<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <p>Thank you Valerie for looking into this!<br>
    </p>
    <br>
    <div class="moz-cite-prefix">On 16.08.2016 22:18, Valerie Peng
      wrote:<br>
    </div>
    <blockquote
      cite="mid:24339fa6-9f25-0863-6fff-3eca3d97e65b@oracle.com"
      type="cite">
      <p>I am not familiar with the general behavior of
        CryptAcquireCertificatePrivateKey API.<br>
      </p>
      Would the first CryptAcquireCertificatePrivateKey(.., <span
        class="changed">CRYPT_ACQUIRE_SILENT_FLAG, ...) ever return
        TRUE?<br>
      </span></blockquote>
    <br>
    Yes.  It returns TRUE if the key could be acquired silently, and
    I've seen this happening.<br>
    <br>
    <blockquote
      cite="mid:24339fa6-9f25-0863-6fff-3eca3d97e65b@oracle.com"
      type="cite"><span class="changed"> If yes, then do we need to
        release the context and call </span>CryptAcquireCertificatePrivateKey(..)
      again?<br>
      <br>
      I'd expect the overall logic to be something like:<br>
      <blockquote>
        <pre><span class="changed">if (::CryptAcquireCertificatePrivateKey(pCertContext, CRYPT_ACQUIRE_SILENT_FLAG, NULL,</span><span class="changed">
        &hCryptProv, &dwKeySpec, &bCallerFreeProv) == FALSE) {
    if (</span><span class="changed"><span class="changed">GetLastError() == NTE_SILENT_CONTEXT) {
        </span></span><span class="changed"><span class="changed"><span class="changed">// Try acquiring the key normally (not silently)</span><span class="changed">
        if (::CryptAcquireCertificatePrivateKey(pCertContext, 0, NULL,</span>
                <span class="changed">&hCryptProv, &dwKeySpec, &bCallerFreeProv) == FALSE)</span> <span class="changed">{</span></span></span><span class="changed"><span class="changed"><span class="changed"><span class="changed">
            bHasNoPrivateKey = TRUE;
</span></span>        }
    } else {
        </span></span><span class="changed"><span class="changed"><span class="changed">bHasNoPrivateKey = TRUE;
    }
</span></span>}

// Then proceed on different code paths based on </span><span class="changed"><span class="changed"><span class="changed">bHasNoPrivateKey value

</span></span></span></pre>
      </blockquote>
    </blockquote>
    This was the first thing I attempted to do.<br>
    However, some subsequent operations with the key started to fail,
    throwing SignatureException (with the message "Provider could not
    perform the action since the context was acquired as silent.")<br>
    <br>
    That's why I switched to what is in this proposal: Silent probing
    and then re-acquiring the key normally (not silently).<br>
    <br>
    With kind regards,<br>
    Ivan<br>
    <br>
    <blockquote
      cite="mid:24339fa6-9f25-0863-6fff-3eca3d97e65b@oracle.com"
      type="cite">
      Anything that I missed?<br>
      Valerie<br>
      <br>
      <div class="moz-cite-prefix">On 8/16/2016 6:27 AM, Vincent Ryan
        wrote:<br>
      </div>
      <blockquote
        cite="mid:1A59DF96-4E31-4738-A70F-E499793879BF@oracle.com"
        type="cite">
        <pre wrap="">That fix looks fine. Is there any significant performance impact due to calling CryptAcquireCertificatePrivateKey twice?
Thanks.

</pre>
        <blockquote type="cite">
          <pre wrap="">On 16 Aug 2016, at 13:56, Ivan Gerasimov <a moz-do-not-send="true" class="moz-txt-link-rfc2396E" href="mailto:ivan.gerasimov@oracle.com"><ivan.gerasimov@oracle.com></a> wrote:

A gentle reminder.

Would you please help review at your convenience.

With kind regards,
Ivan


On 09.08.2016 12:27, Ivan Gerasimov wrote:
</pre>
          <blockquote type="cite">
            <pre wrap="">Hello!

In order to reduce the number of popup dialog windows while accessing the smartcard, it is proposed to first do a silent "probe" step.
Only if this probe succeeded, or if it failed due to that SILENT flag, we'll try to re-acquire the key normally (i.e. not silently).

Would you please help review this proposal?

BUGURL: <a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://bugs.openjdk.java.net/browse/JDK-8153438">https://bugs.openjdk.java.net/browse/JDK-8153438</a>
WEBREV: <a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://cr.openjdk.java.net/%7Eigerasim/8153438/00/webrev/">http://cr.openjdk.java.net/~igerasim/8153438/00/webrev/</a>

With kind regards,
Ivan


</pre>
          </blockquote>
        </blockquote>
      </blockquote>
      <br>
    </blockquote>
    <br>
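    <p>The control flow discussed in this thread (silent probe, release, then a normal re-acquire only when the probe succeeded or failed with NTE_SILENT_CONTEXT), as an added example that is not part of the original messages or the JDK patch. The <code>sim_provider</code> type and <code>sim_acquire</code> function are hypothetical stand-ins for a key provider and for CryptAcquireCertificatePrivateKey plus GetLastError, so the logic can run without Windows or a smartcard.</p>

```c
#include <stdio.h>

/* Values from the Windows SDK headers, repeated so the sketch builds anywhere. */
#define CRYPT_ACQUIRE_SILENT_FLAG 0x00000040UL
#define NTE_SILENT_CONTEXT        0x80090022UL
#define NTE_NO_KEY                0x8009000DUL

/* Constructed model of a key provider (hypothetical, not a Windows type). */
typedef struct {
    unsigned long silent_err; /* error a silent acquire reports; 0 = success */
    int normal_ok;            /* whether a normal acquire succeeds */
    int dialogs_shown;        /* popups raised by normal acquires */
    int open_contexts;        /* acquired and not yet released */
} sim_provider;

/* Stand-in for CryptAcquireCertificatePrivateKey + GetLastError. */
static int sim_acquire(sim_provider *p, unsigned long flags, unsigned long *err)
{
    if (flags & CRYPT_ACQUIRE_SILENT_FLAG) {
        if (p->silent_err) { *err = p->silent_err; return 0; }
    } else {
        /* Model assumption: a provider that cannot work silently prompts. */
        if (p->silent_err) p->dialogs_shown++;
        if (!p->normal_ok) { *err = NTE_NO_KEY; return 0; }
    }
    p->open_contexts++;
    return 1;
}

/* Returns 1 when a normally acquired (non-silent) context is held. */
int acquire_private_key(sim_provider *p)
{
    unsigned long err = 0;
    if (sim_acquire(p, CRYPT_ACQUIRE_SILENT_FLAG, &err)) {
        p->open_contexts--;   /* release the probe; do not keep the silent context */
    } else if (err != NTE_SILENT_CONTEXT) {
        return 0;             /* probe failed for another reason: no normal call, no popup */
    }
    return sim_acquire(p, 0, &err);
}

int main(void)
{
    sim_provider card = { NTE_SILENT_CONTEXT, 1, 0, 0 };  /* constructed: needs a dialog */
    sim_provider none = { NTE_NO_KEY, 0, 0, 0 };          /* constructed: no private key */
    int ok_card = acquire_private_key(&card);
    int ok_none = acquire_private_key(&none);
    printf("card: ok=%d dialogs=%d\n", ok_card, card.dialogs_shown);
    printf("none: ok=%d dialogs=%d\n", ok_none, none.dialogs_shown);
    return 0;
}
```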
  </body>
</html>