<html>

  <head>

    <meta content="text/html; charset=windows-1252"

      http-equiv="Content-Type">

  </head>

  <body bgcolor="#FFFFFF" text="#000000">

    <p>Thank you Valerie for looking into this!<br>

    </p>

    <br>

    <div class="moz-cite-prefix">On 16.08.2016 22:18, Valerie Peng

      wrote:<br>

    </div>

    <blockquote

      cite="mid:24339fa6-9f25-0863-6fff-3eca3d97e65b@oracle.com"

      type="cite">

      <meta content="text/html; charset=windows-1252"

        http-equiv="Content-Type">

      <p><br>

      </p>

      <p>I am not familiar with the general behavior of

        CryptAcquireCertificatePrivateKey API.<br>

      </p>

      Would the first CryptAcquireCertificatePrivateKey(.., <span

        class="changed">CRYPT_ACQUIRE_SILENT_FLAG, ...) ever return

        TRUE?<br>

      </span></blockquote>

    <br>

    Yes.  It returns TRUE if the key could be acquired silently, and

    I've seen this happening.<br>

    <br>

    <blockquote

      cite="mid:24339fa6-9f25-0863-6fff-3eca3d97e65b@oracle.com"

      type="cite"><span class="changed"> If yes, then do we need to

        release the context and call </span>CryptAcquireCertificatePrivateKey(..)

      again?<br>

      <br>

      I'd expect the overall logic to be something like:<br>

      <blockquote>

        <pre><span class="changed">if (::CryptAcquireCertificatePrivateKey(pCertContext, CRYPT_ACQUIRE_SILENT_FLAG, NULL,</span><span class="changed">

        &hCryptProv, &dwKeySpec, &bCallerFreeProv) == FALSE) {

    if (</span><span class="changed"><span class="changed">GetLastError() == NTE_SILENT_CONTEXT) {

        </span></span><span class="changed"><span class="changed"><span class="changed">// Try acquiring the key normally (not silently)</span><span class="changed">

        if (::CryptAcquireCertificatePrivateKey(pCertContext, 0, NULL,</span>

                <span class="changed">&hCryptProv, &dwKeySpec, &bCallerFreeProv) == FALSE)</span> <span class="changed">{</span></span></span><span class="changed"><span class="changed"><span class="changed"><span class="changed">

            bHasNoPrivateKey = TRUE;

</span></span>        }

    } else {

        </span></span><span class="changed"><span class="changed"><span class="changed">bHasNoPrivateKey = TRUE;

    }

</span></span>}

// Then proceed on different code paths based on </span><span class="changed"><span class="changed"><span class="changed">bHasNoPrivateKey value

</span></span></span></pre>

      </blockquote>

    </blockquote>

    This was the first thing I attempted to do.<br>

    However, some subsequent operations with the key started to fail,

    throwing SignatureException (with the message "Provider could not

    perform the action since the context was acquired as silent.")<br>

    <br>

    That's why I switched to what is in this proposal: Silent probing

    and then re-acquiring the key normally (not silently).<br>

    <br>

    With kind regards,<br>

    Ivan<br>

    <br>

    <blockquote

      cite="mid:24339fa6-9f25-0863-6fff-3eca3d97e65b@oracle.com"

      type="cite">

      <blockquote>

        <pre><span class="changed"><span class="changed"><span class="changed">

</span></span></span></pre>

      </blockquote>

      Anything that I missed?<br>

      Valerie<br>

      <br>

      <div class="moz-cite-prefix">On 8/16/2016 6:27 AM, Vincent Ryan

        wrote:<br>

      </div>

      <blockquote

        cite="mid:1A59DF96-4E31-4738-A70F-E499793879BF@oracle.com"

        type="cite">

        <pre wrap="">That fix looks fine. Is there any significant performance impact due to calling CryptAcquireCertificatePrivateKey twice?

Thanks.

</pre>

        <blockquote type="cite">

          <pre wrap="">On 16 Aug 2016, at 13:56, Ivan Gerasimov <a moz-do-not-send="true" class="moz-txt-link-rfc2396E" href="mailto:ivan.gerasimov@oracle.com"><ivan.gerasimov@oracle.com></a> wrote:

A gentle reminder.

Would you please help review at your convenience.

With kind regards,

Ivan

On 09.08.2016 12:27, Ivan Gerasimov wrote:

</pre>

          <blockquote type="cite">

            <pre wrap="">Hello!

In order to reduce the number of popup dialog windows during accessing the smartcard, it is proposed to first do a silent "probe" step.

Only if this probe succeeded, or if it failed due to that SILENT flag, we'll try to re-acquire the key normally (i.e. not silently).

Would you please help review this proposal?

BUGURL: <a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://bugs.openjdk.java.net/browse/JDK-8153438">https://bugs.openjdk.java.net/browse/JDK-8153438</a>

WEBREV: <a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://cr.openjdk.java.net/%7Eigerasim/8153438/00/webrev/">http://cr.openjdk.java.net/~igerasim/8153438/00/webrev/</a>

With kind regards,

Ivan

</pre>

          </blockquote>

        </blockquote>

      </blockquote>

      <br>

    </blockquote>

    <br>

  </body>

</html>