Re: CryptAcquireContext - Object already exists Error

From: Ryan Menezes [MSFT] (ryanmen_at_online.microsoft.com)
Date: 09/27/04
Date: Sun, 26 Sep 2004 16:03:09 -0700

Here's a brief outline of what you might want to do to get this to work.

// Get the existing security descriptor (DACL part) of the key container.
// (Error checking is omitted throughout this outline.)
// First call with a NULL buffer to learn the required size, then fetch it.
DWORD size = 0;
CryptGetProvParam(hProv, PP_KEYSET_SEC_DESCR, NULL, &size,
                  DACL_SECURITY_INFORMATION);
PSECURITY_DESCRIPTOR sd = (PSECURITY_DESCRIPTOR)LocalAlloc(LPTR, size);
CryptGetProvParam(hProv, PP_KEYSET_SEC_DESCR, (BYTE*)sd, &size,
                  DACL_SECURITY_INFORMATION);

// Retrieve the existing DACL from the security descriptor.
BOOL daclPresent = FALSE, daclDefaulted = FALSE;
PACL dacl = NULL;
GetSecurityDescriptorDacl(sd, &daclPresent, &dacl, &daclDefaulted);

// Initialize an EXPLICIT_ACCESS structure for an ACE that allows the user
// read access to the container.
EXPLICIT_ACCESS ea[1];
ZeroMemory(ea, sizeof(ea));
ea[0].grfAccessPermissions = FILE_READ_DATA;
ea[0].grfAccessMode = GRANT_ACCESS;
ea[0].grfInheritance = NO_INHERITANCE;
ea[0].Trustee.TrusteeForm = TRUSTEE_IS_SID;
ea[0].Trustee.TrusteeType = TRUSTEE_IS_USER;
ea[0].Trustee.ptstrName = (LPTSTR)pSid;   // supply the user SID here,
                                           // obtained from LookupAccountName()

// Create a new ACL that contains the new ACE plus the existing ones.
PACL pACL = NULL;
DWORD dwRes = SetEntriesInAcl(1, ea, dacl, &pACL);

// Initialize a new (absolute) security descriptor to carry the merged DACL.
SECURITY_DESCRIPTOR sdNew;
PSECURITY_DESCRIPTOR pSD = &sdNew;
InitializeSecurityDescriptor(pSD, SECURITY_DESCRIPTOR_REVISION);

// Add the new ACL to the security descriptor.
SetSecurityDescriptorDacl(pSD, TRUE, pACL, FALSE);

// Finally set the DACL on the container.
CryptSetProvParam(hProv, PP_KEYSET_SEC_DESCR, (BYTE*)pSD,
                  DACL_SECURITY_INFORMATION);

LocalFree(pACL);
LocalFree(sd);

-- 
Thanks,
Ryan Menezes [MS]
This posting is provided "AS IS" with no warranties, and confers no rights.
"Carmit" <carmitm@mail.com> wrote in message
news:1d4a1841.0409260024.994293a@posting.google.com...
> Thanks for your answer.
> I'm not sure how to use CryptSetProvParam.
> In Microsoft Knowledge Base Article - 238187 (CryptAcquireContext()
> use and troubleshooting):
> http://support.microsoft.com/default.aspx?scid=238187
> They say that if your code will run under more than one security
> context, you must give the appropriate users access to your container.
> This is done by calling the CryptSetProvParam function with the
> PP_KEYSET_SEC_DESCR flag after the container is created.
> But in the example I miss the part creating the security descriptor.
> Do you have any ideas?
>
> Thanks again,
> Carmit
>
>
>
> "Ryan Menezes [MSFT]" <ryanmen@online.microsoft.com> wrote in message
> news:<#7k5YeaoEHA.1816@TK2MSFTNGP09.phx.gbl>...
> > If the two accesses to the container (1) from the ASP page and (2) from the VB
> > application happen under different user contexts, which I guess is what is
> > happening, the two acquire context calls will fail. This is because the key
> > container is not correctly ACLed for the second case. You should consider
> > using CryptSetProvParam(PP_KEYSET_SEC_DESCR) to ACL the key container for
> > other users.
> >
> > -- 
> > Thanks,
> > Ryan Menezes [MS]
> > This posting is provided "AS IS" with no warranties, and confers no rights.
> >
> >
> > "Carmit" <carmitm@mail.com> wrote in message
> > news:1d4a1841.0409230122.2f7bbee1@posting.google.com...
> > > Hi,
> > >
> > > I'm trying to use Crypto API in a COM object.
> > >
> > > Here is some of my code:
> > >
> > > if(!CryptAcquireContext(&hCryptProv, password, NULL, PROV_RSA_FULL,
> > >                         CRYPT_MACHINE_KEYSET))
> > > {
> > >     //need to create a new key container
> > >     if(!CryptAcquireContext(&hCryptProv, password, NULL, PROV_RSA_FULL,
> > >                             CRYPT_NEWKEYSET | CRYPT_MACHINE_KEYSET ))
> > >     {
> > >         hr = E_FAIL;
> > >         ...
> > >         return hr;
> > >     }
> > > }
> > > }
> > >
> > >
> > > When trying to use my COM object from an ASP web page everything is
> > > great, but when I'm trying to use it from another application (let's
> > > say a VB application), I get an error that my key container already
> > > exists.
> > >
> > > I understood that using CRYPT_MACHINE_KEYSET flag should allow me to
> > > use this key container from different applications on the same
> > > machine.
> > >
> > > Any help would be appreciated.
> > >
> > > Thanks,
> > > Carmit
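The same repair in managed code, as an added example that is not code from this thread: .NET's CspParameters.CryptoKeySecurity is the wrapper for the key container security descriptor that the outline above sets through PP_KEYSET_SEC_DESCR, and CspKeyContainerInfo.CryptoKeySecurity reads it back so you can confirm which accounts the container is ACLed for. It assumes .NET Framework on Windows; the container name and the second account (NETWORK SERVICE here) are placeholders.

```csharp
using System;
using System.Security.AccessControl;
using System.Security.Cryptography;
using System.Security.Principal;
class KeyContainerAcl
{
    // Create or open a machine-wide container (CRYPT_MACHINE_KEYSET) with a DACL that
    // lets a second account read it, so its CryptAcquireContext does not fail and then
    // hit "Object already exists" on the CRYPT_NEWKEYSET retry.
    static RSACryptoServiceProvider OpenShared(string containerName, NTAccount reader)
    {
        var security = new CryptoKeySecurity();
        // The creating identity keeps full control; the second account only reads.
        security.AddAccessRule(new CryptoKeyAccessRule(WindowsIdentity.GetCurrent().User,
            CryptoKeyRights.FullControl, AccessControlType.Allow));
        security.AddAccessRule(new CryptoKeyAccessRule(reader,
            CryptoKeyRights.GenericRead, AccessControlType.Allow));
        var csp = new CspParameters(1 /* PROV_RSA_FULL */)
        {
            KeyContainerName = containerName,
            Flags = CspProviderFlags.UseMachineKeyStore,
            CryptoKeySecurity = security   // applied as the key container's DACL
        };
        return new RSACryptoServiceProvider(csp);
    }
    // Read the container's DACL back and return the rights allowed to one account
    // (0 if it has no Allow entry): the check to run when a second context fails.
    static CryptoKeyRights AllowedRights(RSACryptoServiceProvider rsa, NTAccount account)
    {
        CryptoKeyRights rights = 0;
        CryptoKeySecurity acl = rsa.CspKeyContainerInfo.CryptoKeySecurity;
        foreach (CryptoKeyAccessRule rule in acl.GetAccessRules(true, true, typeof(NTAccount)))
        {
            if (rule.AccessControlType == AccessControlType.Allow && rule.IdentityReference == account)
                rights |= rule.CryptoKeyRights;
        }
        return rights;
    }
    static void Main()
    {
        // Placeholders: substitute the real second account and container name.
        var reader = new NTAccount("NT AUTHORITY\\NETWORK SERVICE");
        using (var rsa = OpenShared("ExampleSharedContainer", reader))
        {
            Console.WriteLine("Container: " + rsa.CspKeyContainerInfo.KeyContainerName);
            Console.WriteLine("Rights for second account: " + AllowedRights(rsa, reader));
        }
    }
}
```

Run it once under the identity that creates the container; the second account then opens the same container without CRYPT_NEWKEYSET and never reaches the "already exists" failure.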
