Added support for loading certificates and private key pairs from PKCS #12 files, as well as loading certificates (without private key) from PEM or DER files. Some code restructuring and cleanup.

NetSSL_Win/include/Poco/Net/AutoSecBufferDesc.h

@@ -1,9 +1,9 @@
 //
 // AutoSecBufferDesc.h
 //
-// $Id: //poco/1.4/NetSSL_Schannel/include/Poco/Net/AutoSecBufferDesc.h#1 $
+// $Id$
 //
-// Library: NetSSL_Schannel
+// Library: NetSSL_Win
 // Package: SSLCore
 // Module:  AutoSecBufferDesc
 //

NetSSL_Win/include/Poco/Net/CertificateHandlerFactory.h

@@ -1,7 +1,7 @@
 //
 // CertificateHandlerFactory.h
 //
-// $Id: //poco/1.4/NetSSL_Win/include/Poco/Net/CertificateHandlerFactory.h#1 $
+// $Id$
 //
 // Library: NetSSL_Win
 // Package: SSLCore

NetSSL_Win/include/Poco/Net/Context.h

@@ -1,9 +1,9 @@
 //
 // Context.h
 //
-// $Id: //poco/1.4/NetSSL_Schannel/include/Poco/Net/Context.h#1 $
+// $Id$
 //
-// Library: NetSSL_Schannel
+// Library: NetSSL_Win
 // Package: SSLCore
 // Module:  Context
 //
@@ -29,6 +29,11 @@
 #include <windows.h>
 #include <wincrypt.h>
 #include <schannel.h>
+#ifndef SECURITY_WIN32
+#define SECURITY_WIN32
+#endif
+#include <security.h>
+#include <sspi.h>
 
 
 namespace Poco {
@@ -108,11 +113,14 @@ public:
 		OPT_USE_STRONG_CRYPTO           = 0x08,
 			/// Disable known weak cryptographic algorithms, cipher suites, and 
 			/// SSL/TLS protocol versions that may be otherwise enabled for better interoperability. 
+		OPT_LOAD_CERT_FROM_FILE         = 0x10,
+			/// Load certificate and private key from a PKCS #12 (.pfx) file, 
+			/// and not from the certificate store.
 		OPT_DEFAULTS                    = OPT_PERFORM_REVOCATION_CHECK | OPT_TRUST_ROOTS_WIN_CERT_STORE | OPT_USE_STRONG_CRYPTO
 	};
 
 	Context(Usage usage,
-		const std::string& certificateName, 
+		const std::string& certificateNameOrPath, 
 		VerificationMode verMode = VERIFY_RELAXED,
 		int options = OPT_DEFAULTS,
 		const std::string& certificateStoreName = CERT_STORE_MY);
@@ -120,16 +128,21 @@ public:
 			/// 
 			///   * usage specifies whether the context is used by a client or server,
 			///     as well as which protocol to use.
-			///   * certificateName specifies the subject name of the certificate to use.
+			///   * certificateNameOrPath specifies either the subject name of the certificate to use,
+			///     or the path of a PKCS #12 file containing the certificate and corresponding private key.
+			///     If a subject name is specified, the certificate must be located in the certificate 
+			///     store specified by certificateStoreName. If a path is given, the OPT_LOAD_CERT_FROM_FILE
+			///     option must be set.
+			///   * verificationMode specifies whether and how peer certificates are validated.
 			///   * options is a combination of Option flags.
 			///   * certificateStoreName specifies the name of the Windows certificate store
-			///   * to use for loading the certificate. You can use predefined constants
-			///     CERT_STORE_MY, CERT_STORE_ROOT, etc.
-			///   * verificationMode specifies whether and how peer certificates are validated.
+			///     to use for loading the certificate. Predefined constants
+			///     CERT_STORE_MY, CERT_STORE_ROOT, etc. can be used.
 			///
-			/// Note: If the private key is protected by a passphrase, a PrivateKeyPassphraseHandler
-			/// must have been setup with the SSLManager, or the SSLManager's PrivateKeyPassphraseRequired
-			/// event must be handled.
+			/// Note: you can use OpenSSL to convert a certificate and private key in PEM format
+			/// into PKCS #12 format required to import into the Context:
+			///
+			///     openssl pkcs12 -export -inkey cert.key -in cert.crt -out cert.pfx 
 
 	~Context();
 		/// Destroys the Context.
@@ -150,37 +163,55 @@ public:
 	int options() const;
 		/// Returns the options flags.
 
