  1. Qt
  2. QTBUG-131483

QSslSocket on windows schannel: add API to provide CERT_CONTEXT handle from outside


Details

    • Suggestion
    • Resolution: Unresolved
    • Not Evaluated
    • None
    • 5.15, 6.8.0
    • Network: SSL
    • None
    • Windows with schannel backend

    • Windows

    Description

      For server applications we need to set the local certificate and private key on QSslSocket. When using schannel on Windows, those are typically already in the Windows cert store.

      Instead of adding code to read out the cert/key from the Windows cert store, convert them to DER, and then set them so that internally the Qt implementation can generate a CERT_CONTEXT from it, it would be better to provide a way to set a CERT_CONTEXT* directly. See "localCertContext" in acquireCredentialsHandle.

      This would also be a (the only) solution to support "non-exportable private keys", which can be accessed by schannel but cannot be read out/imported. With schannel there is really no need to have the private key in application memory; this is also a security issue.


      See
      https://forum.qt.io/topic/159800/qt-5-qnetwork-schannel-with-non-exportable-private-key

      Error code "NTE_BAD_KEY_STATE" in
      CryptExportKey function (wincrypt.h) - Win32 apps | Microsoft Learn: https://learn.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-cryptexportkey
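      The report above hinges on whether a key in the Windows cert store is exportable at all: the DER round-trip only works for exportable keys, while schannel can use a non-exportable key in place. The following PowerShell is an added example (not Qt code and not from the reporter) that inventories the machine's personal store and reports, per certificate, whether the private key permits plaintext export. It assumes RSA keys held by a CNG key storage provider or a legacy CSP; the store path is an assumption and can be changed.

```powershell
# Added example: report private-key exportability for certificates in a store.
# Assumptions: RSA keys (ECDSA would use ECDsaCertificateExtensions the same way),
# store path Cert:\LocalMachine\My (adjust as needed), run with read access to the keys.
function Get-PrivateKeyExportability {
    param(
        [string]$StorePath = 'Cert:\LocalMachine\My'   # assumed location
    )
    Get-ChildItem -Path $StorePath | Where-Object { $_.HasPrivateKey } | ForEach-Object {
        $cert = $_
        $provider = $null
        $policy = $null
        $plaintextExport = $null
        try {
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if ($rsa -is [System.Security.Cryptography.RSACng]) {
                # CNG key: the export policy is a flag set stored with the key itself
                $policy = $rsa.Key.ExportPolicy
                $plaintextExport = ($policy -band [System.Security.Cryptography.CngExportPolicies]::AllowPlaintextExport) -ne 0
                $provider = $rsa.Key.Provider.Provider
            } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                # Legacy CSP key: exportability is recorded in the key container info
                $policy = if ($rsa.CspKeyContainerInfo.Exportable) { 'Exportable' } else { 'NonExportable' }
                $plaintextExport = $rsa.CspKeyContainerInfo.Exportable
                $provider = $rsa.CspKeyContainerInfo.ProviderName
            }
        } catch {
            # Key present but not accessible to this account; report the reason instead of guessing
            $policy = "error: $($_.Exception.Message)"
        }
        [pscustomobject]@{
            Subject         = $cert.Subject
            Thumbprint      = $cert.Thumbprint
            Provider        = $provider
            ExportPolicy    = $policy
            PlaintextExport = $plaintextExport
        }
    }
}

Get-PrivateKeyExportability | Format-Table -AutoSize
```

A certificate whose PlaintextExport column is False is exactly the case the report describes: schannel can sign the handshake with it, but CryptExportKey on it fails with NTE_BAD_KEY_STATE, so any approach that first pulls the key into application memory (such as converting it to DER for QSslKey) cannot use it.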


      Attachments



          People

            manordheim Mårten Nordheim
            steve82736123 Stefan Brabec
            Votes: 2
            Watchers: 2


              Gerrit Reviews

                There are no open Gerrit changes