
An Active-X control that wraps the Windows Crypto API is sometimes returning an error of "The keyset is not defined". I have discussed this problem with the vendor of the Active-X control and they are puzzled as well. They are using NULL as the provider, which allows the Crypto API to make its own choice.

This Microsoft article, CryptAcquireContext() use and troubleshooting, as well as some other bits and pieces of information, indicate registration issues or Windows Registry issues.

My question is: what are some of the reasons why this sometimes happens when most of the time we do not see this problem?

What kinds of procedures could we use to collect data leading to a root cause?

An actual suggested solution would be nice; however, some additional data collection for root cause analysis would be helpful.

The actual deployment environment is a set of tablet PCs which are using a cellular network for LAN access in a mobile environment. There is a set of these tablets which are set up and provisioned when being deployed for a trip. At the end of a trip, the tablets are put back into storage.

We have been unable to replicate this problem in the lab. Lab testing seems to work fine even when the environment is replicated to use the cellular LAN that is used in the field.

Edit 01.

One thing we have seen in the field is that once the problem is hit, it consistently happens during a short span of time as in over the course of half a minute. We know this because we have logs which show the Decrypt being done for a series of records which are being processed and on each error we skip to the next record which again gives us a Decrypt error. If there are say 30 records to be processed, we will see 30 logs, one for each record, with the same error.

We are looking at the following and once I have additional information I will update this question:

  • stopping processing at the first failure in order to allow for a reboot and retry

  • auditing tablet tracking to determine if it is only particular tablets

I am currently working my way through the various links of Windows C/C++ Crypto API Examples and tips, and one thing that may be helpful in gathering data is to enumerate through the list of providers when the application starts up to generate a list of those.

Edit 02

The vendor has provided the usage of the CryptAcquireContext() function being used. It is being compiled with UNICODE turned off, so the LPCTSTR is a standard char string and not a wchar_t string.

```cpp
if (!::CryptAcquireContext(&m_hCryptProv, NULL, MS_ENHANCED_PROV, PROV_RSA_FULL, CRYPT_VERIFYCONTEXT))
{
    m_strLastError = LookupSystemError(::GetLastError());
    DestroySession();
    return false;
}
```
Richard Chambers
  • 2
    To analyze the issue, capture the system state when the error happens (e.g. by writing a minidump, calling [MiniDumpWriteDump](https://msdn.microsoft.com/en-us/library/windows/desktop/ms680360.aspx)). This may give you some insight, although it may be too late at that point already. – IInspectable Sep 17 '15 at 15:28
  • 1
    If you go @IInspectable's route you probably want to ask the vendor for debugging symbols for their control, if you don't have them already. If for no other reason than being able to figure out whether it's the vendor's problem or your problem. Another possible route would be to make the same sequence of API calls yourself on failure to either include or exclude the vendor's control. Although if the issue is transient, then the calls may fail due to some underlying root cause. – theB Sep 17 '15 at 16:20
  • @IInspectable, thank you for the suggestion. Interesting to read what is available with MiniDump though I am not sure this will help me. There seems to be some kind of application environment issue that is causing the Windows Crypto API to sometimes fail. If I had a dump, I am not sure what I would look for or if what I need to know was actually captured by the dump. – Richard Chambers Sep 17 '15 at 16:20
  • @theB, thank you for the suggestion. I had not thought of that and it might actually provide some additional information. I did update my posted question with some additional data about processing multiple records and seeing a failure on each. – Richard Chambers Sep 17 '15 at 16:32
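
One way to collect the provider registration data the question asks about, as an added example that is not part of the original post or the vendor's code. It snapshots the CSP entries under `HKLM\SOFTWARE\Microsoft\Cryptography\Defaults`, checks the provider and type passed to `CryptAcquireContext()` above, and appends the result to a log; the log path and function names are hypothetical.

```powershell
$base       = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Defaults'
$wantedName = 'Microsoft Enhanced Cryptographic Provider v1.0'  # MS_ENHANCED_PROV
$wantedType = 1                                                  # PROV_RSA_FULL
$logFile    = Join-Path $env:TEMP 'csp-state.log'                # hypothetical path

function Resolve-CspImage([string]$imagePath) {
    # "Image Path" may hold environment variables or a bare DLL name.
    $p = [Environment]::ExpandEnvironmentVariables($imagePath)
    if (-not [IO.Path]::IsPathRooted($p)) {
        $p = Join-Path ([Environment]::SystemDirectory) $p
    }
    return $p
}

function Get-CspRegistration {
    foreach ($key in Get-ChildItem -LiteralPath "$base\Provider" -ErrorAction Stop) {
        $v   = Get-ItemProperty -LiteralPath $key.PSPath
        $dll = if ($v.'Image Path') { Resolve-CspImage ($v.'Image Path') } else { $null }
        [pscustomobject]@{
            Provider  = $key.PSChildName
            Type      = $v.Type
            ImagePath = $dll
            DllExists = [bool]($dll -and (Test-Path -LiteralPath $dll))
        }
    }
}

$report  = @(Get-CspRegistration)
$typeKey = "$base\Provider Types\Type {0:D3}" -f $wantedType
$default = (Get-ItemProperty -LiteralPath $typeKey -ErrorAction SilentlyContinue).Name
$target  = $report | Where-Object { $_.Provider -eq $wantedName }

$problems = @()
if (-not $target) {
    $problems += "'$wantedName' is not registered"
} elseif ($target.Type -ne $wantedType) {
    $problems += "registered type is $($target.Type), expected $wantedType"
} elseif (-not $target.DllExists) {
    $problems += "provider DLL missing: $($target.ImagePath)"
}
if (-not $default) { $problems += "no default provider for type $wantedType" }

# Append a timestamped snapshot so a failing tablet can be compared with a lab tablet.
$summary = if ($problems) { $problems | ForEach-Object { "PROBLEM: $_" } } else { 'No registration problems found' }
$lines   = @("=== $(Get-Date -Format o) on $env:COMPUTERNAME ===")
$lines  += "Default provider for type ${wantedType}: $default"
$lines  += ($report | Sort-Object Provider | Format-Table -AutoSize | Out-String).TrimEnd()
$lines  += $summary
$lines | Out-File -FilePath $logFile -Append -Encoding utf8
```

If the control is a 32-bit component on 64-bit Windows, run this from the 32-bit PowerShell host so it reads the same redirected registry view the control sees.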
