Qt 5 - qnetwork schannel with non-exportable private key.
-
Hi,
we are evaluating a switch from OpenSSL to the Schannel backend (currently still on 5.x). The application is a TCP server, and the certificate and private key are in the Windows cert store.
As long as the private key is exportable this seems to be OK, by passing the QSslCertificate and QSslKey manually from the Windows cert store (reading it out via CryptAcquireCertificatePrivateKey) to Qt. But it seems there is no Qt API support for non-exportable keys: with Schannel there is no need to pass the private key across the application boundary; it could also stay in the OS security context.
Am I missing something or is this currently not possible with Qt's schannel implementation?
Thx.
-
Looked into the internals (5.x and 6.x - problem is the same):
On Windows with the Schannel backend and certificates/keys in the Windows store, the certificates and especially the private keys need to be exported by the application, converted, and set via setLocalCert / setPrivateKey; then internally the Qt Schannel implementation generates a temporary Windows cert store and imports the stuff, just to get a handle to the cert context.
For non-exportable keys this approach fails, and also from a security perspective there is no need for the private key to be present in application memory. It would be great to have a way to set
const CERT_CONTEXT *localCertContext; // qsslsocket_schannel_p.h in qt5 or qtls_schannel_p.h in qt6
from the outside, so that acquireCredentialsHandle directly uses this context and passes it to the SCHANNEL_CRED.
I tried to "poke" it into the object memory, but unfortunately the handshake code calls "reset" right before and sets localCertContext back to nullptr :-)
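An added check (not from the thread and not Qt code): a PowerShell script that lists which certificates in a Windows store carry an exportable private key, i.e. which ones can take the QSslKey/setPrivateKey route described above and which are non-exportable and would need the CERT_CONTEXT route. It assumes PowerShell 5.1 or later on Windows; the store path is a parameter.

```powershell
# Added example: report private-key exportability per certificate in a Windows store.
# Exportable -> key can be read out and handed to QSslKey (current Qt Schannel path).
# Non-exportable -> key must stay in the OS key store (only a CERT_CONTEXT-based
# SCHANNEL_CRED could use it). Assumes PowerShell 5.1+ on Windows.
param(
    [string]$StorePath = 'Cert:\LocalMachine\My'   # assumption: machine "Personal" store
)

function Get-PrivateKeyExportability {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    } catch {
        # typically access denied on the key container; report and move on
        return [pscustomobject]@{ Provider = "error: $($_.Exception.Message)"; Exportable = $null }
    }
    if ($null -eq $rsa) {
        return [pscustomobject]@{ Provider = 'n/a (not an RSA key)'; Exportable = $null }
    }
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        # CNG key: the export policy is a flag set on the CngKey object
        $policy = $rsa.Key.ExportPolicy
        return [pscustomobject]@{
            Provider   = $rsa.Key.Provider.Provider
            Exportable = (($policy -band [System.Security.Cryptography.CngExportPolicies]::AllowExport) -ne 0)
        }
    }
    # Legacy CAPI key (RSACryptoServiceProvider): container info carries the flag
    return [pscustomobject]@{
        Provider   = $rsa.CspKeyContainerInfo.ProviderName
        Exportable = $rsa.CspKeyContainerInfo.Exportable
    }
}

Get-ChildItem $StorePath | Where-Object { $_.HasPrivateKey } | ForEach-Object {
    $info = Get-PrivateKeyExportability -Cert $_
    $route = if ($null -eq $info.Exportable) { 'unknown' }
             elseif ($info.Exportable)       { 'QSslKey/setPrivateKey' }
             else                            { 'needs CERT_CONTEXT route' }
    [pscustomobject]@{
        Thumbprint = $_.Thumbprint
        Subject    = $_.Subject
        Provider   = $info.Provider
        Exportable = $info.Exportable
        QtRoute    = $route
    }
} | Format-Table -AutoSize
```

Keys held by a hardware-backed provider (TPM or HSM KSP) show up as non-exportable here, which is exactly the case the post above argues Qt should support without ever seeing the key material.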
-
Hi and welcome to devnet,
I think this might be worth a feature request. Did you already check the bug report system to see if there's already something there for that?
-
Hi, thanks, I will enter one - I had to understand the problem first.
-