-	const std::string& certificateName() const;
-		/// Returns the name of the certificate to use.
-
-	const std::string& certificateStoreName() const;
-		/// Returns the name of the certificate store to use.
-
 	void addTrustedCert(const Poco::Net::X509Certificate& cert);
 		/// Adds the certificate to the trusted certs. Takes ownership of pCert.
 
+	Poco::Net::X509Certificate certificate();
+		/// Loads or imports and returns the certificate specified in the constructor.
+		///
+		/// Throws a NoCertificateException if the certificate cannot
+		/// be found or no certificate name has been provided in the constructor.
+		///
+		/// May also throw a filesystem-related exception if the certificate file
+		/// cannot be found.
+
 	HCERTSTORE certificateStore() const;
 		/// Returns a handle to the certificate store.
 
+	CredHandle& credentials();
+		/// Returns a reference to the Schannel credentials for this Context.
+
 	static const std::string CERT_STORE_MY;
 	static const std::string CERT_STORE_ROOT;
 	static const std::string CERT_STORE_TRUST;
 	static const std::string CERT_STORE_CA;
 	static const std::string CERT_STORE_USERDS;
 
+protected:
+	void init();
+	void loadCertificate();
+	void importCertificate();
+	void importCertificate(const char* pBuffer, std::size_t size);
+	void acquireSchannelCredentials(CredHandle& credHandle) const;
+	DWORD proto() const;
+
 private:
 	Context(const Context&);
-	Context& operator=(const Context&);
+	Context& operator = (const Context&);
 
 	Usage                      _usage;
 	Context::VerificationMode  _mode;
 	int                        _options;
-	std::string                _certificateName;
-	std::string                _certificateStoreName;
+	std::string                _certNameOrPath;
+	std::string                _certStoreName;
 	HCERTSTORE                 _hMemCertStore;
 	HCERTSTORE                 _hCollectionCertStore;
 	HCERTSTORE                 _hRootCertStore;
-	Poco::FastMutex            _mutex;
+	HCERTSTORE                 _hCertStore;
+	PCCERT_CONTEXT             _pCert;
+	CredHandle                 _hCreds;
+	SecurityFunctionTableW&    _securityFunctions;
+	mutable Poco::FastMutex    _mutex;
 };
 
 
@@ -220,18 +251,6 @@ inline bool Context::sessionCacheEnabled() const
 }
 
 
-inline const std::string& Context::certificateName() const
-{
-	return _certificateName;
-}
-
-
-inline const std::string& Context::certificateStoreName() const
-{
-	return _certificateStoreName;
-}
-
-
 inline HCERTSTORE Context::certificateStore() const
 {
 	return _hCollectionCertStore;

NetSSL_Win/include/Poco/Net/InvalidCertificateHandler.h

@@ -1,7 +1,7 @@
 //
 // InvalidCertificateHandler.h
 //
-// $Id: //poco/1.4/NetSSL_Win/include/Poco/Net/InvalidCertificateHandler.h#1 $
+// $Id$
 //
 // Library: NetSSL_Win
 // Package: SSLCore

NetSSL_Win/include/Poco/Net/KeyConsoleHandler.h

@@ -0,0 +1,49 @@
+//
+// KeyConsoleHandler.h
+//
+// $Id$
+//
+// Library: NetSSL_Win
+// Package: SSLCore
+// Module:  KeyConsoleHandler
+//
+// Definition of the KeyConsoleHandler class.
+//
+// Copyright (c) 2006-2014, Applied Informatics Software Engineering GmbH.
+// and Contributors.
+//
+// SPDX-License-Identifier:	BSL-1.0
+//
+
+
+#ifndef NetSSL_KeyConsoleHandler_INCLUDED
+#define NetSSL_KeyConsoleHandler_INCLUDED
+
+
+#include "Poco/Net/NetSSL.h"
+#include "Poco/Net/PrivateKeyPassphraseHandler.h"
+
+
+namespace Poco {
+namespace Net {
+
+
+class NetSSL_Win_API KeyConsoleHandler: public PrivateKeyPassphraseHandler
+	/// An implementation of PrivateKeyPassphraseHandler that
+	/// reads the key for a certificate from the console.
+{
+public:
+	KeyConsoleHandler(bool server);
+		/// Creates the KeyConsoleHandler.
+
+	~KeyConsoleHandler();
+		/// Destroys the KeyConsoleHandler.
+
+	void onPrivateKeyRequested(const void* pSender, std::string& privateKey);
+};
+
+
+} } // namespace Poco::Net
+
+
+#endif // NetSSL_KeyConsoleHandler_INCLUDED

