From e016730b93d8bca1a07a651863c7de2bf05b5819 Mon Sep 17 00:00:00 2001 From: Tobias Koenig Date: Wed, 23 Apr 2025 06:00:31 +0200 Subject: [PATCH] Schannel: Fix import of PKCS12/PFX files with CSP bag attribute MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Use the PKCS12_ALWAYS_CNG_KSP flag instead of PKCS12_PREFER_CNG_KSP when importing a PKCS12/PFX file to make sure the private keys are stored in the Key Storage Provider, so that the CERT_NCRYPT_KEY_HANDLE_PROP_ID property is set on the associated certificate and the subsequent query for it succeeds. Background: If the PFX file contains a Crypto Service Provider (CSP) bag attribute and PFXImportCertStore is called with the PKCS12_PREFER_CNG_KSP flag, then the private keys are stored in the CSP that is referenced in the bag attribute and the key is only accessible through the deprecated API. Change-Id: If2ad2fa6a7b20f02e40fc49c98e3a72b68d832f2 Reviewed-by: MÃ¥rten Nordheim
---
 src/plugins/tls/schannel/qx509_schannel.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/plugins/tls/schannel/qx509_schannel.cpp b/src/plugins/tls/schannel/qx509_schannel.cpp
index d9d82dce29f..47d11b82551 100644
--- a/src/plugins/tls/schannel/qx509_schannel.cpp
+++ b/src/plugins/tls/schannel/qx509_schannel.cpp
@@ -68,7 +68,7 @@ bool X509CertificateSchannel::importPkcs12(QIODevice *device, QSslKey *key, QSsl
 const auto password = QString::fromUtf8(passPhrase);
- const DWORD flags = (CRYPT_EXPORTABLE | PKCS12_NO_PERSIST_KEY | PKCS12_PREFER_CNG_KSP);
+ const DWORD flags = (CRYPT_EXPORTABLE | PKCS12_NO_PERSIST_KEY | PKCS12_ALWAYS_CNG_KSP);
 auto certStore = QHCertStorePointer(PFXImportCertStore(&dataBlob, reinterpret_cast(password.utf16()),