curl/curl
1
1
Fork 0
mirror of https://github.com/curl/curl.git synced 2025-09-17 01:22:41 +03:00
Code Issues Packages Projects Releases Wiki Activity

schannel: when importing PFX, disable key persistence

Browse Source 
By default, the PFXImportCertStore API persists the key in the user's
key store (as though the certificate was being imported for permanent,
ongoing use.)

The documentation specifies that keys that are not to be persisted
should be imported with the flag `PKCS12_NO_PERSIST_KEY`.
NOTE: this flag is only supported on versions of Windows newer than XP
and Server 2003.

Fixes #9300
Closes #9363
This commit is contained in:
Dustin Howett 2022-08-24 19:20:43 -05:00 committed by Daniel Stenberg
parent 3f98eaafa0
commit 70d010d285
No known key found for this signature in database
GPG Key ID: 5CC908FDB71E12C2
1 changed files with 11 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
lib/vtls/schannel.c
View File

@ -186,6 +186,10 @@
#define ALG_CLASS_DHASH ALG_CLASS_HASH
#endif
#ifndef PKCS12_NO_PERSIST_KEY
#define PKCS12_NO_PERSIST_KEY 0x00008000
#endif
static Curl_recv schannel_recv;
static Curl_send schannel_send;
@ -676,7 +680,13 @@ schannel_acquire_credential_handle(struct Curl_easy *data,
else
pszPassword[0] = 0;
cert_store = PFXImportCertStore(&datablob, pszPassword, 0);
if(curlx_verify_windows_version(6, 0, 0, PLATFORM_WINNT,
VERSION_GREATER_THAN_EQUAL))
cert_store = PFXImportCertStore(&datablob, pszPassword,
PKCS12_NO_PERSIST_KEY);
else
cert_store = PFXImportCertStore(&datablob, pszPassword, 0);
free(pszPassword);
}
if(!blob)