NetSSL_Win/include/Poco/Net/KeyFileHandler.h

@@ -0,0 +1,53 @@
+//
+// KeyFileHandler.h
+//
+// $Id$
+//
+// Library: NetSSL_Win
+// Package: SSLCore
+// Module:  KeyFileHandler
+//
+// Definition of the KeyFileHandler class.
+//
+// Copyright (c) 2006-2014, Applied Informatics Software Engineering GmbH.
+// and Contributors.
+//
+// SPDX-License-Identifier:	BSL-1.0
+//
+
+
+#ifndef NetSSL_KeyFileHandler_INCLUDED
+#define NetSSL_KeyFileHandler_INCLUDED
+
+
+#include "Poco/Net/NetSSL.h"
+#include "Poco/Net/PrivateKeyPassphraseHandler.h"
+
+
+namespace Poco {
+namespace Net {
+
+
+class NetSSL_Win_API KeyFileHandler: public PrivateKeyPassphraseHandler
+	/// An implementation of PrivateKeyPassphraseHandler that 
+	/// reads the key for a certificate from a configuration file
+	/// under the path "openSSL.privateKeyPassphraseHandler.options.password".
+{
+public:
+	KeyFileHandler(bool server);
+		/// Creates the KeyFileHandler.
+
+	virtual ~KeyFileHandler();
+		/// Destroys the KeyFileHandler.
+
+	void onPrivateKeyRequested(const void* pSender, std::string& privateKey);
+
+private:
+	static const std::string CFG_PRIV_KEY_FILE;
+};
+
+
+} } // namespace Poco::Net
+
+
+#endif // NetSSL_KeyFileHandler_INCLUDED

NetSSL_Win/include/Poco/Net/PrivateKeyFactory.h

@@ -0,0 +1,97 @@
+//
+// PrivateKeyFactory.h
+//
+// $Id$
+//
+// Library: NetSSL_Win
+// Package: SSLCore
+// Module:  PrivateKeyFactory
+//
+// Definition of the PrivateKeyFactory class.
+//
+// Copyright (c) 2006-214, Applied Informatics Software Engineering GmbH.
+// and Contributors.
+//
+// SPDX-License-Identifier:	BSL-1.0
+//
+
+
+#ifndef NetSSL_PrivateKeyFactory_INCLUDED
+#define NetSSL_PrivateKeyFactory_INCLUDED
+
+
+#include "Poco/Net/NetSSL.h"
+
+
+namespace Poco {
+namespace Net {
+
+
+class PrivateKeyPassphraseHandler;
+
+
+class NetSSL_Win_API PrivateKeyFactory
+	/// A PrivateKeyFactory is responsible for creating PrivateKeyPassphraseHandlers.
+	///
+	/// You don't need to access this class directly. Use the macro
+	///     POCO_REGISTER_KEYFACTORY(namespace, PrivateKeyPassphraseHandlerName) 
+	/// instead (see the documentation of PrivateKeyPassphraseHandler for an example).
+{
+public:
+	PrivateKeyFactory();
+		/// Creates the PrivateKeyFactory.
+
+	virtual ~PrivateKeyFactory();
+		/// Destroys the PrivateKeyFactory.
+
+	virtual PrivateKeyPassphraseHandler* create(bool onServer) const = 0;
+		/// Creates a new PrivateKeyPassphraseHandler
+};
+
+
+class NetSSL_Win_API PrivateKeyFactoryRegistrar
+	/// Registrar class which automatically registers PrivateKeyFactories at the PrivateKeyFactoryMgr.
+	///
+	/// You don't need to access this class directly. Use the macro
+	///     POCO_REGISTER_KEYFACTORY(namespace, PrivateKeyPassphraseHandlerName) 
+	/// instead (see the documentation of PrivateKeyPassphraseHandler for an example).
+
+{
+public:
+	PrivateKeyFactoryRegistrar(const std::string& name, PrivateKeyFactory* pFactory);
+		/// Registers the PrivateKeyFactory with the given name at the factory manager.
+
+	virtual ~PrivateKeyFactoryRegistrar();
+		/// Destroys the PrivateKeyFactoryRegistrar.
+};
+
+
+template<typename T>
+class PrivateKeyFactoryImpl: public Poco::Net::PrivateKeyFactory
+{
+public:
+	PrivateKeyFactoryImpl()
+	{
+	}
+
+	~PrivateKeyFactoryImpl()
+	{
+	}
+
+	PrivateKeyPassphraseHandler* create(bool server) const
+	{
+		return new T(server);
+	}
+};
+
+
+} } // namespace Poco::Net
+
+
+// DEPRECATED: register the factory directly at the FactoryMgr:
+// Poco::Net::SSLManager::instance().privateKeyFactoryMgr().setFactory(name, new Poco::Net::PrivateKeyFactoryImpl<MyKeyHandler>());
+#define POCO_REGISTER_KEYFACTORY(API, PKCLS)	\
+	static Poco::Net::PrivateKeyFactoryRegistrar aRegistrar(std::string(#PKCLS), new Poco::Net::PrivateKeyFactoryImpl<PKCLS>());
+
+
+#endif // NetSSL_PrivateKeyFactory_INCLUDED

NetSSL_Win/include/Poco/Net/PrivateKeyFactoryMgr.h

@@ -0,0 +1,66 @@
+//
+// PrivateKeyFactoryMgr.h
+//
+// $Id$
+//
+// Library: NetSSL_Win
+// Package: SSLCore
+// Module:  PrivateKeyFactoryMgr
+//
+// Definition of the PrivateKeyFactoryMgr class.
+//
+// Copyright (c) 2006-2014, Applied Informatics Software Engineering GmbH.
+// and Contributors.
+//
+// SPDX-License-Identifier:	BSL-1.0
+//
+
+
+#ifndef NetSSL_PrivateKeyFactoryMgr_INCLUDED
+#define NetSSL_PrivateKeyFactoryMgr_INCLUDED
+
+
+#include "Poco/Net/NetSSL.h"
+#include "Poco/Net/PrivateKeyFactory.h"
+#include "Poco/SharedPtr.h"
+#include <map>
+
+
+namespace Poco {
+namespace Net {
+
+
+class NetSSL_Win_API PrivateKeyFactoryMgr
+	/// A PrivateKeyFactoryMgr manages all existing PrivateKeyFactories.
+{
+public:
+	typedef std::map<std::string, Poco::SharedPtr<PrivateKeyFactory> > FactoriesMap;
+	
+	PrivateKeyFactoryMgr();
+		/// Creates the PrivateKeyFactoryMgr.
+
+	~PrivateKeyFactoryMgr();
+		/// Destroys the PrivateKeyFactoryMgr.
+
+	void setFactory(const std::string& name, PrivateKeyFactory* pFactory);
+		/// Registers the factory. Class takes ownership of the pointer.
+		/// If a factory with the same name already exists, an exception is thrown.
+
+	bool hasFactory(const std::string& name) const;
+		/// Returns true if for the given name a factory is already registered
+	
+	const PrivateKeyFactory* getFactory(const std::string& name) const;
+		/// Returns NULL if for the given name a factory does not exist, otherwise the factory is returned
+
+	void removeFactory(const std::string& name);
+		/// Removes the factory from the manager. 
+
+private:
+	FactoriesMap _factories;
+};
+
+
+} } // namespace Poco::Net
+
+
+#endif // NetSSL_PrivateKeyFactoryMgr_INCLUDED

