-rw-r--r--.gitlab-ci.yml36
-rw-r--r--configure.ac19
-rw-r--r--doc/cha-internals.texi22
-rw-r--r--lib/Makefile.am6
-rw-r--r--lib/crypto-selftests.c11
-rw-r--r--lib/fips.c5
-rw-r--r--lib/gnutls.pc.in2
-rw-r--r--lib/random.c4
-rw-r--r--lib/system/keys-win.c326
-rw-r--r--tests/Makefile.am1
10 files changed, 263 insertions, 169 deletions
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index ccc4eddfa1..5ce88f2662 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -390,6 +390,42 @@ MinGW64.DLLs:
- win64-build/
retry: 1
+MinGW64.Vista+:
+ stage: stage1-testing
+ image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$MINGW_BUILD
+ script:
+ - ./bootstrap
+ - export CC="ccache x86_64-w64-mingw32-gcc"
+ # Target Vista instead of XP, currently the default in mingw
+ - export CPPFLAGS="-D_WIN32_WINT=0x600"
+ - export WINEPATH=/usr/x86_64-w64-mingw32/sys-root/mingw/bin
+ - mount -t binfmt_misc binfmt_misc /proc/sys/fs/binfmt_misc
+ - echo ':DOSWin:M::MZ::/usr/bin/wine64:' > /proc/sys/fs/binfmt_misc/register
+ - mkdir -p build
+ - cd build
+ - dash ../configure --disable-gcc-warnings --host=x86_64-w64-mingw32 --target=x86_64-w64-mingw32 --cache-file ../cache/config.cache --with-included-libtasn1 --disable-guile --disable-nls --with-included-unistring --enable-local-libopts --disable-full-test-suite --disable-non-suiteb-curves --disable-doc
+ # generate the certtool autogen file to check whether later compilation will modify it
+ - mingw64-make -j$BUILDJOBS -C src certtool-args.c.bak
+ - mingw64-make -j$BUILDJOBS
+ - mingw64-make -j$CHECKJOBS -C tests check
+ - cd ..
+ # since we use --enable-local-libopts the generated files must equal the .bak
+ - cmp build/src/certtool-args.c build/src/certtool-args.c.bak || false
+ tags:
+ - shared
+ - docker
+ - linux
+ except:
+ - tags
+ artifacts:
+ expire_in: 1 week
+ when: on_failure
+ paths:
+ - build/*.log
+ - build/tests/*.log
+ - build/tests/*/*.log
+ retry: 1
+
MinGW64:
stage: stage1-testing
image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$MINGW_BUILD
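Review bot: The macro in `export CPPFLAGS="-D_WIN32_WINT=0x600"` is misspelled (`_WIN32_WINT` instead of `_WIN32_WINNT`), so the new job never raises the target version: the configure probe in configure.ac keys on `_WIN32_WINNT >= 0x0600`, will not see it, and still selects the dynamic-ncrypt path, leaving this job exercising the same configuration as the existing MinGW64 job rather than the static ncrypt linking it was added for. Change it to `export CPPFLAGS="-D_WIN32_WINNT=0x0600"`. To keep this from regressing silently, a guard after configure such as `- ! grep -q 'define DYN_NCRYPT 1' build/config.h` would fail the job whenever the probe did not take effect.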
diff --git a/configure.ac b/configure.ac
index bb32073be5..b8167f0928 100644
--- a/configure.ac
+++ b/configure.ac
@@ -111,6 +111,7 @@ AM_CONDITIONAL(ENABLE_CXX, test "$use_cxx" != "no")
dnl Detect windows build
use_accel=yes
+have_vista_dynamic=yes
case "$host" in
*android*)
have_android=yes
@@ -119,6 +120,24 @@ case "$host" in
*mingw32* | *mingw64*)
have_win=yes
AC_DEFINE([_UNICODE], [1], [Defined to 1 for Unicode (wide chars) APIs])
+ LIB_CRYPT32="-lcrypt32"
+ AC_SUBST([LIB_CRYPT32])
+ AC_PREPROC_IFELSE([AC_LANG_PROGRAM(
+ [[#include <windows.h>
+ #if defined(_WIN32_WINNT) && _WIN32_WINNT >= 0x0600
+ # error Vista APIs allowed statically
+ #endif
+ ]],[[;]])],[have_vista_dynamic=yes],[have_vista_dynamic=no])
+ AC_ARG_ENABLE(dyn_ncrypt,
+ AS_HELP_STRING([--enable-dyn-ncrypt], [use ncrypt dynamically]),
+ enable_dyn_ncrypt=$enableval, enable_dyn_ncrypt=$have_vista_dynamic
+ )
+ if test "x$enable_dyn_ncrypt" = "xyes"; then
+ AC_DEFINE([DYN_NCRYPT], 1, [Dynamic use of ncrypt API (win32)])
+ else
+ LIBNCRYPT="-lncrypt"
+ fi
+ AC_SUBST([LIBNCRYPT])
;;
*darwin*)
have_macosx=yes
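Review bot: The `AC_PREPROC_IFELSE` probe that sets `have_vista_dynamic` reads inverted relative to its name and deserves a comment: a successful preprocess (target below Vista) yields `yes`, and the `#error` firing for a Vista-or-later target yields `no`, which is easy to misread as the opposite. A line such as `dnl Pre-Vista targets cannot import ncrypt.dll at link time (it may be absent at runtime), so default to loading it dynamically` above the probe would make the intent explicit. Note also that `LIBNCRYPT` is only `AC_SUBST`ed here; nothing in this diff adds it to the libgnutls link line, so the `--enable-dyn-ncrypt=no` configuration depends on a Makefile rule outside this view and is worth confirming.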
diff --git a/doc/cha-internals.texi b/doc/cha-internals.texi
index 2a9bc1a45b..f188caecc9 100644
--- a/doc/cha-internals.texi
+++ b/doc/cha-internals.texi
@@ -667,15 +667,29 @@ is for the conformance to NIST's FIPS140-2 publication, which consists of polici
for cryptographic modules (such as software libraries). Its implementation in
GnuTLS is designed for Red Hat Enterprise Linux, and can only be enabled
when the library is explicitly compiled with the '--enable-fips140-mode'
-configure option. The operation of the library is then modified, as follows.
+configure option.
+
+There are two distinct library states with regard to FIPS140-2: the FIPS140-2
+mode is @emph{installed} if @code{/etc/system-fips} is present, and the
+FIPS140-2 mode is @emph{enabled} if @code{/proc/sys/crypto/fips_enabled}
+contains '1', which is typically set with the ``fips=1'' kernel command line
+option.
+
+When the FIPS140-2 mode is installed, the operation of the library is modified
+as follows.
@itemize
-@item FIPS140-2 mode is enabled when @code{/proc/sys/crypto/fips_enabled} contains '1' and @code{/etc/system-fips} is present.
-@item Only approved by FIPS140-2 algorithms are enabled
-@item Only approved by FIPS140-2 key lengths are allowed for key generation
@item The random generator used switches to DRBG-AES
@item The integrity of the GnuTLS and dependent libraries is checked on startup
@item Algorithm self-tests are run on library load
+@end itemize
+
+When the FIPS140-2 mode is enabled, The operation of the library is in addition
+modified as follows.
+
+@itemize
+@item Only approved by FIPS140-2 algorithms are enabled
+@item Only approved by FIPS140-2 key lengths are allowed for key generation
@item Any cryptographic operation will be refused if any of the self-tests failed
@end itemize
diff --git a/lib/Makefile.am b/lib/Makefile.am
index eddd1167a7..f55f298f7b 100644
--- a/lib/Makefile.am
+++ b/lib/Makefile.am
@@ -151,7 +151,7 @@ libgnutls_la_LIBADD = ../gl/libgnu.la x509/libgnutls_x509.la \
auth/libgnutls_auth.la algorithms/libgnutls_alg.la \
extras/libgnutls_extras.la
thirdparty_libadd = $(LTLIBZ) $(LTLIBINTL) $(LIBSOCKET) $(LTLIBNSL) \
- $(P11_KIT_LIBS) $(LIB_SELECT)
+ $(P11_KIT_LIBS) $(LIB_SELECT) $(LIB_CRYPT32)
if HAVE_LIBIDN2
thirdparty_libadd += $(LIBIDN2_LIBS)
@@ -208,10 +208,6 @@ defexec_DATA = libgnutls-$(DLL_VERSION).def
DISTCLEANFILES += $(defexec_DATA)
endif
-if WINDOWS
-thirdparty_libadd += -lcrypt32
-endif
-
if MACOSX
libgnutls_la_LDFLAGS += -framework Security -framework CoreFoundation
endif
diff --git a/lib/crypto-selftests.c b/lib/crypto-selftests.c
index f904b029b2..f915b6d744 100644
--- a/lib/crypto-selftests.c
+++ b/lib/crypto-selftests.c
@@ -1939,13 +1939,6 @@ static int test_mac(gnutls_mac_algorithm_t mac,
return ret; \
}
-#define FIPS_STARTUP_ONLY_TEST_CASE(x, func, vectors) case x: \
- if (_gnutls_fips_mode_enabled() != 1) { \
- ret = func(x, V(vectors), flags); \
- if (!(flags & GNUTLS_SELF_TEST_FLAG_ALL) || ret < 0) \
- return ret; \
- }
-
/*-
* gnutls_cipher_self_test:
* @flags: GNUTLS_SELF_TEST_FLAG flags
@@ -2075,7 +2068,7 @@ int gnutls_mac_self_test(unsigned flags, gnutls_mac_algorithm_t mac)
switch (mac) {
case GNUTLS_MAC_UNKNOWN:
- FIPS_STARTUP_ONLY_TEST_CASE(GNUTLS_MAC_MD5, test_mac, hmac_md5_vectors);
+ NON_FIPS_CASE(GNUTLS_MAC_MD5, test_mac, hmac_md5_vectors);
FALLTHROUGH;
CASE(GNUTLS_MAC_SHA1, test_mac, hmac_sha1_vectors);
FALLTHROUGH;
@@ -2135,7 +2128,7 @@ int gnutls_digest_self_test(unsigned flags, gnutls_digest_algorithm_t digest)
switch (digest) {
case GNUTLS_DIG_UNKNOWN:
- FIPS_STARTUP_ONLY_TEST_CASE(GNUTLS_DIG_MD5, test_digest, md5_vectors);
+ NON_FIPS_CASE(GNUTLS_DIG_MD5, test_digest, md5_vectors);
FALLTHROUGH;
CASE(GNUTLS_DIG_SHA1, test_digest, sha1_vectors);
FALLTHROUGH;
diff --git a/lib/fips.c b/lib/fips.c
index 0f0c34c1df..acdd2ec23e 100644
--- a/lib/fips.c
+++ b/lib/fips.c
@@ -102,14 +102,13 @@ unsigned _gnutls_fips_mode_enabled(void)
else f1p = 0;
}
- f2p = !access(FIPS_SYSTEM_FILE, F_OK);
-
- if (f1p != 0 && f2p != 0) {
+ if (f1p != 0) {
_gnutls_debug_log("FIPS140-2 mode enabled\n");
ret = GNUTLS_FIPS140_STRICT;
goto exit;
}
+ f2p = !access(FIPS_SYSTEM_FILE, F_OK);
if (f2p != 0) {
/* a funny state where self tests are performed
* and ignored */
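Review bot: The reordering makes the kernel flag authoritative: `f1p != 0` alone now yields `GNUTLS_FIPS140_STRICT` and `FIPS_SYSTEM_FILE` is consulted only afterwards, a change from the previous AND of both signals that deserves a comment at the `if (f1p != 0)` line, e.g. `/* fips=1 in the kernel is authoritative: strict mode even without FIPS_SYSTEM_FILE */`. Worth confirming that the self-test and integrity-check code that previously could assume the system file is present when strict mode is reached copes with reaching it without the file. `_gnutls_fips_mode_enabled` continues outside the hunk.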
diff --git a/lib/gnutls.pc.in b/lib/gnutls.pc.in
index 4b6b5578f5..15d3ab057c 100644
--- a/lib/gnutls.pc.in
+++ b/lib/gnutls.pc.in
@@ -19,6 +19,6 @@ Description: Transport Security Layer implementation for the GNU system
URL: https://www.gnutls.org/
Version: @VERSION@
Libs: -L${libdir} -lgnutls
-Libs.private: @LIBINTL@ @LIBSOCKET@ @INET_PTON_LIB@ @LIBPTHREAD@ @LIB_SELECT@ @TSS_LIBS@ @GMP_LIBS@ @LIBUNISTRING@ @LIBATOMIC_LIBS@
+Libs.private: @LIBINTL@ @LIBSOCKET@ @INET_PTON_LIB@ @LIBPTHREAD@ @LIB_SELECT@ @TSS_LIBS@ @GMP_LIBS@ @LIBUNISTRING@ @LIBATOMIC_LIBS@ @LIB_CRYPT32@ @LIBNCRYPT@
@GNUTLS_REQUIRES_PRIVATE@
Cflags: -I${includedir}
diff --git a/lib/random.c b/lib/random.c
index 6462738416..605fc8d51a 100644
--- a/lib/random.c
+++ b/lib/random.c
@@ -105,9 +105,9 @@ int _gnutls_rnd_preinit(void)
#elif defined(ENABLE_FIPS140)
/* The FIPS140 random generator is only enabled when we are compiled
- * with FIPS support, _and_ the system requires FIPS140.
+ * with FIPS support, _and_ the system is in FIPS installed state.
*/
- if (_gnutls_fips_mode_enabled() == 1) {
+ if (_gnutls_fips_mode_enabled() != 0) {
ret = gnutls_crypto_rnd_register(100, &_gnutls_fips_rnd_ops);
if (ret < 0)
return ret;
diff --git a/lib/system/keys-win.c b/lib/system/keys-win.c
index 678a668e49..f9a4b1ca9e 100644
--- a/lib/system/keys-win.c
+++ b/lib/system/keys-win.c
@@ -26,6 +26,7 @@
#define _WIN32_WINNT 0x600
#endif
+#include <config.h>
#include "gnutls_int.h"
#include "errors.h"
#include <gnutls/gnutls.h>
@@ -45,8 +46,6 @@
#include <winbase.h>
#include <winapifamily.h>
-#define DYN_NCRYPT
-
#ifdef __MINGW32__
# include <_mingw.h>
# ifdef __MINGW64_VERSION_MAJOR
@@ -234,6 +233,7 @@ get_id(const char *url, uint8_t * bin, size_t * bin_size, unsigned cert)
return 0;
}
+#if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP)
static
void *memrev(unsigned char *pvData, DWORD cbData)
{
@@ -437,6 +437,106 @@ static int capi_info(gnutls_privkey_t key, unsigned int flags, void *userdata)
return -1;
}
+static
+int privkey_import_capi(gnutls_privkey_t pkey, const char *url,
+ priv_st *priv, CRYPT_KEY_PROV_INFO *kpi)
+{
+ HCRYPTPROV hCryptProv = NULL;
+ int ret, enc_too = 0;
+ DWORD i, dwErrCode = 0;
+
+ if (CryptAcquireContextW(&hCryptProv,
+ kpi->pwszContainerName,
+ kpi->pwszProvName,
+ kpi->dwProvType, kpi->dwFlags)) {
+ for (i = 0; i < kpi->cProvParam; i++)
+ if (!CryptSetProvParam(hCryptProv,
+ kpi->rgProvParam[i].
+ dwParam,
+ kpi->rgProvParam[i].
+ pbData,
+ kpi->rgProvParam[i].
+ dwFlags)) {
+ dwErrCode = GetLastError();
+ break;
+ };
+ } else {
+ dwErrCode = GetLastError();
+ }
+
+ if (ERROR_SUCCESS != dwErrCode) {
+ _gnutls_debug_log
+ ("error in getting cryptprov: %d from %s\n",
+ (int)GetLastError(), url);
+ ret =
+ gnutls_assert_val
+ (GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE);
+ goto cleanup;
+ }
+
+ {
+ BYTE buf[100 + sizeof(PROV_ENUMALGS_EX) * 2];
+ PROV_ENUMALGS_EX *pAlgo = (PROV_ENUMALGS_EX *) buf;
+ DWORD len = sizeof(buf);
+
+ if (CryptGetProvParam
+ (hCryptProv, PP_ENUMALGS_EX, buf, &len,
+ CRYPT_FIRST)) {
+ DWORD hash = 0;
+ do {
+ switch (pAlgo->aiAlgid) {
+ case CALG_RSA_SIGN:
+ priv->pk = GNUTLS_PK_RSA;
+ enc_too = 1;
+ break;
+ case CALG_DSS_SIGN:
+ priv->pk =
+ priv->pk ==
+ GNUTLS_PK_RSA ?
+ GNUTLS_PK_RSA :
+ GNUTLS_PK_DSA;
+ break;
+ case CALG_SHA1:
+ hash = 1;
+ break;
+ case CALG_SHA_256:
+ hash = 256;
+ break;
+ default:
+ break;
+ }
+
+ len = sizeof(buf); // reset the buffer size
+ } while (CryptGetProvParam
+ (hCryptProv, PP_ENUMALGS_EX, buf, &len,
+ CRYPT_NEXT));
+
+ if (priv->pk == GNUTLS_PK_DSA)
+ priv->sign_algo = GNUTLS_SIGN_DSA_SHA1;
+ else
+ priv->sign_algo =
+ (hash >
+ 1) ? GNUTLS_SIGN_RSA_SHA256 :
+ GNUTLS_SIGN_RSA_SHA1;
+ }
+ }
+
+ priv->hCryptProv = hCryptProv;
+ priv->dwKeySpec = kpi->dwKeySpec;
+
+ ret = gnutls_privkey_import_ext3(pkey, priv, capi_sign,
+ (enc_too !=
+ 0) ? capi_decrypt : NULL,
+ capi_deinit, capi_info, 0);
+ cleanup:
+ if (ret < 0) {
+ if (hCryptProv != 0)
+ CryptReleaseContext(hCryptProv, 0);
+ }
+ return ret;
+}
+#endif /* WINAPI_PARTITION_DESKTOP */
+
static
int cng_sign(gnutls_privkey_t key, void *userdata,
const gnutls_datum_t * raw_data, gnutls_datum_t * signature)
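Review bot: `privkey_import_capi` infers the key type from the provider's algorithm list rather than from the key itself: any provider advertising `CALG_RSA_SIGN` makes the key RSA and enables `capi_decrypt` regardless of `kpi->dwKeySpec`, and if the `PP_ENUMALGS_EX` enumeration fails `priv->pk` and `priv->sign_algo` keep whatever the caller left in `priv` (presumably zeroed, not visible here) and the key is still imported. This is moved code, but now that it stands alone it is the natural place to fail explicitly before `gnutls_privkey_import_ext3`, mirroring the unknown-algorithm handling in `privkey_import_ncrypt`: `if (priv->pk == GNUTLS_PK_UNKNOWN) { ret = gnutls_assert_val(GNUTLS_E_UNKNOWN_PK_ALGORITHM); goto cleanup; }`. The diagnostic should also print the saved `dwErrCode` instead of calling `GetLastError()` again, since that is why the value was captured.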
@@ -597,6 +697,70 @@ static int cng_info(gnutls_privkey_t key, unsigned int flags, void *userdata)
return -1;
}
+static
+int privkey_import_ncrypt(gnutls_privkey_t pkey, const char *url,
+ priv_st *priv, CRYPT_KEY_PROV_INFO *kpi, NCRYPT_PROV_HANDLE *sctx)
+{
+ SECURITY_STATUS r;
+ NCRYPT_KEY_HANDLE nc = NULL;
+ int ret, enc_too = 0;
+ WCHAR algo_str[64];
+ DWORD algo_str_size = 0;
+
+ r = pNCryptOpenKey(*sctx, &nc, kpi->pwszContainerName, 0, 0);
+ if (FAILED(r)) {
+ ret =
+ gnutls_assert_val
+ (GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE);
+ goto cleanup;
+ }
+
+ r = pNCryptGetProperty(nc, NCRYPT_ALGORITHM_PROPERTY,
+ (BYTE *) algo_str, sizeof(algo_str),
+ &algo_str_size, 0);
+ if (FAILED(r)) {
+ ret =
+ gnutls_assert_val
+ (GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE);
+ goto cleanup;
+ }
+
+ if (StrCmpW(algo_str, BCRYPT_RSA_ALGORITHM) == 0) {
+ priv->pk = GNUTLS_PK_RSA;
+ priv->sign_algo = GNUTLS_SIGN_RSA_SHA256;
+ enc_too = 1;
+ } else if (StrCmpW(algo_str, BCRYPT_DSA_ALGORITHM) == 0) {
+ priv->pk = GNUTLS_PK_DSA;
+ priv->sign_algo = GNUTLS_SIGN_DSA_SHA1;
+ } else if (StrCmpW(algo_str, BCRYPT_ECDSA_P256_ALGORITHM) == 0) {
+ priv->pk = GNUTLS_PK_EC;
+ priv->sign_algo = GNUTLS_SIGN_ECDSA_SHA256;
+ } else if (StrCmpW(algo_str, BCRYPT_ECDSA_P384_ALGORITHM) == 0) {
+ priv->pk = GNUTLS_PK_EC;
+ priv->sign_algo = GNUTLS_SIGN_ECDSA_SHA384;
+ } else if (StrCmpW(algo_str, BCRYPT_ECDSA_P521_ALGORITHM) == 0) {
+ priv->pk = GNUTLS_PK_EC;
+ priv->sign_algo = GNUTLS_SIGN_ECDSA_SHA512;
+ } else {
+ _gnutls_debug_log("unknown key algorithm: %ls\n",
+ algo_str);
+ ret = gnutls_assert_val(GNUTLS_E_UNKNOWN_PK_ALGORITHM);
+ goto cleanup;
+ }
+ priv->nc = nc;
+
+ ret = gnutls_privkey_import_ext3(pkey, priv, cng_sign,
+ (enc_too !=
+ 0) ? cng_decrypt : NULL,
+ cng_deinit, cng_info, 0);
+ cleanup:
+ if (ret < 0) {
+ if (nc != 0)
+ pNCryptFreeObject(nc);
+ }
+ return ret;
+}
+
/*-
* _gnutls_privkey_import_system:
* @pkey: The private key
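Review bot: The `url` parameter of `privkey_import_ncrypt` is never used in its body, and `sctx` is passed by pointer only to be dereferenced once at `pNCryptOpenKey(*sctx, ...)`; take the provider handle by value and either drop `url` or use it in the diagnostic, e.g. `_gnutls_debug_log("unknown key algorithm: %ls from %s\n", algo_str, url);`, so the failing key can be identified in logs as the CAPI path already does. A short header comment stating the ownership contract would also help: on failure the key handle is freed here and `priv` is left for the caller to release, while on success `priv->nc` is handed to `pkey`.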
@@ -613,25 +777,20 @@ static int cng_info(gnutls_privkey_t key, unsigned int flags, void *userdata)
-*/
int _gnutls_privkey_import_system_url(gnutls_privkey_t pkey, const char *url)
{
-#if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_APP)
+#if !WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP) && _WIN32_WINNT < 0x0A00 /*win10 */
return gnutls_assert_val(GNUTLS_E_UNIMPLEMENTED_FEATURE);
-#else
+#else /* WINAPI_PARTITION_DESKTOP || _WIN32_WINNT_WIN10 */
uint8_t id[MAX_WID_SIZE];
HCERTSTORE store = NULL;
size_t id_size;
const CERT_CONTEXT *cert = NULL;
CRYPT_HASH_BLOB blob;
CRYPT_KEY_PROV_INFO *kpi = NULL;
- NCRYPT_KEY_HANDLE nc = NULL;
- HCRYPTPROV hCryptProv = NULL;
NCRYPT_PROV_HANDLE sctx = NULL;
DWORD kpi_size;
SECURITY_STATUS r;
- int ret, enc_too = 0;
- WCHAR algo_str[64];
- DWORD algo_str_size = 0;
+ int ret;
priv_st *priv;
- DWORD i, dwErrCode = 0;
if (ncrypt_init == 0)
return gnutls_assert_val(GNUTLS_E_UNIMPLEMENTED_FEATURE);
@@ -702,157 +861,31 @@ int _gnutls_privkey_import_system_url(gnutls_privkey_t pkey, const char *url)
r = pNCryptOpenStorageProvider(&sctx, kpi->pwszProvName, 0);
if (!FAILED(r)) { /* if this works carry on with CNG */
- r = pNCryptOpenKey(sctx, &nc, kpi->pwszContainerName, 0, 0);
- if (FAILED(r)) {
- ret =
- gnutls_assert_val
- (GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE);
- goto cleanup;
- }
-
- r = pNCryptGetProperty(nc, NCRYPT_ALGORITHM_PROPERTY,
- (BYTE *) algo_str, sizeof(algo_str),
- &algo_str_size, 0);
- if (FAILED(r)) {
- ret =
- gnutls_assert_val
- (GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE);
- goto cleanup;
- }
-
- if (StrCmpW(algo_str, BCRYPT_RSA_ALGORITHM) == 0) {
- priv->pk = GNUTLS_PK_RSA;
- priv->sign_algo = GNUTLS_SIGN_RSA_SHA256;
- enc_too = 1;
- } else if (StrCmpW(algo_str, BCRYPT_DSA_ALGORITHM) == 0) {
- priv->pk = GNUTLS_PK_DSA;
- priv->sign_algo = GNUTLS_SIGN_DSA_SHA1;
- } else if (StrCmpW(algo_str, BCRYPT_ECDSA_P256_ALGORITHM) == 0) {
- priv->pk = GNUTLS_PK_EC;
- priv->sign_algo = GNUTLS_SIGN_ECDSA_SHA256;
- } else if (StrCmpW(algo_str, BCRYPT_ECDSA_P384_ALGORITHM) == 0) {
- priv->pk = GNUTLS_PK_EC;
- priv->sign_algo = GNUTLS_SIGN_ECDSA_SHA384;
- } else if (StrCmpW(algo_str, BCRYPT_ECDSA_P521_ALGORITHM) == 0) {
- priv->pk = GNUTLS_PK_EC;
- priv->sign_algo = GNUTLS_SIGN_ECDSA_SHA512;
- } else {
- _gnutls_debug_log("unknown key algorithm: %ls\n",
- algo_str);
- ret = gnutls_assert_val(GNUTLS_E_UNKNOWN_PK_ALGORITHM);
- goto cleanup;
- }
- priv->nc = nc;
-
- ret = gnutls_privkey_import_ext3(pkey, priv, cng_sign,
- (enc_too !=
- 0) ? cng_decrypt : NULL,
- cng_deinit, cng_info, 0);
+ ret = privkey_import_ncrypt(pkey, url, priv, kpi, &sctx);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
} else {
+#if !WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP)
+ /* CAPI is not supported in UWP */
+ return gnutls_assert_val(GNUTLS_E_UNIMPLEMENTED_FEATURE);
+#else /* WINAPI_PARTITION_DESKTOP */
/* this should be CAPI */
_gnutls_debug_log
("error in opening CNG keystore: %x from %ls\n", (int)r,
kpi->pwszProvName);
- if (CryptAcquireContextW(&hCryptProv,
- kpi->pwszContainerName,
- kpi->pwszProvName,
- kpi->dwProvType, kpi->dwFlags)) {
- for (i = 0; i < kpi->cProvParam; i++)
- if (!CryptSetProvParam(hCryptProv,
- kpi->rgProvParam[i].
- dwParam,
- kpi->rgProvParam[i].
- pbData,
- kpi->rgProvParam[i].
- dwFlags)) {
- dwErrCode = GetLastError();
- break;
- };
- } else {
- dwErrCode = GetLastError();
- }
-
- if (ERROR_SUCCESS != dwErrCode) {
- _gnutls_debug_log
- ("error in getting cryptprov: %d from %s\n",
- (int)GetLastError(), url);
- ret =
- gnutls_assert_val
- (GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE);
- goto cleanup;
- }
-
- {
- BYTE buf[100 + sizeof(PROV_ENUMALGS_EX) * 2];
- PROV_ENUMALGS_EX *pAlgo = (PROV_ENUMALGS_EX *) buf;
- DWORD len = sizeof(buf);
-
- if (CryptGetProvParam
- (hCryptProv, PP_ENUMALGS_EX, buf, &len,
- CRYPT_FIRST)) {
- DWORD hash = 0;
- do {
- switch (pAlgo->aiAlgid) {
- case CALG_RSA_SIGN:
- priv->pk = GNUTLS_PK_RSA;
- enc_too = 1;
- break;
- case CALG_DSS_SIGN:
- priv->pk =
- priv->pk ==
- GNUTLS_PK_RSA ?
- GNUTLS_PK_RSA :
- GNUTLS_PK_DSA;
- break;
- case CALG_SHA1:
- hash = 1;
- break;
- case CALG_SHA_256:
- hash = 256;
- break;
- default:
- break;
- }
-
- len = sizeof(buf); // reset the buffer size
- } while (CryptGetProvParam
- (hCryptProv, PP_ENUMALGS_EX, buf, &len,
- CRYPT_NEXT));
-
- if (priv->pk == GNUTLS_PK_DSA)
- priv->sign_algo = GNUTLS_SIGN_DSA_SHA1;
- else
- priv->sign_algo =
- (hash >
- 1) ? GNUTLS_SIGN_RSA_SHA256 :
- GNUTLS_SIGN_RSA_SHA1;
- }
- }
-
- priv->hCryptProv = hCryptProv;
- priv->dwKeySpec = kpi->dwKeySpec;
-
- ret = gnutls_privkey_import_ext3(pkey, priv, capi_sign,
- (enc_too !=
- 0) ? capi_decrypt : NULL,
- capi_deinit, capi_info, 0);
+ ret = privkey_import_capi(pkey, url, priv, kpi);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
+#endif /* WINAPI_PARTITION_DESKTOP */
}
ret = 0;
cleanup:
if (ret < 0) {
- if (nc != 0)
- pNCryptFreeObject(nc);
- if (hCryptProv != 0)
- CryptReleaseContext(hCryptProv, 0);
gnutls_free(priv);
}
if (sctx != 0)
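Review bot: The UWP branch `return gnutls_assert_val(GNUTLS_E_UNIMPLEMENTED_FEATURE);` inside the `else` returns straight out of `_gnutls_privkey_import_system_url`, bypassing the `cleanup:` label, so everything the cleanup path releases (`priv` via `gnutls_free`, `store` via `CertCloseStore`, and presumably `kpi` and `cert` further down) is leaked on that path, while every other failure in the function goes through `goto cleanup`. Replace it with `ret = gnutls_assert_val(GNUTLS_E_UNIMPLEMENTED_FEATURE);` followed by `goto cleanup;`. The function starts and ends outside this hunk.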
@@ -865,7 +898,7 @@ int _gnutls_privkey_import_system_url(gnutls_privkey_t pkey, const char *url)
CertCloseStore(store, 0);
return ret;
-#endif
+#endif /* WINAPI_PARTITION_DESKTOP || _WIN32_WINNT_WIN10 */
}
int _gnutls_x509_crt_import_system_url(gnutls_x509_crt_t crt, const char *url)
@@ -1487,13 +1520,16 @@ int _gnutls_system_key_init(void)
ret = GNUTLS_E_CRYPTO_INIT_FAILED;
goto fail;
}
-#endif
ncrypt_init = 1;
return 0;
fail:
FreeLibrary(ncrypt_lib);
return ret;
+#else
+ ncrypt_init = 1;
+ return 0;
+#endif
}
void _gnutls_system_key_deinit(void)
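Review bot: The new `#else` branch of `_gnutls_system_key_init` reports success without any check, so a build with `DYN_NCRYPT` undefined assumes the `pNCrypt*` names resolve to the static ncrypt imports at link time; whatever provides that mapping is outside this hunk, and `LIBNCRYPT` is not on the libgnutls link line in this diff, so it is worth confirming the static configuration actually links. A one-line comment would make the assumption visible: `/* ncrypt linked statically: nothing to load, pNCrypt* resolve at link time. */`. The function starts outside the hunk.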
diff --git a/tests/Makefile.am b/tests/Makefile.am
index a41067f5af..11a083c637 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -567,6 +567,7 @@ endif
if !WINDOWS
indirect_tests += datefudge-check
+noinst_PROGRAMS = datefudge-check
endif
check_PROGRAMS = $(cpptests) $(ctests) $(indirect_tests)
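Review bot: `noinst_PROGRAMS = datefudge-check` uses a plain `=`; if `noinst_PROGRAMS` is assigned anywhere else in tests/Makefile.am (not visible here) this silently replaces it, in which case `+=` is the safe form. Since datefudge-check already reaches `check_PROGRAMS` through `indirect_tests` on the line above, the reason for listing it a second time is not obvious and deserves a one-line comment, e.g. `# also a noinst program so it is built before the tests that invoke it`, adjusted to the actual motivation.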