
Removing private key containers from ...\RSA\MachineKeys


Patrick Tronnier
Mar 7, 2005, 10:31:06 AM
Greetings,

Please help. I have done considerable searching and have not found a way to
remove un-needed private key containers from:

C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys.

I found the following comment in a .NET article at MSDN:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncapi/html/pkcs12.asp

"Removing Key Containers

The CryptoAPI function PFXImportCertStore() creates a temporary memory
store, and also new default CSP key container(s). However, the key containers
are persistent, even after the memory store is removed. Therefore, the key
container(s) must be manually deleted after use, if key persistence is not
required. PfxOpen provides the DeleteKeyContainer() function to facilitate
removal of key containers and associated keys. This is implemented using
CryptoAPI CryptAcquireContext() with the CRYPT_DELETEKEYSET flag:

internal bool DeleteKeyContainer(String containername, String provname,
                                 uint provtype)
{
    const uint CRYPT_DELETEKEYSET = 0x00000010;
    IntPtr hCryptProv = IntPtr.Zero;
    if (containername == null || provname == null || provtype == 0)
        return false;
    if (Win32.CryptAcquireContext(ref hCryptProv, containername, provname,
                                  provtype, CRYPT_DELETEKEYSET)) {
        return true;
    }
    else
    {
        PfxOpen.showWin32Error(Marshal.GetLastWin32Error());
        return false;
    }
}"

Clearly the same APIs exist in the C++ interface. I have implemented some of
this in the Http application, but I don't see the private key files
disappearing?

My current implementation is:
==================================

#include <windows.h>
#include <wincrypt.h>
#include <atlconv.h>        // OLE2A() needs ATL's USES_CONVERSION
#pragma comment(lib, "crypt32.lib")
#pragma comment(lib, "advapi32.lib")

// pCertContext is the PCCERT_CONTEXT of the certificate whose key container
// should be removed; it is obtained elsewhere in the application.
USES_CONVERSION;
HCRYPTPROV hProv = NULL;
DWORD dwcbData = 0;

// First call only sizes the buffer, second call fills it.
BOOL bResult = CertGetCertificateContextProperty(pCertContext,
    CERT_KEY_PROV_INFO_PROP_ID, NULL, &dwcbData);

// dwcbData is a byte count, so allocate bytes rather than dwcbData structures.
CRYPT_KEY_PROV_INFO *pCryptKeyProvInfo = (CRYPT_KEY_PROV_INFO *) new BYTE[dwcbData];

bResult = CertGetCertificateContextProperty(pCertContext,
    CERT_KEY_PROV_INFO_PROP_ID, pCryptKeyProvInfo, &dwcbData);

// +1 for the terminating NUL; strlen() alone leaves strcpy() one byte short.
char *czContainerName = new char[strlen(OLE2A(pCryptKeyProvInfo->pwszContainerName)) + 1];
char *czProvName = new char[strlen(OLE2A(pCryptKeyProvInfo->pwszProvName)) + 1];
strcpy(czContainerName, OLE2A(pCryptKeyProvInfo->pwszContainerName));
strcpy(czProvName, OLE2A(pCryptKeyProvInfo->pwszProvName));

// Pass the container name read from the certificate; a NULL name would
// address the provider's default container instead.
bResult = CryptAcquireContext(&hProv,
    czContainerName,
    czProvName,
    pCryptKeyProvInfo->dwProvType,
    CRYPT_DELETEKEYSET);

DWORD dwError = GetLastError();
Util::ErrorMessage(dwError);

// With CRYPT_DELETEKEYSET the value returned in hProv is undefined, so there
// is no handle to release; only the buffers need freeing.
delete[] czContainerName;
delete[] czProvName;
delete[] (BYTE *) pCryptKeyProvInfo;

==================================


Thanks for any assistance and guidance.

Sincerely,

Patrick

lelteto
Mar 7, 2005, 11:19:01 AM
You can certainly delete key containers using CryptAcquireContext with the
CRYPT_DELETEKEYSET flag.
You can enumerate the (list of) containers using CryptGetProvParam with
PP_ENUMCONTAINERS flag.

Laszlo Elteto
SafeNet, Inc.

Patrick Tronnier
Mar 8, 2005, 2:51:04 PM
The

That CryptAcquireContext call using CRYPT_DELETEKEYSET fails (returns FALSE)
when called with:

czContainerName 0x00ee5e88 "{E3CA04DB-610B-49BC-8A50-A068AC0A9A60}"

czProvName 0x00ee5ef0 "Microsoft Strong Cryptographic Provider"

and produces:

Error (80090016): Keyset does not exist

lelteto
Mar 8, 2005, 4:45:02 PM
1. For machine keys you also need to specify the CRYPT_MACHINE_KEYSET flag.
2. Did you enumerate the containers to see if what YOU think the container
name is really there? (Open a default container with CRYPT_MACHINE_KEYSET |
CRYPT_VERIFYCONTEXT then do the enumeration.)

Patrick Tronnier
Mar 8, 2005, 5:59:05 PM
Success! Thanks lelteto.

By just adding the additional flag CRYPT_MACHINE_KEYSET to the call to
CryptAcquireContext (rest of the code as before) the files disappeared.
Thanks a lot for your help! (Is this documented or does Microsoft need to
update their documentation?)

lelteto
Mar 10, 2005, 12:21:02 PM
Yes, it is in the documentation. (CryptAcquireContext flag
CRYPT_MACHINE_KEYSET: you need it for machine keys)

Laszlo
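The two points lelteto makes in this thread, enumerating what is really in the machine key store (CRYPT_MACHINE_KEYSET | CRYPT_VERIFYCONTEXT, then PP_ENUMCONTAINERS) and deleting a container with CRYPT_DELETEKEYSET | CRYPT_MACHINE_KEYSET, put together as one added C# P/Invoke program. This is example code written for this page, not code from the thread, from the MSDN article, or from Microsoft; it assumes the "Microsoft Strong Cryptographic Provider" (PROV_RSA_FULL) that Patrick's certificate used, and that PP_ENUMCONTAINERS returns ANSI names (which it does; Encoding.Default is used to decode them).

```csharp
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Text;

// Added example (not from the thread or the MSDN article): list the machine key
// containers of the Microsoft Strong CSP, then delete one by name, using the two
// flags lelteto points out. The provider name is an assumption for this demo.
static class MachineKeyContainers
{
    const uint PROV_RSA_FULL        = 1;
    const uint CRYPT_VERIFYCONTEXT  = 0xF0000000;
    const uint CRYPT_DELETEKEYSET   = 0x00000010;
    const uint CRYPT_MACHINE_KEYSET = 0x00000020;
    const uint PP_ENUMCONTAINERS    = 2;
    const uint CRYPT_FIRST          = 1;
    const uint CRYPT_NEXT           = 2;
    const int  ERROR_NO_MORE_ITEMS  = 259;
    const int  NTE_BAD_KEYSET       = unchecked((int)0x80090016); // "Keyset does not exist"
    const string MS_STRONG_PROV     = "Microsoft Strong Cryptographic Provider";

    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern bool CryptAcquireContext(ref IntPtr phProv, string pszContainer,
        string pszProvider, uint dwProvType, uint dwFlags);

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool CryptGetProvParam(IntPtr hProv, uint dwParam, byte[] pbData,
        ref uint pdwDataLen, uint dwFlags);

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool CryptReleaseContext(IntPtr hProv, uint dwFlags);

    // Open a verify-only context on the machine key store and walk PP_ENUMCONTAINERS.
    public static List<string> EnumerateMachineContainers()
    {
        var names = new List<string>();
        IntPtr hProv = IntPtr.Zero;
        if (!CryptAcquireContext(ref hProv, null, MS_STRONG_PROV, PROV_RSA_FULL,
                                 CRYPT_VERIFYCONTEXT | CRYPT_MACHINE_KEYSET))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        try
        {
            // A null buffer with CRYPT_FIRST yields the size of the longest name.
            uint cb = 0;
            if (!CryptGetProvParam(hProv, PP_ENUMCONTAINERS, null, ref cb, CRYPT_FIRST))
            {
                int err = Marshal.GetLastWin32Error();
                if (err == ERROR_NO_MORE_ITEMS) return names;   // store is empty
                throw new Win32Exception(err);
            }
            var buf = new byte[cb];
            uint flags = CRYPT_FIRST;
            while (true)
            {
                uint len = (uint)buf.Length;   // overwritten by each call, so reset it
                if (!CryptGetProvParam(hProv, PP_ENUMCONTAINERS, buf, ref len, flags))
                {
                    int err = Marshal.GetLastWin32Error();
                    if (err == ERROR_NO_MORE_ITEMS) break;
                    throw new Win32Exception(err);
                }
                // PP_ENUMCONTAINERS hands back an ANSI, NUL-terminated name.
                names.Add(Encoding.Default.GetString(buf, 0, (int)len).TrimEnd('\0'));
                flags = CRYPT_NEXT;
            }
        }
        finally
        {
            CryptReleaseContext(hProv, 0);
        }
        return names;
    }

    // The thread's fix: CRYPT_DELETEKEYSET alone addresses the user store and fails
    // with NTE_BAD_KEYSET; adding CRYPT_MACHINE_KEYSET selects ...\RSA\MachineKeys.
    // Returns false when no such machine container exists, true when it was removed.
    public static bool DeleteMachineContainer(string containerName)
    {
        IntPtr hProv = IntPtr.Zero;
        if (CryptAcquireContext(ref hProv, containerName, MS_STRONG_PROV, PROV_RSA_FULL,
                                CRYPT_DELETEKEYSET | CRYPT_MACHINE_KEYSET))
            return true;   // phProv is undefined after a delete; nothing to release
        int err = Marshal.GetLastWin32Error();
        if (err == NTE_BAD_KEYSET) return false;
        throw new Win32Exception(err);
    }

    static void Main(string[] args)
    {
        // Always list first: the name taken from CERT_KEY_PROV_INFO_PROP_ID must
        // match an entry here exactly, or the delete reports NTE_BAD_KEYSET.
        var names = EnumerateMachineContainers();
        Console.WriteLine("{0} machine key container(s):", names.Count);
        foreach (var n in names) Console.WriteLine("  " + n);

        if (args.Length == 1)
            Console.WriteLine(DeleteMachineContainer(args[0])
                ? "Deleted container " + args[0]
                : "No machine container named " + args[0]);
    }
}
```

Run it without arguments to see the container names the CSP actually knows about, and with one argument (a name copied from that list, for example the GUID-style name Patrick saw) to delete that container. The MachineKeys directory is ACL-protected, so the process needs write access to it; and a certificate whose CERT_KEY_PROV_INFO_PROP_ID still points at a deleted container is left with no usable private key, which is why checking the enumeration before deleting is the right order.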
