Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8284850

It is not possible to read local computer certificates with the SunMSCAPI provider

    XMLWordPrintable

    Details

    • Subcomponent:
    • Compatibility Risk:
      minimal
    • Scope:
      JDK

      Description

      Summary

      Expand the Windows KeyStore support in the SunMSCAPI provider to include access to the local machine location.

      Problem

      The native KeyStore provider for Windows (SunMSCAPI) provides access to certificates and keys stored in the Windows-MY (Personal) and Windows-ROOT (Trusted Root Certificate Authorities) stores. However, these stores are associated with a single user account [1]. There are scenarios, especially in cloud environments, where keys and certificates are associated with the local machine [2] such that they would be available to all users. Currently, in order to access the stores associated with the local machine, Java developers have to write their own wrappers in JNI.

      [1] https://docs.microsoft.com/en-us/windows/win32/seccrypto/system-store-locations#cert_system_store_current_user

      [2] https://docs.microsoft.com/en-us/windows/win32/seccrypto/system-store-locations#cert_system_store_local_machine

      Solution

      Expanding access to the local machine key stores is fairly trivial given that the current windows APIs used by the SunMSCAPI provider already support these scenarios (i.e. a new provider is not required). Keystores across all platforms are identified using a string and by handling the new locations as variants of the existing Windows strings there is no change to the API; but existing documentation will need to be updated [1]

      [1] https://docs.oracle.com/en/java/javase/18/security/oracle-providers.html

      Specification

      The expanded set of strings to be supported are:

      • "Windows-MY-LOCALMACHINE"
      • "Windows-ROOT-LOCALMACHINE"
      • "Windows-MY-CURRENTUSER"
      • "Windows-ROOT-CURRENTUSER"

      Note that the two strings ending in "-CURRENTUSER" map to the same keys stores as the existing strings supported by the SunMSCAPI provider ("Windows-MY" and "Windows-ROOT"); they are added to more explicitly identify that access to the current user certificates and keys is being requested, rather than implicitly as was the previous case. There is no plan to deprecate support for the existing strings

      The pull request [1] details the changes, but I will summarize the most important parts here:

      1. Extend support in KeyStoreUtil.java so that the new strings are clearly identified as being Windows stores

      2. Add the provider hooks in SunMSCAPI so that the new key stores can be discovered or opened explicitly

      3. Update the Windows API integration to support the new store location

      Outside of the pull request the following changes should be made to the existing "JDK Providers Documentation" [4]

      Existing:

      • Windows-MY : The keystore type that identifies the native Microsoft Windows MY keystore. It contains the user's personal certificates and associated private keys.

      • Windows-ROOT: The keystore type that identifies the native Microsoft Windows ROOT keystore. It contains the certificates of Root certificate authorities and other self-signed trusted certificates.

      Proposed:

      • Windows-MY / Windows-MY-CURRENTUSER : The keystore type that identifies the native Microsoft Windows MY keystore. It contains the user's personal certificates and associated private keys that are only accessible to the current user account.

      • Windows-ROOT / Windows-ROOT-CURRENTUSER: The keystore type that identifies the native Microsoft Windows ROOT keystore. It contains the certificates of Root certificate authorities and other self-signed trusted certificates that are only accessible to the current user account.

      • Windows-MY-LOCALMACHINE : The keystore type that identifies the native Microsoft Windows MY keystore. It contains certificates and associated private keys that are accessible to all accounts on the system.

      • Windows-ROOT-LOCALMACHINE: The keystore type that identifies the native Microsoft Windows ROOT keystore. It contains the certificates of Root certificate authorities and other self-signed trusted certificates that are accessible to all accounts on the system.

      [1] https://github.com/openjdk/jdk/pull/8211/files

      [2] https://docs.microsoft.com/en-us/windows/win32/seccrypto/hcryptprov-or-ncrypt-key-handle

      [3] https://docs.microsoft.com/en-us/windows/win32/seccrypto/hcryptprov

      [4] https://docs.oracle.com/en/java/javase/18/security/oracle-providers.html

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              macarte Mat Carter
              Reporter:
              ndcosta Nelson Dcosta (Inactive)
              Reviewed By:
              Weijun Wang
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved: