Skip to content

Correctly set the machine store flag when requested #802

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Aug 6, 2025
Merged

Correctly set the machine store flag when requested #802

merged 4 commits into from
Aug 6, 2025

Conversation

areed
Copy link
Contributor

@areed areed commented Jul 11, 2025
edited
Loading

Fix the NCRYPT_MACHINE_KEY_FLAG constant and use it in calls for key operations when the machine store is specified in the uri. Validate the store arg is compatible with the provider.

Pain or issue this feature alleviates:

step-kms-plugin create capi:store-location=machine;key=a1 --kty EC --crv P-521
Error: failed to create key: unable to set key NCRYPT_KEY_TYPE_PROPERTY: NCryptSetProperty Key Type invalid value type int

Why is this important to the project (if not answered above):

Creating a key in the machine store fails. Getting or deleting a key from the machine store silently gets or deletes the key of the same name in the user store.

In what environments or workflows is this feature supported?

Windows

💔Thank you!

areed
areed commented Jul 11, 2025
View reviewed changes
kms/capi/ncrypt_windows.go
@@ -33,7 +33,7 @@ const (
NCRYPT_PCP_USAGE_AUTH_PROPERTY = "PCP_USAGEAUTH"

// Key Storage Flags
NCRYPT_MACHINE_KEY_FLAG = 0x00000001
NCRYPT_MACHINE_KEY_FLAG = 0x00000020
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

https://learn.microsoft.com/en-us/windows/win32/seccng/key-storage-property-identifiers#ncrypt_key_type_property

@areed areed requested a review from maraino July 15, 2025 14:34
maraino
maraino requested changes Jul 21, 2025
View reviewed changes
kms/capi/capi.go Outdated
Comment on lines 50 to 52
SoftwareProvider = "Microsoft Software Key Storage Provider"
SmartCardProvider = "Microsoft Smart Card Key Storage Provider"
PlatformProvider = "Microsoft Platform Crypto Provider"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ncrypt_windows.go provides the same constants with a different name, perhaps we want to use those instead of creating new ones. We should also use a constant on New() to set the default provider.

Copy link
Contributor Author

@areed areed Jul 21, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

2fe35c1

@areed areed force-pushed the areed/fix-capi-key-store branch 2 times, most recently from 18cbf69 to ab01b7b Compare July 21, 2025 19:20
@areed areed requested a review from maraino July 21, 2025 19:42
@areed areed enabled auto-merge (squash) July 21, 2025 19:43
areed added 3 commits August 4, 2025 08:19
@areed
Correctly set the machine store flag when requested
84b11b2 
Fix the NCRYPT_MACHINE_KEY_FLAG constant and use it in calls for key
operations when the machine store is specified in the uri.
@areed
Validate store is compatible with provider
e627ebb
@areed
Remove duplicate constants
2fe35c1
@areed areed force-pushed the areed/fix-capi-key-store branch from ab01b7b to 2fe35c1 Compare August 4, 2025 13:19
@areed areed merged commit c93cd91 into master Aug 6, 2025
12 checks passed
@areed areed deleted the areed/fix-capi-key-store branch August 6, 2025 19:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@maraino maraino maraino approved these changes

Assignees
No one assigned
Labels
needs triage
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@areed @maraino