NetSSL_Win/include/Poco/Net/PrivateKeyPassphraseHandler.h

@@ -0,0 +1,86 @@
+//
+// PrivateKeyPassphraseHandler.h
+//
+// $Id$
+//
+// Library: NetSSL_Win
+// Package: SSLCore
+// Module:  PrivateKeyPassphraseHandler
+//
+// Definition of the PrivateKeyPassphraseHandler class.
+//
+// Copyright (c) 2006-2014, Applied Informatics Software Engineering GmbH.
+// and Contributors.
+//
+// SPDX-License-Identifier:	BSL-1.0
+//
+
+
+#ifndef NetSSL_PrivateKeyPassphraseHandler_INCLUDED
+#define NetSSL_PrivateKeyPassphraseHandler_INCLUDED
+
+
+#include "Poco/Net/NetSSL.h"
+
+
+namespace Poco {
+namespace Net {
+
+
+class NetSSL_Win_API PrivateKeyPassphraseHandler
+	/// A passphrase handler is needed whenever the private key of a certificate is loaded and the certificate is protected
+	/// by a passphrase. The PrivateKeyPassphraseHandler's task is to provide that passphrase.
+	/// One can install one's own PrivateKeyPassphraseHandler by implementing this interface. Note that
+	/// in the implementation file of the subclass the following code must be present (assuming you use the namespace My_API 
+	/// and the name of your handler class is MyGuiHandler):
+	///    
+	///    #include "Poco/Net/PrivateKeyFactory.h"
+	///    ...
+	///    POCO_REGISTER_KEYFACTORY(My_API, MyGuiHandler)
+	///
+	/// One can either set the handler directly in the startup code of the main method of ones application by calling
+	///
+	///    SSLManager::instance().initialize(myguiHandler, myInvalidCertificateHandler, mySSLContext)
+	///
+	/// or in case one's application extends Poco::Util::Application one can use an XML configuration and put the following entry
+	/// under the path openSSL.privateKeyPassphraseHandler:
+	///    
+	///    <privateKeyPassphraseHandler>
+	///        <name>MyGuiHandler</name>
+	///        <options>
+	///            [...] // Put optional config params for the handler here
+	///        </options>
+	///    </privateKeyPassphraseHandler>
+	///
+	/// Note that the name of the passphrase handler must be same as the one provided to the POCO_REGISTER_KEYFACTORY macro.
+{
+public:
+	PrivateKeyPassphraseHandler(bool onServerSide);
+		/// Creates the PrivateKeyPassphraseHandler. Automatically registers at the SSLManager::PrivateKeyPassword event.
+
+	virtual ~PrivateKeyPassphraseHandler();
+		/// Destroys the PrivateKeyPassphraseHandler.
+
+	virtual void onPrivateKeyRequested(const void* pSender, std::string& privateKey) = 0;
+		/// Returns the requested private key in the parameter privateKey.
+
+	bool serverSide() const;
+
+private:
+	bool _serverSide;
+};
+
+
+//
+// inlines
+//
+inline bool PrivateKeyPassphraseHandler::serverSide() const
+{
+	return _serverSide;
+}
+
+
+} } // namespace Poco::Net
+
+
+#endif // NetSSL_PrivateKeyPassphraseHandler_INCLUDED

NetSSL_Win/include/Poco/Net/SSLException.h

@@ -1,7 +1,7 @@
 //
 // SSLException.h
 //
-// $Id: //poco/1.4/NetSSL_Win/include/Poco/Net/SSLException.h#1 $
+// $Id$
 //
 // Library: NetSSL_Win
 // Package: SSLCore
@@ -30,8 +30,10 @@ namespace Net {
 
 POCO_DECLARE_EXCEPTION(NetSSL_Win_API, SSLException, NetException)
 POCO_DECLARE_EXCEPTION(NetSSL_Win_API, SSLContextException, SSLException)
-POCO_DECLARE_EXCEPTION(NetSSL_Win_API, InvalidCertificateException, SSLException)
-POCO_DECLARE_EXCEPTION(NetSSL_Win_API, CertificateValidationException, SSLException)
+POCO_DECLARE_EXCEPTION(NetSSL_Win_API, CertificateException, SSLException)
+POCO_DECLARE_EXCEPTION(NetSSL_Win_API, NoCertificateException, CertificateException)
+POCO_DECLARE_EXCEPTION(NetSSL_Win_API, InvalidCertificateException, CertificateException)
+POCO_DECLARE_EXCEPTION(NetSSL_Win_API, CertificateValidationException, CertificateException)
 POCO_DECLARE_EXCEPTION(NetSSL_Win_API, SSLConnectionUnexpectedlyClosedException, SSLException)
 
 

