JDK-8181583

Additional information to JDK-8026953

Details

    Description

      A DESCRIPTION OF THE REQUEST :
      The probable cause of this lack of CNG support is that whenever "sunmscapi.dll" calls the CryptAcquireCertificatePrivateKey function, it does not use the CRYPT_ACQUIRE_ALLOW_NCRYPT_KEY_FLAG flag or the CRYPT_ACQUIRE_PREFER_NCRYPT_KEY_FLAG flag, which are needed in order to properly use private keys stored via CNG, according to the function documentation:
      https://msdn.microsoft.com/en-en/library/windows/desktop/aa379885(v=vs.85).aspx

      JUSTIFICATION :
      This enhancement is necessary because Java users who have their certificates and private keys stored in CNG providers are not able to use them to authenticate themselves or to create digital signatures and encrypted messages.

      EXPECTED VERSUS ACTUAL BEHAVIOR :
      EXPECTED -
      The private key stored using CNG should be available to be used in a Java application.
      ACTUAL -
      The private key stored using CNG is not available to be used in a Java application.

      ---------- BEGIN SOURCE ----------
      import java.security.KeyStore;
      import java.security.PrivateKey;

      public class CNGFailure {
          public static void main(String[] args) {
              // CHANGE THE ALIAS TO MATCH AN EXISTING CERTIFICATE STORED VIA CNG
              String alias = "My CNG Stored Certificate";
              try {
                  KeyStore ks = KeyStore.getInstance("Windows-MY", "SunMSCAPI");
                  ks.load(null, null);
                  PrivateKey pk = (PrivateKey) ks.getKey(alias, null);
                  if (pk == null) {
                      System.err.println("Unable to get the private key.");
                  }
              } catch (Exception e) {
                  e.printStackTrace();
              }
          }
      }
      ---------- END SOURCE ----------
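
The reproducer above checks a single alias. As an added example (not part of the original report or of the JDK sources), the following diagnostic walks every alias in the Windows-MY store and reports which ones yield a private key through SunMSCAPI; the class name `WindowsMyKeyAudit` is hypothetical, and it must run on Windows with the SunMSCAPI provider available.

```java
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Collections;

// Added example, not from the original report; the class name is hypothetical.
public class WindowsMyKeyAudit {
    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("Windows-MY", "SunMSCAPI");
        ks.load(null, null); // Windows-MY takes no stream and no password

        int usable = 0;
        int unusable = 0;
        for (String alias : Collections.list(ks.aliases())) {
            // Algorithm of the certificate's public key, for context in the report.
            Certificate cert = ks.getCertificate(alias);
            String certAlg = (cert == null) ? "n/a" : cert.getPublicKey().getAlgorithm();

            // Same call as the reproducer: null or an exception means Java
            // cannot use this entry's private key.
            Key key = null;
            String detail;
            try {
                key = ks.getKey(alias, null);
                detail = (key == null) ? "getKey returned null" : key.getClass().getName();
            } catch (Exception e) {
                detail = "getKey threw " + e;
            }

            if (key != null) {
                usable++;
            } else {
                unusable++;
            }
            System.out.printf("%-40s isKeyEntry=%-5b certAlg=%-4s %s%n",
                    alias, ks.isKeyEntry(alias), certAlg, detail);
        }
        System.out.printf("%d alias(es) with a usable private key, %d without%n",
                usable, unusable);
    }
}
```

An alias reported without a key may be a CNG-backed key as described in this report, or simply a certificate that was installed without a private key; the certificate's properties in certmgr.msc show which case applies.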

            People

              psonal Pallavi Sonal (Inactive)
              webbuggrp Webbug Group