  1. JDK
  2. JDK-8284850

It is not possible to read local computer certificates with the SunMSCAPI provider


    • minimal
    • JDK

      Summary

      Expand the Windows KeyStore support in the SunMSCAPI provider to include access to the local machine location.

      Problem

      The native KeyStore provider for Windows (SunMSCAPI) provides access to certificates and keys stored in the Windows-MY (Personal) and Windows-ROOT (Trusted Root Certificate Authorities) stores. However, these stores are associated with a single user account [1]. There are scenarios, especially in cloud environments, where keys and certificates are associated with the local machine [2] such that they would be available to all users. Currently, in order to access the stores associated with the local machine, Java developers have to write their own wrappers in JNI.

      [1] https://docs.microsoft.com/en-us/windows/win32/seccrypto/system-store-locations#cert_system_store_current_user

      [2] https://docs.microsoft.com/en-us/windows/win32/seccrypto/system-store-locations#cert_system_store_local_machine

      Solution

      Expanding access to the local machine key stores is fairly trivial given that the current Windows APIs used by the SunMSCAPI provider already support these scenarios (i.e. a new provider is not required). Keystores across all platforms are identified using a string, and by handling the new locations as variants of the existing Windows strings there is no change to the API; however, existing documentation will need to be updated [1].

      [1] https://docs.oracle.com/en/java/javase/18/security/oracle-providers.html

      Specification

      The expanded set of strings to be supported is:

      • "Windows-MY-LOCALMACHINE"
      • "Windows-ROOT-LOCALMACHINE"
      • "Windows-MY-CURRENTUSER"
      • "Windows-ROOT-CURRENTUSER"

      Note that the two strings ending in "-CURRENTUSER" map to the same key stores as the existing strings supported by the SunMSCAPI provider ("Windows-MY" and "Windows-ROOT"); they are added to identify explicitly that access to the current user's certificates and keys is being requested, rather than implicitly as was previously the case. There is no plan to deprecate support for the existing strings.
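
A sketch of how the new strings would be used from application code, written as an added example and not taken from the pull request: it opens both ROOT stores through SunMSCAPI and reports roots that appear for the current user but not in the local machine store. The class name `RootStoreAudit` is hypothetical, and the code assumes a Windows JDK that already includes this change.

```java
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.HexFormat;
import java.util.Map;
import java.util.TreeMap;

// Hypothetical audit helper (example code, not part of the JDK or the pull request).
public class RootStoreAudit {

    // Map SHA-256 fingerprint -> subject DN for every X.509 certificate in a store.
    static Map<String, String> fingerprints(String type) throws Exception {
        KeyStore ks;
        try {
            ks = KeyStore.getInstance(type, "SunMSCAPI");
        } catch (KeyStoreException e) {
            // Thrown when the provider does not register this type (JDK without the change).
            throw new IllegalStateException(type + " is not supported by this JDK", e);
        }
        ks.load(null, null); // native Windows stores take no stream and no password
        Map<String, String> out = new TreeMap<>();
        MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            if (c instanceof X509Certificate x) {
                String fp = HexFormat.of().formatHex(sha256.digest(x.getEncoded()));
                out.put(fp, x.getSubjectX500Principal().getName());
            }
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        Map<String, String> machine = fingerprints("Windows-ROOT-LOCALMACHINE");
        Map<String, String> user = fingerprints("Windows-ROOT-CURRENTUSER");
        System.out.printf("local machine roots: %d, current user roots: %d%n",
                machine.size(), user.size());
        // A root seen only for this account is not in the machine-wide store,
        // so it is worth reviewing how it came to be trusted.
        user.forEach((fp, subject) -> {
            if (!machine.containsKey(fp)) {
                System.out.println("user-only root: " + subject + " sha256=" + fp);
            }
        });
    }
}
```

On a non-Windows JDK the SunMSCAPI provider is absent and `KeyStore.getInstance` throws `NoSuchProviderException` instead.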

      The pull request [1] details the changes, but I will summarize the most important parts here:

      1. Extend support in KeyStoreUtil.java so that the new strings are clearly identified as being Windows stores

      2. Add the provider hooks in SunMSCAPI so that the new key stores can be discovered or opened explicitly

      3. Update the Windows API integration to support the new store location

      Outside of the pull request, the following changes should be made to the existing "JDK Providers Documentation" [4]:

      Existing:

      • Windows-MY : The keystore type that identifies the native Microsoft Windows MY keystore. It contains the user's personal certificates and associated private keys.

      • Windows-ROOT: The keystore type that identifies the native Microsoft Windows ROOT keystore. It contains the certificates of Root certificate authorities and other self-signed trusted certificates.

      Proposed:

      • Windows-MY / Windows-MY-CURRENTUSER : The keystore type that identifies the native Microsoft Windows MY keystore. It contains the user's personal certificates and associated private keys that are only accessible to the current user account.

      • Windows-ROOT / Windows-ROOT-CURRENTUSER: The keystore type that identifies the native Microsoft Windows ROOT keystore. It contains the certificates of Root certificate authorities and other self-signed trusted certificates that are only accessible to the current user account.

      • Windows-MY-LOCALMACHINE : The keystore type that identifies the native Microsoft Windows MY keystore. It contains certificates and associated private keys that are accessible to all accounts on the system.

      • Windows-ROOT-LOCALMACHINE: The keystore type that identifies the native Microsoft Windows ROOT keystore. It contains the certificates of Root certificate authorities and other self-signed trusted certificates that are accessible to all accounts on the system.

      [1] https://github.com/openjdk/jdk/pull/8211/files

      [2] https://docs.microsoft.com/en-us/windows/win32/seccrypto/hcryptprov-or-ncrypt-key-handle

      [3] https://docs.microsoft.com/en-us/windows/win32/seccrypto/hcryptprov

      [4] https://docs.oracle.com/en/java/javase/18/security/oracle-providers.html

            macarte Mat Carter
            ndcosta Nelson Dcosta (Inactive)
            Weijun Wang