NetSSL_Win/include/Poco/Net/SSLManager.h

@@ -1,9 +1,9 @@
 //
 // SSLManager.h
 //
-// $Id: //poco/1.4/NetSSL_Schannel/include/Poco/Net/SSLManager.h#1 $
+// $Id$
 //
-// Library: NetSSL_Schannel
+// Library: NetSSL_Win
 // Package: SSLCore
 // Module:  SSLManager
 //
@@ -23,8 +23,10 @@
 #include "Poco/Net/NetSSL.h"
 #include "Poco/Net/VerificationErrorArgs.h"
 #include "Poco/Net/Context.h"
+#include "Poco/Net/PrivateKeyFactoryMgr.h"
 #include "Poco/Net/CertificateHandlerFactoryMgr.h"
 #include "Poco/Net/InvalidCertificateHandler.h"
+#include "Poco/Util/AbstractConfiguration.h"
 #include "Poco/BasicEvent.h"
 #include "Poco/SharedPtr.h"
 #include <wincrypt.h>
@@ -77,6 +79,12 @@ class NetSSL_Win_API SSLManager
 	///            <trustRoots>true|false</trustRoots>
 	///            <useMachineStore>true|false</useMachineStore>
 	///            <useStrongCrypto>true|false</useStrongCrypto>
+	///            <privateKeyPassphraseHandler>
+	///                <name>KeyFileHandler</name>
+	///                <options>
+	///                    <password>s3cr3t</password>
+	///                </options>
+	///            </privateKeyPassphraseHandler>
 	///            <invalidCertificateHandler>
 	///                 <name>ConsoleCertificateHandler</name>
 	///                 <options>
@@ -93,8 +101,9 @@ class NetSSL_Win_API SSLManager
 	/// be prefixed with openSSL.server or openSSL.client. Some properties are only supported
 	/// for servers.
 	/// 
-	///    - certificateName (string): The subject name of the certificate to use. The certificate myst
+	///    - certificateName (string): The subject name of the certificate to use. The certificate must
 	///      be available in the Windows user or machine certificate store.  
+	///    - certificatePath (string): The path of a certificate and private key file in PKCS #12 format.
 	///    - certificateStore (string): The certificate store location to use. 
 	///      Valid values are "MY", "Root", "Trust" or "CA". Defaults to "MY".
 	///    - verificationMode (string): Specifies whether and how peer certificates are validated (see
@@ -107,6 +116,9 @@ class NetSSL_Win_API SSLManager
 	///    - useStrongCrypto (boolean): Disable known weak cryptographic algorithms, cipher suites, and 
 	///      SSL/TLS protocol versions that may be otherwise enabled for better interoperability. 
 	///      Defaults to true.
+	///    - privateKeyPassphraseHandler.name (string): The name of the class (subclass of PrivateKeyPassphraseHandler)
+	///      used for obtaining the passphrase for accessing the private key.
+	///    - privateKeyPassphraseHandler.options.password (string): The password to be used by KeyFileHandler.
 	///    - invalidCertificateHandler.name: The name of the class (subclass of CertificateHandler)
 	///      used for confirming invalid certificates.
 	///    - requireTLSv1 (boolean): Require a TLSv1 connection. 
@@ -114,6 +126,7 @@ class NetSSL_Win_API SSLManager
 	///    - requireTLSv1_2 (boolean): Require a TLSv1.2 connection. Not supported on Windows Embedded Compact.
 {
 public:
+	typedef Poco::SharedPtr<PrivateKeyPassphraseHandler> PrivateKeyPassphraseHandlerPtr;
 	typedef Poco::SharedPtr<InvalidCertificateHandler> InvalidCertificateHandlerPtr;
 
 	Poco::BasicEvent<VerificationErrorArgs>  ServerVerificationError;
@@ -122,10 +135,14 @@ public:
 	Poco::BasicEvent<VerificationErrorArgs>  ClientVerificationError;
 		/// Fired whenever a certificate verification error is detected by the client during a handshake.
 
+	Poco::BasicEvent<std::string> PrivateKeyPassphraseRequired;
+		/// Fired when a encrypted certificate is loaded. Not setting the password
+		/// in the event parameter will result in a failure to load the certificate.
+
 	static SSLManager& instance();
 		/// Returns the instance of the SSLManager singleton.
 
-	void initializeServer(InvalidCertificateHandlerPtr& pCertificateHandler, Context::Ptr pContext);
+	void initializeServer(PrivateKeyPassphraseHandlerPtr ptrPassphraseHandler, InvalidCertificateHandlerPtr pCertificateHandler, Context::Ptr pContext);
 		/// Initializes the server side of the SSLManager with a default invalid certificate handler and a default context. If this method
 		/// is never called the SSLmanager will try to initialize its members from an application configuration.
 		///
@@ -140,7 +157,7 @@ public:
 		///     Context::Ptr pContext = new Context(Context::SERVER_USE, "mycert");
 		///     SSLManager::instance().initializeServer(pInvalidCertHandler, pContext);
 
-	void initializeClient(InvalidCertificateHandlerPtr& pCertificateHandler, Context::Ptr ptrContext);
+	void initializeClient(PrivateKeyPassphraseHandlerPtr ptrPassphraseHandler, InvalidCertificateHandlerPtr pCertificateHandler, Context::Ptr ptrContext);
 		/// Initializes the client side of the SSLManager with  a default invalid certificate handler and a default context. If this method
 		/// is never called the SSLmanager will try to initialize its members from an application configuration.
 		///
@@ -167,14 +184,26 @@ public:
 		/// Unless initializeClient() has been called, the first call to this method initializes the default Context
 		/// from the application configuration.
 
