Some applications (including .NET Core) specify the PKCS12_ALWAYS_CNG_KSP flag when calling PFXImportCertStore. According to Microsoft's documentation, this flag indicates that the CNG key storage provider should always be used, but if it is not available the import will not fail.
Wine does not implement a CNG KSP, so instead of failing we simply ignore the flag and continue with the existing import path. A FIXME trace is printed for visibility.
Notably, .NET Core automatically adds PKCS12_ALWAYS_CNG_KSP when the ephemeral key storage flag (X509KeyStorageFlags.EphemeralKeySet) is used. Without support for this flag, certificate import fails in ASP.NET Core applications using Kestrel with ephemeral server certificates.
This improves compatibility with .NET and other applications expecting this flag to be accepted without error.
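For anyone reproducing the scenario described above (not part of the merge request or of Wine's own code): the following .NET snippet is the pattern that makes .NET Core pass PKCS12_ALWAYS_CNG_KSP to PFXImportCertStore, because it loads a PFX with X509KeyStorageFlags.EphemeralKeySet and hands the result to Kestrel. The file path and password are placeholders; the assumed environment is a .NET 6+ app running under Wine.

```csharp
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;

// Placeholder inputs: substitute a real PKCS#12 file and its password.
const string pfxPath = "server-placeholder.pfx";
const string pfxPassword = "placeholder-password";

// EphemeralKeySet keeps the private key out of the persistent key store.
// On Windows builds of .NET this flag is what adds PKCS12_ALWAYS_CNG_KSP
// to the PFXImportCertStore call, so before the crypt32 change this
// constructor fails under Wine with an "invalid parameter" style error.
var cert = new X509Certificate2(
    File.ReadAllBytes(pfxPath),
    pfxPassword,
    X509KeyStorageFlags.EphemeralKeySet);

// A successful import must leave the private key attached, otherwise
// Kestrel cannot complete a TLS handshake with this certificate.
if (!cert.HasPrivateKey)
    throw new InvalidOperationException("PFX imported without a private key");

var builder = WebApplication.CreateBuilder(args);
builder.WebHost.ConfigureKestrel(options =>
{
    // Use the ephemeral certificate as the default HTTPS server certificate.
    options.ConfigureHttpsDefaults(https => https.ServerCertificate = cert);
});

var app = builder.Build();
app.MapGet("/", () => "ok");
app.Run();
```

Running this before and after the patch is a quick end-to-end check: the constructor call is where the import either throws or succeeds, and the HasPrivateKey check catches the case where the certificate imports but the key association is lost.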
-- v4: crypt32: Accept PKCS12_ALWAYS_CNG_KSP flag and fall back to standard import.
From: Christian Tinauer christian.tinauer@gmail.com
Some applications (including .NET Core) specify the PKCS12_ALWAYS_CNG_KSP flag when calling PFXImportCertStore. According to Microsoft's documentation, this flag indicates that the CNG key storage provider should always be used, but if it is not available the import will not fail.
Wine does not implement a CNG KSP, so instead of failing we simply ignore the flag and continue with the existing import path. A WARN trace is printed for visibility.
Notably, .NET Core automatically adds PKCS12_ALWAYS_CNG_KSP when the ephemeral key storage flag (X509KeyStorageFlags.EphemeralKeySet) is used. Without support for this flag, certificate import fails in ASP.NET Core applications using Kestrel with ephemeral server certificates.
This improves compatibility with .NET and other applications expecting this flag to be accepted without error.
Address reviewer feedback: FIXME instead of WARN, changed tests.
---
 dlls/crypt32/pfx.c | 6 +++++-
 dlls/crypt32/tests/store.c | 10 ++++++++++
 2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/dlls/crypt32/pfx.c b/dlls/crypt32/pfx.c index 54eb7f25e1b..a5a5e4b9087 100644 --- a/dlls/crypt32/pfx.c +++ b/dlls/crypt32/pfx.c @@ -152,11 +152,15 @@ HCERTSTORE WINAPI PFXImportCertStore( CRYPT_DATA_BLOB *pfx, const WCHAR *passwor SetLastError( ERROR_INVALID_PARAMETER ); return NULL; } - if (flags & ~(CRYPT_EXPORTABLE|CRYPT_USER_KEYSET|CRYPT_MACHINE_KEYSET|PKCS12_NO_PERSIST_KEY)) + if (flags & ~(CRYPT_EXPORTABLE|CRYPT_USER_KEYSET|CRYPT_MACHINE_KEYSET|PKCS12_NO_PERSIST_KEY|PKCS12_ALWAYS_CNG_KSP)) { FIXME( "flags %08lx not supported\n", flags ); return NULL; } + if (flags & PKCS12_ALWAYS_CNG_KSP) + { + FIXME( "flag PKCS12_ALWAYS_CNG_KSP ignored\n" ); + } if (CRYPT32_CALL( open_cert_store, &open_params )) return NULL;
prov = import_key( data, flags ); diff --git a/dlls/crypt32/tests/store.c b/dlls/crypt32/tests/store.c index 3c0b6a166e1..1a899d1f1cd 100644 --- a/dlls/crypt32/tests/store.c +++ b/dlls/crypt32/tests/store.c @@ -3370,6 +3370,16 @@ static void test_PFXImportCertStore(void)
CertFreeCertificateContext( cert ); CertCloseStore( store, 0 ); + + /* PKCS12_NO_PERSIST_KEY|PKCS12_ALWAYS_CNG_KSP */ + store = PFXImportCertStore( &pfx, NULL, PKCS12_NO_PERSIST_KEY|PKCS12_ALWAYS_CNG_KSP ); + ok( store != NULL, "got %lu\n", GetLastError() ); + + cert = CertFindCertificateInStore( store, X509_ASN_ENCODING, 0, CERT_FIND_ANY, NULL, NULL ); + ok( cert != NULL, "got %08lx\n", GetLastError() ); + + CertFreeCertificateContext( cert ); + CertCloseStore( store, 0 ); }
static void test_CryptQueryObject(void)
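Review bot: in the pfx.c hunk the PKCS12_ALWAYS_CNG_KSP bit is still set in `flags` when control reaches `prov = import_key( data, flags );` at the end of the hunk; unless import_key is known to ignore bits it does not handle, clear it after the FIXME (`flags &= ~PKCS12_ALWAYS_CNG_KSP;`) so the key-import path only sees the flags it was written for. Style point on the same hunk: Wine code generally omits braces around a single-statement if body, so the new block can be written as `if (flags & PKCS12_ALWAYS_CNG_KSP) FIXME( "flag PKCS12_ALWAYS_CNG_KSP ignored\n" );`.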
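Review bot: the new test in store.c only checks that the store opens and contains a certificate; since the flag's documented meaning concerns which key storage provider holds the private key, it would be stronger to also assert that the imported certificate has its key associated (for example via CertGetCertificateContextProperty with CERT_KEY_PROV_INFO_PROP_ID or CERT_NCRYPT_KEY_HANDLE_PROP_ID), and to cover PKCS12_ALWAYS_CNG_KSP without PKCS12_NO_PERSIST_KEY as well, since the combination tested is only the one .NET happens to use. Minor: the two ok() calls print the same GetLastError() value with `%lu` and `%08lx`; pick one format for consistency.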
I think it should be squashed now.
This merge request was approved by Hans Leidekker.