Re: CertAddCertificateContextToStore CERT_STORE_ADD_REPLACE_EXISTING crashing CertGetCertificateContextProperty



After trying to come up with a minimal sample, it looks like the
problem may not occur until the certificate is freed. The call to
CryptFindCertificateKeyProvInfo is returning TRUE, meaning it found a
private key for the public-key-only certificate:

-----------------------------------------------------------------------------------------

#include <windows.h>
#include <wincrypt.h>
#include <tchar.h>
#include <stdio.h>
#pragma comment(lib, "crypt32.lib")

// Imports the first certificate of a PFX into CurrentUser\My with
// CERT_STORE_ADD_REPLACE_EXISTING and hands back the store's copy in *result
// (NULL if any step fails).
void import(_TCHAR* filename, PCCERT_CONTEXT* result)
{
    *result = NULL;
    HANDLE cf = CreateFile(filename, GENERIC_READ,
        0, NULL, OPEN_EXISTING, 0, NULL);
    if (cf != INVALID_HANDLE_VALUE)
    {
        DWORD len = GetFileSize(cf, NULL);
        BYTE* cfData = new BYTE[len];
        if (cfData && ReadFile(cf, cfData, len, &len, NULL))
        {
            CRYPT_DATA_BLOB cdb = { len, cfData };
            // Persists the private key (if the PFX has one) in a key container
            // under the current user's key set.
            HCERTSTORE store = PFXImportCertStore(&cdb,
                _T("SSLCertificateDemo"), CRYPT_USER_KEYSET | CRYPT_EXPORTABLE);
            if (store)
            {
                PCCERT_CONTEXT cert = CertEnumCertificatesInStore(store, NULL);
                HCERTSTORE dest = CertOpenStore(CERT_STORE_PROV_SYSTEM, 0, NULL,
                    CERT_STORE_OPEN_EXISTING_FLAG | CERT_SYSTEM_STORE_CURRENT_USER,
                    L"My");
                if (cert && dest)
                {
                    CertAddCertificateContextToStore(dest, cert,
                        CERT_STORE_ADD_REPLACE_EXISTING, result);
                }
                if (cert) CertFreeCertificateContext(cert);
                if (dest) CertCloseStore(dest, 0);
                CertCloseStore(store, 0);
            }
        }
        delete[] cfData;
        CloseHandle(cf);
    }
}

int _tmain(int argc, _TCHAR* argv[])
{
    CRYPT_KEY_PROV_INFO provInfo;
    BYTE overflow[1024]; // don't do this (see pcbData below)
    PCCERT_CONTEXT cert = NULL;

    // First import: the PFX that carries the private key.
    import(_T("\\output.pfx"), &cert);
    if (cert) CertFreeCertificateContext(cert);

    // Second import: the same cert, but the PFX has no private key.
    import(_T("\\outputPublic.pfx"), &cert);
    if (!cert) return 1;

    // Observed to return TRUE for the public-key-only context.
    BOOL keyResult = CryptFindCertificateKeyProvInfo(cert, 0, NULL);

    // pcbData deliberately claims far more room than sizeof(provInfo); the
    // 'overflow' array is only there to soak up the extra bytes. Kept as in
    // the original repro; a real caller queries the size first.
    DWORD pcbData = sizeof(overflow) / 2;
    memset(&provInfo, 0, sizeof(provInfo));
    memset(overflow, 0, sizeof(overflow));
    SetLastError(0);
    BOOL propResult = CertGetCertificateContextProperty(cert,
        CERT_KEY_PROV_INFO_PROP_ID, &provInfo, &pcbData);
    DWORD err = GetLastError();
    _tprintf(_T("find=%d prop=%d cb=%lu err=%lu\n"),
        keyResult, propResult, pcbData, err);

    // The crash being chased happens here, when the context is released.
    CertFreeCertificateContext(cert);

    return 0;
}
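An added example, not code from the original post, that runs the same check from PowerShell so the behaviour can be seen without rebuilding the C++ sample. It P/Invokes the two crypt32 calls from the post against X509Certificate2.Handle (the PCCERT_CONTEXT) and reads CERT_KEY_PROV_INFO_PROP_ID with the size-query-then-allocate pattern instead of a fixed struct plus a guard buffer. Per the crypt32 documentation, CryptFindCertificateKeyProvInfo enumerates the providers' key containers for a private key whose public half matches the certificate and, on a match, sets CERT_KEY_PROV_INFO_PROP_ID on the context; freeing a certificate context does not delete a key container, so the container created by the first PFX import is still there to be matched by the second, public-only import. Remove-KeyContainer shows what actually removes it. Assumptions: output.pfx and outputPublic.pfx sit in the current directory with the password from the post, the key is RSA, and this runs under Windows PowerShell 5.1 or later; DEMO_DELETE_KEY is a made-up opt-in switch for the cleanup step.

```powershell
# Added example (not from the original post). Assumptions: output.pfx (with key) and
# outputPublic.pfx (same cert, no key) in the current directory, password as in the
# post, RSA key, Windows PowerShell 5.1+ on Windows. DEMO_DELETE_KEY is a made-up
# opt-in switch for the cleanup step.
Add-Type -Namespace Demo -Name Crypt32 -MemberDefinition @'
[DllImport("crypt32.dll", SetLastError = true)]
public static extern bool CryptFindCertificateKeyProvInfo(IntPtr pCert, uint dwFlags, IntPtr pvReserved);

[DllImport("crypt32.dll", SetLastError = true)]
public static extern bool CertGetCertificateContextProperty(IntPtr pCertContext, uint dwPropId, IntPtr pvData, ref uint pcbData);
'@

$CERT_KEY_PROV_INFO_PROP_ID = 2
$CRYPT_E_NOT_FOUND          = -2146885628   # 0x80092004 as the signed Int32 GetLastWin32Error returns
$M    = [System.Runtime.InteropServices.Marshal]
$X509 = 'System.Security.Cryptography.X509Certificates.X509Certificate2'

function Get-KeyProvInfo {
    param($Cert)   # X509Certificate2; .Handle is the PCCERT_CONTEXT
    $size = [uint32]0
    # Call 1: null buffer, only learn how many bytes the property needs.
    $ok = [Demo.Crypt32]::CertGetCertificateContextProperty($Cert.Handle, $CERT_KEY_PROV_INFO_PROP_ID, [IntPtr]::Zero, [ref]$size)
    if (-not $ok) {
        $err = $M::GetLastWin32Error()
        if ($err -eq $CRYPT_E_NOT_FOUND) { return $null }   # context carries no key prov info
        throw ('CertGetCertificateContextProperty size query failed: 0x{0:X8}' -f $err)
    }
    $buf = $M::AllocHGlobal([int]$size)
    try {
        # Call 2: a buffer of exactly that size. crypt32 writes the CRYPT_KEY_PROV_INFO
        # struct and the strings it points to into it, so nothing runs past the end.
        $ok = [Demo.Crypt32]::CertGetCertificateContextProperty($Cert.Handle, $CERT_KEY_PROV_INFO_PROP_ID, $buf, [ref]$size)
        if (-not $ok) { throw ('CertGetCertificateContextProperty failed: 0x{0:X8}' -f $M::GetLastWin32Error()) }
        # CRYPT_KEY_PROV_INFO: LPWSTR pwszContainerName; LPWSTR pwszProvName; DWORD dwProvType;
        # DWORD dwFlags; DWORD cProvParam; PCRYPT_KEY_PROV_PARAM rgProvParam; DWORD dwKeySpec;
        $p = [IntPtr]::Size
        $rgProvParamOff = (2 * $p + 12 + $p - 1) -band (-bnot ($p - 1))   # pointer-aligned after three DWORDs
        [pscustomobject]@{
            Container = $M::PtrToStringUni($M::ReadIntPtr($buf, 0))
            Provider  = $M::PtrToStringUni($M::ReadIntPtr($buf, $p))
            ProvType  = $M::ReadInt32($buf, 2 * $p)                 # 0 means a CNG key storage provider
            KeySpec   = $M::ReadInt32($buf, $rgProvParamOff + $p)   # 1 = AT_KEYEXCHANGE, 2 = AT_SIGNATURE
        }
    } finally {
        $M::FreeHGlobal($buf)
    }
}

function Remove-KeyContainer {
    # Deletes the on-disk key container that Get-KeyProvInfo reported; this, not
    # freeing the certificate context, is what makes the private key go away.
    param($Info)
    if ($Info.ProvType -eq 0) {
        [System.Security.Cryptography.CngKey]::Open($Info.Container,
            (New-Object System.Security.Cryptography.CngProvider($Info.Provider))).Delete()
        return
    }
    $csp = New-Object System.Security.Cryptography.CspParameters($Info.ProvType, $Info.Provider, $Info.Container)
    $csp.KeyNumber = $Info.KeySpec
    $csp.Flags     = [System.Security.Cryptography.CspProviderFlags]::UseExistingKey
    $rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider($csp)
    $rsa.PersistKeyInCsp = $false   # with this cleared, Clear() deletes the container
    $rsa.Clear()
}

$password = 'SSLCertificateDemo'
$flags    = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'UserKeySet,Exportable,PersistKeySet'

# 1. Import the PFX that carries the key. PersistKeySet keeps the key container on
#    disk, which is what PFXImportCertStore with CRYPT_USER_KEYSET does in the post.
$withKey = New-Object $X509 -ArgumentList (Join-Path $PWD 'output.pfx'), $password, $flags
$keyed   = Get-KeyProvInfo $withKey
'with key:    container={0}  provider={1}  keyspec={2}' -f $keyed.Container, $keyed.Provider, $keyed.KeySpec
$withKey.Dispose()   # frees the context; the key container stays

# 2. Import the public-only PFX as a fresh context; it carries no key prov info yet.
$public = New-Object $X509 -ArgumentList (Join-Path $PWD 'outputPublic.pfx'), $password, $flags
'public only: provinfo before find = {0}' -f ($null -ne (Get-KeyProvInfo $public))

# 3. CryptFindCertificateKeyProvInfo searches the providers' containers for a key whose
#    public half matches and, on a match, attaches CERT_KEY_PROV_INFO_PROP_ID.
$found = [Demo.Crypt32]::CryptFindCertificateKeyProvInfo($public.Handle, 0, [IntPtr]::Zero)
$after = Get-KeyProvInfo $public
'public only: find={0}  provinfo after find = {1}' -f $found, ($null -ne $after)
if ($after) { $after | Format-List }

# 4. Opt-in cleanup: delete the container so a later public-only import stays public.
if ($after -and $env:DEMO_DELETE_KEY -eq '1') { Remove-KeyContainer $after }
$public.Dispose()
```

The two-call shape in Get-KeyProvInfo is the one CertGetCertificateContextProperty is documented for: the first call with a null pvData returns the byte count, and the second call gets a buffer of exactly that size, so there is never a reason to lie about pcbData or to pad the stack behind a CRYPT_KEY_PROV_INFO.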