+	PrivateKeyPassphraseHandlerPtr serverPassphraseHandler();
+		/// Returns the configured passphrase handler of the server. If none is set, the method will create a default one
+		/// from an application configuration.
+
 	InvalidCertificateHandlerPtr serverCertificateHandler();
 		/// Returns an initialized certificate handler (used by the server to verify client cert) which determines how invalid certificates are treated.
 		/// If none is set, it will try to auto-initialize one from an application configuration.
 
+	PrivateKeyPassphraseHandlerPtr clientPassphraseHandler();
+		/// Returns the configured passphrase handler of the client. If none is set, the method will create a default one
+		/// from an application configuration.
+
 	InvalidCertificateHandlerPtr clientCertificateHandler();
 		/// Returns an initialized certificate handler (used by the client to verify server cert) which determines how invalid certificates are treated.
 		/// If none is set, it will try to auto-initialize one from an application configuration.
 
+	PrivateKeyFactoryMgr& privateKeyFactoryMgr();
+		/// Returns the private key factory manager which stores the 
+		/// factories for the different registered passphrase handlers for private keys.
+
 	CertificateHandlerFactoryMgr& certificateHandlerFactoryMgr();
 		/// Returns the CertificateHandlerFactoryMgr which stores the 
 		/// factories for the different registered certificate handlers.
@@ -207,6 +236,9 @@ private:
 	void initEvents(bool server);
 		/// Registers delegates at the events according to the configuration.
 
+	void initPassphraseHandler(bool server);
+		/// Inits the passphrase handler.
+
 	void initCertificateHandler(bool server);
 		/// Inits the certificate handler.
 
@@ -216,18 +248,29 @@ private:
 	void unloadSecurityLibrary();
 		/// Unloads the Windows security DLL.
 
+	static Poco::Util::AbstractConfiguration& appConfig();
+		/// Returns the application configuration.
+		///
+		/// Throws a InvalidStateException if not application instance
+		/// is available.
+
 	HMODULE _hSecurityModule;
 	SecurityFunctionTableW _securityFunctions;
 
+	PrivateKeyFactoryMgr           _factoryMgr;
 	CertificateHandlerFactoryMgr   _certHandlerFactoryMgr;
 	Context::Ptr                   _ptrDefaultServerContext;
+	PrivateKeyPassphraseHandlerPtr _ptrServerPassphraseHandler;
 	InvalidCertificateHandlerPtr   _ptrServerCertificateHandler;
 	Context::Ptr                   _ptrDefaultClientContext;
+	PrivateKeyPassphraseHandlerPtr _ptrClientPassphraseHandler;
 	InvalidCertificateHandlerPtr   _ptrClientCertificateHandler;
 	Poco::FastMutex _mutex;
 
 	static const std::string CFG_CERT_NAME;
 	static const std::string VAL_CERT_NAME;
+	static const std::string CFG_CERT_PATH;
+	static const std::string VAL_CERT_PATH;
 	static const std::string CFG_CERT_STORE;
 	static const std::string VAL_CERT_STORE;
 	static const std::string CFG_VER_MODE;
@@ -252,12 +295,19 @@ private:
 
 	friend class Poco::SingletonHolder<SSLManager>;
 	friend class SecureSocketImpl;
+	friend class Context;
 };
 
 
 //
 // inlines
 //
+inline PrivateKeyFactoryMgr& SSLManager::privateKeyFactoryMgr()
+{
+	return _factoryMgr;
+}
+
+
 inline CertificateHandlerFactoryMgr& SSLManager::certificateHandlerFactoryMgr()
 {
 	return _certHandlerFactoryMgr;

