 changed files with 1 additions and 1 deletions
--- a/src/plugins/tls/schannel/qx509_schannel.cpp
+++ b/src/plugins/tls/schannel/qx509_schannel.cpp
@ -68,7 +68,7 @@ bool X509CertificateSchannel::importPkcs12(QIODevice *device, QSslKey *key, QSsl

    const auto password = QString::fromUtf8(passPhrase);

-    const DWORD flags = (CRYPT_EXPORTABLE | PKCS12_NO_PERSIST_KEY | PKCS12_PREFER_CNG_KSP);
+    const DWORD flags = (CRYPT_EXPORTABLE | PKCS12_NO_PERSIST_KEY | PKCS12_ALWAYS_CNG_KSP);

    auto certStore = QHCertStorePointer(PFXImportCertStore(&dataBlob,
                                                           reinterpret_cast<LPCWSTR>(password.utf16()),