Skip to content

Delete CNG private keys when CleanupCredentials removes expired certs#1030

Open
darkfronza wants to merge 1 commit into
masterfrom
diego/eff-232-cng-key-containers-not-deleted-for-superseded-certs
Open

Delete CNG private keys when CleanupCredentials removes expired certs#1030
darkfronza wants to merge 1 commit into
masterfrom
diego/eff-232-cng-key-containers-not-deleted-for-superseded-certs

Conversation

@darkfronza
Copy link
Copy Markdown
Contributor

@darkfronza darkfronza commented May 18, 2026

CleanupCredentials previously deleted the certificate from the Windows store but left the paired CNG private key in the provider, accumulating orphan .PCPKSP blobs on disk as certificates were renewed.

  • Add a delete-key URI flag on CAPIKMS.DeleteCertificate. When set, the cert's CNG key is removed via nCryptDeleteKey before the cert context is deleted, so a partial failure leaves the cert in place for retry rather than orphaning the key.
  • Rewrite CAPIKMS.CleanupCredentials to walk the store directly and delete each expired cert together with its CNG key. Enumeration is restarted after every delete because CertDeleteCertificateFromStore frees the context the next find call would chain from.
  • TPMKMS.deleteCertificateFromWindowsCertificateStore now sets delete-key=true on its URI, since TPMKMS-managed certs have a 1:1 CNG key with no independent use.
  • Update TestKMS_CleanupCredentials_capi to assert that both the certificate and the CNG private key are removed.

EFF-232

Change-Type: feature
Release-Note: yes
Audience: developer
Impact: low
Breaking: false

@darkfronza @claude
Delete CNG private keys when CleanupCredentials removes expired certs
9788b30 
CleanupCredentials previously deleted the certificate from the Windows
store but left the paired CNG private key in the provider, accumulating
orphan .PCPKSP blobs on disk as certificates were renewed.

- Add a `delete-key` URI flag on CAPIKMS.DeleteCertificate. When set,
  the cert's CNG key is removed via nCryptDeleteKey before the cert
  context is deleted, so a partial failure leaves the cert in place
  for retry rather than orphaning the key.
- Rewrite CAPIKMS.CleanupCredentials to walk the store directly and
  delete each expired cert together with its CNG key. Enumeration is
  restarted after every delete because CertDeleteCertificateFromStore
  frees the context the next find call would chain from.
- TPMKMS.deleteCertificateFromWindowsCertificateStore now sets
  delete-key=true on its URI, since TPMKMS-managed certs have a 1:1
  CNG key with no independent use.
- Update TestKMS_CleanupCredentials_capi to assert that both the
  certificate and the CNG private key are removed.

EFF-232

Change-Type: feature
Release-Note: yes
Audience: developer
Impact: low
Breaking: false
Co-Authored-By: Claude <noreply@anthropic.com>
maraino
maraino reviewed May 18, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@maraino maraino left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Capi already supports the DeleteKey method, why don't use just that in TPMKMS?

@darkfronza
Copy link
Copy Markdown
Contributor Author

darkfronza commented May 19, 2026

@maraino I think that the interface for the method is less clear in that internal context for deleting the certificate and associated key, so using cryptFindCertificatePrivateKey + nCryptDeleteKey sounds easier then building a *apiv1.DeleteKeyRequest out of the available data.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@maraino maraino maraino left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

needs triage

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@darkfronza @maraino @step-ci