NetSSL_Win/include/Poco/Net/SecureSocketImpl.h

@@ -1,9 +1,9 @@
 //
 // SecureSocketImpl.h
 //
-// $Id: //poco/1.4/NetSSL_Schannel/include/Poco/Net/SecureSocketImpl.h#1 $
+// $Id$
 //
-// Library: NetSSL_Schannel
+// Library: NetSSL_Win
 // Package: SSLSockets
 // Module:  SecureSocketImpl
 //
@@ -194,8 +194,7 @@ protected:
 	bool loadSecurityLibrary();
 	void initClientContext();
 	void initServerContext();
-	PCCERT_CONTEXT loadCertificate(const std::string& certStore, const std::string& certName, bool useMachineStore, bool mustFindCertificate);
-	void acquireSchannelContext(Mode mode, PCCERT_CONTEXT pCertContext, CredHandle& outHandle);
+	PCCERT_CONTEXT loadCertificate(bool mustFindCertificate);
 	void initCommon();
 	void cleanup();
 	void performClientHandshake();
@@ -217,7 +216,6 @@ protected:
 	void stateConnected();
 	void acceptSSL();
 	void connectSSL(bool completeHandshake);
-	DWORD proto() const;
 	static int lastError();
 	void stateMachine();
 	void setState(State st);
@@ -232,7 +230,6 @@ private:
 	std::string    _peerHostName;
 	bool           _useMachineStore;
 	bool           _clientAuthRequired;
-	HCERTSTORE     _hCertificateStore;
 	PCCERT_CONTEXT _pServerCertificate;
 	PCCERT_CONTEXT _pPeerCertificate;
 

NetSSL_Win/include/Poco/Net/Utility.h

@@ -1,9 +1,9 @@
 //
 // Utility.h
 //
-// $Id: //poco/1.4/NetSSL_Schannel/include/Poco/Net/Utility.h#1 $
+// $Id$
 //
-// Library: NetSSL_Schannel
+// Library: NetSSL_Win
 // Package: SSLCore
 // Module:  Utility
 //

NetSSL_Win/include/Poco/Net/X509Certificate.h

@@ -1,7 +1,7 @@
 //
 // X509Certificate.h
 //
-// $Id: //poco/1.4/Crypto/include/Poco/Crypto/X509Certificate.h#2 $
+// $Id$
 //
 // Library: Crypto
 // Package: Certificate
@@ -47,13 +47,16 @@ public:
 		NID_ORGANIZATION_UNIT_NAME	
 	};
 	
-	explicit X509Certificate(std::istream& istr);
+	explicit X509Certificate(const std::string& certPath);
 		/// Creates the X509Certificate object by reading
-		/// a certificate in PEM format from a stream.
+		/// a certificate in PEM or DER format from a file.
 
-	explicit X509Certificate(const std::string& path);
-		/// Creates the X509Certificate object by reading
-		/// a certificate in PEM format from a file.
+	X509Certificate(const std::string& certName, const std::string& certStoreName, bool useMachineStore = false);
+		/// Creates the X509Certificate object by loading
+		/// a certificate from the specified certificate store.
+		///
+		/// If useSystemStore is true, the machine's certificate store is used,
+		/// otherwise the user's certificate store.
 
 	explicit X509Certificate(PCCERT_CONTEXT pCert);
 		/// Creates the X509Certificate from an existing
@@ -108,14 +111,6 @@ public:
 	Poco::DateTime expiresOn() const;
 		/// Returns the date and time the certificate expires.
 		
-	void save(std::ostream& stream) const;
-		/// Writes the certificate to the given stream.
-		/// The certificate is written in PEM format.
-
-	void save(const std::string& path) const;
-		/// Writes the certificate to the file given by path.
-		/// The certificate is written in PEM format.
-		
 	bool issuedBy(const X509Certificate& issuerCertificate) const;
 		/// Checks whether the certificate has been issued by
 		/// the issuer given by issuerCertificate. This can be
@@ -132,20 +127,18 @@ public:
 		/// Returns the underlying WinCrypt certificate.
 
 protected:
-	void load(std::istream& stream);
-		/// Loads the certificate from the given stream. The
-		/// certificate must be in PEM format.
-		
-	void load(const std::string& path);
-		/// Loads the certificate from the given file. The
-		/// certificate must be in PEM format.
-
 	void init();
 		/// Extracts issuer and subject name from the certificate.
 	
 	static void* nid2oid(NID nid);
 		/// Returns the OID for the given NID.
 
+	void loadCertificate(const std::string& certName, const std::string& certStoreName, bool useMachineStore);
+	void importCertificate(const std::string& certPath);
+	void importCertificate(const char* pBuffer, std::size_t size);
+	void importPEMCertificate(const char* pBuffer, std::size_t size);
+	void importDERCertificate(const char* pBuffer, std::size_t size);
+
 private:
 	enum
 	{