  1. #1
    Join Date
    Sep 2006
    Posts
    10

    CertOpenStore and non-admin users

    I'm writing some SSL code, and I've found that it can only open and use the necessary certificate if the current user has administrative privileges, and our client is adamant that this code must work for ordinary users (and they don't want to move the certificate).

    So,

    1. The certificate is installed in the personal store of CERT_SYSTEM_STORE_LOCAL_MACHINE. It has a private key.

    2. This line of code:
    CertOpenStore( CERT_STORE_PROV_SYSTEM, 0, NULL, CERT_SYSTEM_STORE_LOCAL_MACHINE, L"MY" );

    This works fine and dandy for Administrator, but for other users it fails, and GetErrorCode returns 5 (ERROR_ACCESS_DENIED).

    3. I can get CertOpenStore to work for non-admin users by adding the flag CERT_OPEN_READONLY_FLAG. If I do that I can also apply the context and all that without problems.

    However, when I actually try to send an SSL message like this:

    WinHttpSendRequest( hRequest, WINHTTP_NO_ADDITIONAL_HEADERS, 0, NULL, 0, dwPostSize, NULL);

    It fails, and I get the generic error 12175 (ERROR_WINHTTP_SECURE_FAILURE).
    Note though, as Administrator, it makes no difference whether I use CERT_OPEN_READONLY_FLAG -- it always works fine.

    -------------------------

    Any help massively appreciated.

    As well as solutions, something that proves it is not possible for a non-admin to use this kind of certificate is equally helpful for me.

  2. #2
    Join Date
    Sep 2006
    Posts
    10

    Re: CertOpenStore and non-admin users

    OK, well, if anyone's following this thread because they have a similar problem, I haven't solved the problem but it really does seem that ordinary, non-admin users cannot use the CERT_SYSTEM_STORE_LOCAL_MACHINE store.

    Regular users only have read access to HKEY_LOCAL_MACHINE, but read-write to HKEY_CURRENT_USER (where the certificate system stores are actually located http://msdn.microsoft.com/en-us/libr...36(VS.85).aspx).
    Erm, and it looks like WinHttpSendRequest needs read-write access to the certificate store? That's the only explanation I can come up with for why WinHttpSendRequest fails even when I use the READONLY flag when opening the certificate.

    The 'solution' was just to move the certificate to HKEY_CURRENT_USER and change the code accordingly, despite our client's objections that they really, really wanted the cert to be in HKEY_LOCAL_MACHINE, for no given reason.

  3. #3
    Join Date
    Jan 2013
    Posts
    1

    Re: CertOpenStore and non-admin users

    You don't have read/write access to the local machine store, but you can access it read-only, so you can add CERT_STORE_READONLY_FLAG to enable that. Your code will then look like this:

    CertOpenStore( CERT_STORE_PROV_SYSTEM, 0, NULL, CERT_SYSTEM_STORE_LOCAL_MACHINE | CERT_STORE_READONLY_FLAG, L"MY" );
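A diagnostic to narrow down the failure described in this thread, written for this page rather than taken from any of the posts. It assumes, which the thread does not establish, that the access-denied behaviour comes from the ACL on the certificate's private key rather than from the store itself (which #3 shows an ordinary user can open read-only); the thumbprint and the key-file lookup under %ProgramData%\Microsoft\Crypto are assumptions as well.

```powershell
# Added diagnostic, not code from the thread. Run as the non-admin user whose
# WinHttpSendRequest fails. It repeats what WinHttp does: open LocalMachine\My
# read-only (allowed for ordinary users), then open and use the certificate's
# private key (the step that is denied when the key's ACL excludes the user).
param([string]$Thumbprint = "<THUMBPRINT-OF-CLIENT-CERT>")   # placeholder, replace

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My", "LocalMachine")
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)  # CERT_STORE_READONLY_FLAG
$cert = $store.Certificates | Where-Object { $_.Thumbprint -eq $Thumbprint }
$store.Close()
if (-not $cert) { throw "No certificate $Thumbprint in LocalMachine\My (the store itself opened fine)" }

"Subject       : $($cert.Subject)"
"HasPrivateKey : $($cert.HasPrivateKey)"   # a key is associated; says nothing about whether you may open it

try {
    # Managed equivalent of CryptAcquireCertificatePrivateKey, plus one signature,
    # which is what a TLS client-authentication handshake needs from the key.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    $null = $rsa.SignData([byte[]](1, 2, 3),
        [System.Security.Cryptography.HashAlgorithmName]::SHA256,
        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
    "Private key   : usable by $env:USERDOMAIN\$env:USERNAME"
} catch {
    "Private key   : NOT usable: $($_.Exception.Message)"
    "Fix (as admin): certlm.msc > Personal > certificate > All Tasks > Manage Private Keys > grant the user Read"
    return
}

# Locate the key file (CNG keys expose Key.UniqueName, CAPI keys the CSP container
# name) and show which principals are allowed to read it.
$unique = if ($rsa.Key) { $rsa.Key.UniqueName } else { $rsa.CspKeyContainerInfo.UniqueKeyContainerName }
$keyFile = Get-ChildItem "$env:ProgramData\Microsoft\Crypto" -Recurse -File -Filter $unique `
    -ErrorAction SilentlyContinue | Select-Object -First 1
if ($keyFile) {
    "Key file      : $($keyFile.FullName)"
    (Get-Acl $keyFile.FullName).Access |
        Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
}
```

If the store opens but the signing step is denied, moving the certificate to HKEY_CURRENT_USER is not the only option: granting the user Read on the machine key leaves the certificate where the client wants it.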
