From 70d010d285315e5f1cad6bdb4953e167b069b692 Mon Sep 17 00:00:00 2001 From: Dustin Howett Date: Wed, 24 Aug 2022 19:20:43 -0500 Subject: [PATCH] schannel: when importing PFX, disable key persistence By default, the PFXImportCertStore API persists the key in the user's key store (as though the certificate was being imported for permanent, ongoing use.) The documentation specifies that keys that are not to be persisted should be imported with the flag `PKCS12_NO_PERSIST_KEY`. NOTE: this flag is only supported on versions of Windows newer than XP and Server 2003. Fixes #9300 Closes #9363 --- lib/vtls/schannel.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c index 32abcaa744..4ad0ee861d 100644 --- a/lib/vtls/schannel.c +++ b/lib/vtls/schannel.c @@ -186,6 +186,10 @@ #define ALG_CLASS_DHASH ALG_CLASS_HASH #endif +#ifndef PKCS12_NO_PERSIST_KEY +#define PKCS12_NO_PERSIST_KEY 0x00008000 +#endif + static Curl_recv schannel_recv; static Curl_send schannel_send; @@ -676,7 +680,13 @@ schannel_acquire_credential_handle(struct Curl_easy *data, else pszPassword[0] = 0; - cert_store = PFXImportCertStore(&datablob, pszPassword, 0); + if(curlx_verify_windows_version(6, 0, 0, PLATFORM_WINNT, + VERSION_GREATER_THAN_EQUAL)) + cert_store = PFXImportCertStore(&datablob, pszPassword, + PKCS12_NO_PERSIST_KEY); + else + cert_store = PFXImportCertStore(&datablob, pszPassword, 0); + free(pszPassword); } if(!blob) -- 2.47.2