LPCSTR UserName = "MyName";
if (RCRYPT_FAILED(CryptAcquireContext(&hCryptProv, UserName,
MS_ENHANCED_PROV, PROV_RSA_FULL, 0) ) ){
if(GetLastError() == NTE_BAD_KEYSET){
if (RCRYPT_FAILED(CryptAcquireContext(&hCryptProv, UserName,
MS_ENHANCED_PROV,
PROV_RSA_FULL, CRYPT_NEWKEYSET) ) ){
printf("Could not get crypto context %x",GetLastError() );
#############ERROR###########
}
else{
return TRUE;
}
}
}
else{
return TRUE;
}
return FALSE;
Thanks,
Sachin
You will need to try a different key container name.
--
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm
"sachin" <mishr...@hotmail.com> wrote in message
news:uagw$byNEH...@TK2MSFTNGP11.phx.gbl...
Thanks,
Sachin
"Sergio Dutra [MS]" <ser...@online.microsoft.com> wrote in message
news:OcyGyZ3N...@TK2MSFTNGP10.phx.gbl...
Any help will be appreciated.
I have attached a sample piece of code where I have the following 4 functions:
-loadCertificate takes in a hash and fills up PCRYPT_KEY_PROV_INFO struct
-ms2opensslX509 makes an ssl x509 cert out of it.
-ms2opensslRSANoPrivateKey tries to acquire the context
based on the information returned in PCRYPT_KEY_PROV_INFO.
However that function call fails when used on machine bootup.
The objective was to use the machine certificate on boot up for
authentication. The code that worked for machine and user
authentication (TLS) worked when the user had already logged in
and performed authentication through a desktop utility.
However, it fails "sometimes" when run in a service on boot up.
In the code below, why does getCryptProv sometimes fail with the error
"keyset does not exist"? What is a workaround for that?
I tried CryptAcquireContext with CRYPT_NEWKEYSET flag if
it failed with NTE_BAD_KEYSET. That did not resolve it.
*/
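/*
 * Locate a certificate in hSystemStoreHandle and attach it, together with
 * its CSP-backed private key, to the SSL connection `con`.
 *
 * pHash  - hash blob selecting the certificate (CERT_FIND_HASH); NULL selects
 *          the first certificate that carries a CERT_KEY_PROV_INFO property,
 *          i.e. one that is linked to a CSP key container.
 *
 * Presumably returns `res` (set to 0 on every failure path; the return
 * statement lives in the elided part of the function). Every failure jumps
 * to the `end` label, also elided, which is expected to release
 * pCertContext / pinfo / cert.
 *
 * Relies on file-scope state not visible here: hSystemStoreHandle,
 * pCertContext, cbData, pinfo, cert, key, con, res, global.machineKeyset.
 */
static int loadCertificate(PCRYPT_HASH_BLOB pHash)
{
    //....continued.....
    DWORD keyFlags = 0;

    if (pHash == NULL) {
        /* No hash given: take any certificate that has key-provider info. */
        DWORD propId = CERT_KEY_PROV_INFO_PROP_ID;
        pCertContext = CertFindCertificateInStore(hSystemStoreHandle,
                                                  X509_ASN_ENCODING, 0,
                                                  CERT_FIND_PROPERTY, &propId,
                                                  pCertContext);
        if (pCertContext == NULL) {
            dbprint("Could not find a certificate with a NULL hash.\n");
            res = 0;
            goto end;
        }
    } else {
        pCertContext = CertFindCertificateInStore(hSystemStoreHandle,
                                                  X509_ASN_ENCODING, 0,
                                                  CERT_FIND_HASH, pHash,
                                                  pCertContext);
        if (pCertContext == NULL) {
            dbprint("Could not find a certificate with a given hash.\n");
            res = 0;
            goto end;
        }
    }

    /* Size query. Its result was previously ignored: if it fails, cbData is
     * never written and the malloc below would be sized from whatever cbData
     * happened to hold, with the second call then writing into that buffer. */
    if (!CertGetCertificateContextProperty(pCertContext,
                                           CERT_KEY_PROV_INFO_PROP_ID,
                                           NULL, &cbData)) {
        dbprint("Certificate has no key provider info (%x)\n", GetLastError());
        res = 0;
        goto end;
    }
    if ((pinfo = (PCRYPT_KEY_PROV_INFO)malloc(cbData)) == NULL) {
        res = 0;
        goto end;
    }
    if (!CertGetCertificateContextProperty(pCertContext,
                                           CERT_KEY_PROV_INFO_PROP_ID,
                                           pinfo, &cbData)) {
        dbprint("Error in CertGetCertificateContextProperty (%x)\n", GetLastError());
        res = 0;
        goto end;
    }

    cert = ms2opensslX509(pCertContext->pbCertEncoded, pCertContext->cbCertEncoded);
    if (cert == NULL) {
        dbprint("ms2opensslX509 did not return a certificate\n");
        res = 0;
        goto end;
    }
    if (SSL_use_certificate(con, cert) != 1) {
        dbprint("Error in SSL_use_certificate\n");
        res = 0;
        goto end;
    }

    /* Machine vs. user key store is decided by configuration here. Note that
     * pinfo->dwFlags also records which keyset the certificate was actually
     * enrolled with, so the two can disagree — TODO confirm they match. */
    if (global.machineKeyset) {
        keyFlags |= CRYPT_MACHINE_KEYSET;
    }
    key = ms2opensslRSANoPrivateKey(pinfo, keyFlags);
    if (key == NULL) {
        res = 0;
        dbprint("ms2opensslRSANoPrivateKey did not return a key\n");
        goto end;
    }
    //....continued.....
}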
/*
 * Build an RSA object backed by the Microsoft CSP key that `pinfo` describes.
 * Judging by the name, the private key is presumably never exported from the
 * CSP; only a provider handle is kept in the MSKeyContext.
 *
 * pinfo - CERT_KEY_PROV_INFO of the certificate (container, provider, type).
 * flags - extra CryptAcquireContext flags, e.g. CRYPT_MACHINE_KEYSET.
 *
 * Returns NULL on failure. The `err` label and the rest of the function are
 * elided here ("continued"), so `ctx` must keep its name for that code.
 */
RSA *ms2opensslRSANoPrivateKey(PCRYPT_KEY_PROV_INFO pinfo, int flags)
{
    //....continued.....
    MSKeyContext *ctx = malloc(sizeof *ctx);
    if (ctx == NULL) {
        goto err;
    }

    /* Open the key container recorded in the certificate. A zero handle is
     * the failure reported as "keyset does not exist"; GetLastError() is not
     * captured on this path, so the Win32 reason is lost to the caller. */
    ctx->hCryptProv = getCryptProv(pinfo, flags);
    if (ctx->hCryptProv == 0) {
        goto err;
    }
    //....continued.....
}
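/*
 * Acquire a handle to the CSP key container named in `pinfo`.
 *
 * pinfo - key-provider info read from the certificate: container name,
 *         provider name, provider type and the flags it was enrolled with.
 * flags - caller-supplied CryptAcquireContext flags (e.g. CRYPT_MACHINE_KEYSET).
 *
 * Returns the provider handle, or 0 if the container could not be opened;
 * the Win32 error is logged via dbprint before anything can overwrite it.
 */
static HCRYPTPROV getCryptProv(PCRYPT_KEY_PROV_INFO pinfo, int flags)
{
    HCRYPTPROV hProv = 0;

    /* CRYPT_KEY_PROV_INFO strings are wide (pwsz*). In a build without
     * UNICODE the generic CryptAcquireContext macro resolves to the ANSI
     * variant, which would read the wide container name as a one-byte
     * string and likely fail with NTE_BAD_KEYSET — so call the W variant
     * explicitly.
     *
     * Previously NULL was passed as the provider, i.e. the default CSP for
     * dwProvType; the container only exists in the CSP recorded in
     * pwszProvName. dwFlags carries the CRYPT_MACHINE_KEYSET / CRYPT_SILENT
     * bits the certificate was enrolled with and is meant to be passed on
     * to CryptAcquireContext, so it is combined with the caller's flags. */
    if (!CryptAcquireContextW(&hProv,
                              pinfo->pwszContainerName,
                              pinfo->pwszProvName,
                              pinfo->dwProvType,
                              (DWORD)flags | pinfo->dwFlags)) {
        dbprint("CryptAcquireContext failed (%x)\n", GetLastError());
        hProv = 0;
    }
    return hProv;
}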
--
Yasir Ali
Software Engineer
Meetinghouse Data Communications
- hao
--
This posting is provided "AS IS" with no warranties, and confers no rights.
"Yasir Ali" <Yasi...@discussions.microsoft.com> wrote in message
news:A16B7A19-2686-4F79...@microsoft.com...
If you get NTE_BAD_KEYSET with flags 0 and NTE_KEY_EXISTS with
CRYPT_NEWKEYSET for the same machine keyset, it normally indicates that you
don't have the correct ACLs on the key container.
--
Thanks,
Ryan Menezes [MS]
This posting is provided "AS IS" with no warranties, and confers no rights.
"Yasir Ali" <Yasi...@discussions.microsoft.com> wrote in message
news:A16B7A19-2686-4F79...@microsoft.com...
As I stated earlier, the issue I am trying to resolve is performing TLS authentication at boot (before Windows logon) from a service.
What steps do I need to take to ensure that I have access to the correct key containers in that service?
regards,
Yasir
--
Yasir Ali
Software Engineer
Meetinghouse Data Communications
1. Admin changes the user's password
2. XP client with an NT 4 server
3. XP client with a Novell server that has not been updated to the latest client
--
Thanks,
Ryan Menezes [MS]
This posting is provided "AS IS" with no warranties, and confers no rights.
"Yasir Ali" <Yasi...@discussions.microsoft.com> wrote in message
news:09B1B5F2-1B38-4CF8...@microsoft.com...