Fix for Windows unable to acquire crypt context with new keyset (fixes #387)

Fix is based on guidance https://support.microsoft.com/en-us/help/238187/cryptacquirecontext-use-and-troubleshooting and is the proper fix for #285/#286
2025-01-02 22:50:20 +00:00 · 2019-11-29 12:20:28 -08:00 · 2019-11-29 12:20:28 -08:00 · a8b6ff5763
commit a8b6ff5763
parent 73a0e3a932
2 changed files with 27 additions and 6 deletions
--- a/3
+++ b/3
@ -1,5 +1,8 @@
 2020-01-14  Jay Berkenbilt  <ejb@ql.org>

+	* Fix for Windows being unable to acquire crypt context with a new
+	keyset. Thanks to Cloudmersive for the fix. Fixes #387.
+
 	* Rewrite fix-qdf in C++. This means fix-qdf is a proper
 	executable now, and there is no longer a runtime requirement on
 	perl.
--- a/libqpdf/SecureRandomDataProvider.cc
+++ b/libqpdf/SecureRandomDataProvider.cc
@ -46,7 +46,7 @@ class WindowsCryptProvider
                                 "Container",
                                 NULL,
                                 PROV_RSA_FULL,
-                                 0))
+                                 CRYPT_MACHINE_KEYSET))
        {
 #if ((defined(__GNUC__) && ((__GNUC__ * 100) + __GNUC_MINOR__) >= 406) || \
     defined(__clang__))
@ -56,28 +56,46 @@ class WindowsCryptProvider
 #           pragma GCC diagnostic ignored "-Wsign-conversion"
 #endif
            if (GetLastError() == NTE_BAD_KEYSET)
-#if ((defined(__GNUC__) && ((__GNUC__ * 100) + __GNUC_MINOR__) >= 406) || \
-     defined(__clang__))
-#           pragma GCC diagnostic pop
-#endif
            {
                if (! CryptAcquireContext(&crypt_prov,
                                          "Container",
                                          NULL,
                                          PROV_RSA_FULL,
-                                          CRYPT_NEWKEYSET))
+                                          CRYPT_NEWKEYSET|CRYPT_MACHINE_KEYSET))
                {
                    throw std::runtime_error(
                        "unable to acquire crypt context with new keyset: " +
                        getErrorMessage());
                }
            }
+            else if (GetLastError() == NTE_EXISTS)
+            {
+                throw std::runtime_error(
+                    "unable to acquire crypt context; the key container"
+                    " already exists, but you are attempting to create it."
+                    " If a previous attempt to open the key failed with"
+                    " NTE_BAD_KEYSET, it implies that access to the key"
+                    " container is denied. Error: " + getErrorMessage());
+            }
+            else if (GetLastError() == NTE_KEYSET_NOT_DEF)
+            {
+                throw std::runtime_error(
+                    "unable to acquire crypt context; the Crypto Service"
+                    " Provider (CSP) may not be set up correctly. Use of"
+                    " Regsvr32.exe on CSP DLLs (Rsabase.dll or Rsaenh.dll)"
+                    " may fix the problem, depending on the provider being"
+                    " used. Error: " + getErrorMessage());
+            }
            else
            {
                throw std::runtime_error(
                    "unable to acquire crypt context: " +
                    getErrorMessage());
            }
+#if ((defined(__GNUC__) && ((__GNUC__ * 100) + __GNUC_MINOR__) >= 406) || \
+     defined(__clang__))
+#           pragma GCC diagnostic pop
+#endif
        }
    }
    ~WindowsCryptProvider()