MS CryptoAPI - Machine Keystore with Error 0x80090016 (NTE_BAD_KEYSET) with certreq created keys

核能气质少年 提交于 2019-12-24 12:43:53

问题


Summary

I create a PKCS#10 CSR with certreq and have set the option Exportable=TRUE. This successfully creates a key under the location REQUEST. I also have a valid certificate with key in MY. If I try to access any one of them the CryptoAPI reports error code 0x80090016.

Running under different access rights could not solve this problem so far.

Goal

My goal is to get both the keys in MY and REQUEST. If I call CryptAcquireContextA() on any of those, it fails.

System

Windows 7 x64

Sample Source Code

My complete code looks like this:

hStore = CertOpenStore(CERT_STORE_PROV_SYSTEM_A, 0, 0, CERT_SYSTEM_STORE_LOCAL_MACHINE, "REQUEST");
pCert = CertFindCertificateInStore(hStore, X509_ASN_ENCODING, 0, CERT_FIND_SUBJECT_STR_A, "CERTIFICATE_SUBJECT", NULL);

CertGetCertificateContextProperty(pCert, CERT_KEY_PROV_INFO_PROP_ID, NULL, &len);
pinfo = (CRYPT_KEY_PROV_INFO *) malloc(len);
CertGetCertificateContextProperty(pCert, CERT_KEY_PROV_INFO_PROP_ID, pinfo, &len);

provname = wide_to_asc(pinfo->pwszProvName);
contname = wide_to_asc(pinfo->pwszContainerName);

if(!CryptAcquireContextA(&hCryptProv, contname, provname, pinfo->dwProvType, 0)) {
    err = GetLastError();
    fprintf(stderr, "Error: 0x%x\n", err);
}
CryptGetUserKey(hCryptProv, pinfo->dwKeySpec, &hUserkey);

This code is mostly copied from the OpenSSL capi engine. Since the engine failed, I created the smallest possible code to search the error.

The error

If I run this, it fails with the output Error: 0x80090016. This means one of three things according to Microsoft:

  • Key container does not exist.
  • You do not have access to the key container.
  • The Protected Storage Service is not running.

What have I done so far?

  • Started service "Protected Storage"
  • Verified container exists with MMC & Certificate Snap-In for Local Computer
  • Ran the same code on the User store in user context - it worked

File System Permissions

After some googling, I tried to change permissions on the file system. I found the files by looking at the contname variable of my code and searching for the file. I changed permissions on them (more accurate, I changed permissions on the parent folder). While this fixed the issue for MY, it seems I cannot change it for REQUEST.

One note here is that my container for MY seems to be here:

%APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-1650336054-1974872081-316617838-545102

For REQUEST I found it under a different address:

%ALLUSERSPROFILE%\Microsoft\Crypto\RSA\MachineKeys

I am not sure on the workings here so I cannot explain why it would put them in different locations (one being user centric, the other one a system folder). The MY store was created with a regular administrator prompt and the command certreq -new inf_file.inf cert-csr.csr and after I received my certificate, I issued certreq -accept cert.pem. Then I created a new csr with the same command.

Different privilege levels

I tried to execute my program with the following privileges:

  • my local user account
  • admin prompt (cmd->start as administrator)
  • nt authority\system (whoami output)

To recieve a service prompt, I executed psexec.exe –ids cmd.exe according to a tip from MaaSters Center

Final words

Any help or guidance on how to further narrow this problem down will be greatly appreciated.


回答1:


I was finally able to solve this problem and it is a lot simpler than I thought. I was sure that I would receive an unambiguous container name and don't need to be more specific but CryptAcquireContext actually requires me to pass a flag CRYPT_MACHINE_KEYSET.

So my function call has to look like this:

CryptAcquireContextA(&hCryptProv, contname, provname, pinfo->dwProvType, CRYPT_MACHINE_KEYSET)

Unfortunately this is not supported by the OpenSSL engine, so you would have to alter it yourself in the engine.




回答2:


See MSDN: "A key container created without this flag by a user that is not an administrator can be accessed only by the user creating the key container and the local system account."

Complete details here: https://msdn.microsoft.com/en-us/library/windows/desktop/aa379886(v=vs.85).aspx



来源:https://stackoverflow.com/questions/11507961/ms-cryptoapi-machine-keystore-with-error-0x80090016-nte-bad-keyset-with-cert

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!