From: Dustin Howett Date: Thu, 25 Aug 2022 00:20:43 +0000 (-0500) Subject: schannel: when importing PFX, disable key persistence X-Git-Tag: curl-7_85_0~29 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=70d010d;p=thirdparty%2Fcurl.git schannel: when importing PFX, disable key persistence By default, the PFXImportCertStore API persists the key in the user's key store (as though the certificate was being imported for permanent, ongoing use.) The documentation specifies that keys that are not to be persisted should be imported with the flag `PKCS12_NO_PERSIST_KEY`. NOTE: this flag is only supported on versions of Windows newer than XP and Server 2003. Fixes #9300 Closes #9363 --- diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c index 32abcaa744..4ad0ee861d 100644 --- a/lib/vtls/schannel.c +++ b/lib/vtls/schannel.c @@ -186,6 +186,10 @@ #define ALG_CLASS_DHASH ALG_CLASS_HASH #endif +#ifndef PKCS12_NO_PERSIST_KEY +#define PKCS12_NO_PERSIST_KEY 0x00008000 +#endif + static Curl_recv schannel_recv; static Curl_send schannel_send; @@ -676,7 +680,13 @@ schannel_acquire_credential_handle(struct Curl_easy *data, else pszPassword[0] = 0; - cert_store = PFXImportCertStore(&datablob, pszPassword, 0); + if(curlx_verify_windows_version(6, 0, 0, PLATFORM_WINNT, + VERSION_GREATER_THAN_EQUAL)) + cert_store = PFXImportCertStore(&datablob, pszPassword, + PKCS12_NO_PERSIST_KEY); + else + cert_store = PFXImportCertStore(&datablob, pszPassword, 0); + free(pszPassword); } if(!blob)
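Review bot: the fallback `#define PKCS12_NO_PERSIST_KEY 0x00008000` in the first hunk carries no comment explaining why it is there. A one-line comment that the guard covers build headers which do not declare the flag would keep a later reader from mistaking the constant for a curl-private value or removing the block as dead code.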
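Review bot: in the second hunk the `else` branch still calls `PFXImportCertStore(&datablob, pszPassword, 0)`, so on Windows versions below 6.0 the imported private key keeps being persisted in the user's key store, and nothing in the code says so. Suggest a comment above the `curlx_verify_windows_version(6, 0, 0, PLATFORM_WINNT, VERSION_GREATER_THAN_EQUAL)` check stating that `PKCS12_NO_PERSIST_KEY` is unsupported there and that the legacy path leaves the key behind, and consider documenting that limitation for users who supply client certificates as PFX on those systems.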