Schannel: Fix import of PKCS12/PFX files with CSP bag attribute

Use the PKCS12_ALWAYS_CNG_KSP flag instead of PKCS12_PREFER_CNG_KSP when importing a PKCS12/PFX file to make sure the private keys are stored in the Key Storage Provider, so that the CERT_NCRYPT_KEY_HANDLE_PROP_ID property is set on the associated certificate and the subsequent query for it succeeds.

Background: If the PFX file contains a Crypto Service Provider (CSP) bag attribute and PFXImportCertStore is called with the PKCS12_PREFER_CNG_KSP flag, then the private keys are stored in the CSP that is referenced in the bag attribute and the key is only accessible through the deprecated API.

Change-Id: If2ad2fa6a7b20f02e40fc49c98e3a72b68d832f2
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>

parent a27bc0a70d
commit e016730b93

@ -68,7 +68,7 @@ bool X509CertificateSchannel::importPkcs12(QIODevice *device, QSslKey *key, QSsl
const auto password = QString::fromUtf8(passPhrase);
const DWORD flags = (CRYPT_EXPORTABLE | PKCS12_NO_PERSIST_KEY | PKCS12_PREFER_CNG_KSP);
const DWORD flags = (CRYPT_EXPORTABLE | PKCS12_NO_PERSIST_KEY | PKCS12_ALWAYS_CNG_KSP);
auto certStore = QHCertStorePointer(PFXImportCertStore(&dataBlob,
reinterpret_cast<LPCWSTR>(password.utf16()),
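
Review bot: the `flags` line in importPkcs12 carries no comment saying why PKCS12_ALWAYS_CNG_KSP is required rather than PKCS12_PREFER_CNG_KSP, so the rationale (a CSP bag attribute in the PFX otherwise routes the key into the CSP and CERT_NCRYPT_KEY_HANDLE_PROP_ID is never set) lives only in the commit message and is easy to revert by accident. Suggest a one-line comment above `flags` stating that the key must land in the CNG KSP for the later key-handle query to succeed. No test is visible in this change; a regression test that imports a PFX file carrying a CSP bag attribute would pin the behaviour, and it is worth confirming that the code after PFXImportCertStore reports a clean error when the import fails under the stricter flag.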