JDK-6782021 : It is not possible to read local computer certificates with the SunMSCAPI provider
  • Type: Enhancement
  • Component: security-libs
  • Sub-Component: javax.crypto
  • Affected Version: 6
  • Priority: P4
  • Status: Resolved
  • Resolution: Fixed
  • OS: windows_xp
  • CPU: x86
  • Submitted: 2008-12-08
  • Updated: 2023-07-29
  • Resolved: 2022-05-17
Fixed in:
  • JDK 11: 11.0.18 (Fixed)
  • JDK 17: 17.0.5 (Fixed)
  • JDK 19: 19 b23 (Fixed)
Sub Tasks
  • JDK-8286141
  • JDK-8286790
Description
A DESCRIPTION OF THE REQUEST :
Only 2 keystore types are available with the SunMSCAPI provider (Windows-MY / Windows-ROOT).
Neither of these 2 types allows retrieving the local computer certificates; only the user certificates can be seen.


JUSTIFICATION :
There is no way to access the local computer certificates using java.

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Either define a new store type like Windows-LOCALCOMPUTER,
or also list the computer local certificates when using the Windows-MY store type.
ACTUAL -
Listing the certificates using the Windows-MY keystore only retrieves the user certificates, excluding the local computer certificates.

---------- BEGIN SOURCE ----------
// first make sure to have a computer certificate installed in the windows local computer keystore
// use the certificate management console if necessary (MMC), select the certificates component, then select computer account instead of user account
// then this code will list the certificates found by the SunMSCAPI provider

import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

// imports and class wrapper (class name assumed) added so the snippet compiles as a file
public class ListWindowsMy {
    public static void main(String[] args) {
        try {
            // SunMSCAPI stores are backed by the Windows certificate store: no stream, no password
            KeyStore ks = KeyStore.getInstance("Windows-MY");
            ks.load(null, null);
            Enumeration<String> en = ks.aliases();

            while (en.hasMoreElements()) {
                String aliasKey = en.nextElement();
                X509Certificate c = (X509Certificate) ks.getCertificate(aliasKey);
                System.out.println("---> alias : " + aliasKey);
                System.out.println("    Certificat subjectDN : " + c.getSubjectDN());
                System.out.println("    Certificat issuerDN : " + c.getIssuerDN());
            }

        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}
---------- END SOURCE ----------

Comments
Fix-Request: Backport of e3c178d6d87c9e0e2a75cddc72d802cf9124420e. Patch applies cleanly. Tested on Windows, passes tier1 (via GH Actions) and manual tests provided in the patch.
01-09-2022

A pull request was submitted for review. URL: https://git.openjdk.org/jdk11u-dev/pull/1348 Date: 2022-08-30 21:01:49 +0000
30-08-2022

We received an answer wrt. CSR for backports on the CSR itself, just waiting for jdk17u-fix-yes
12-08-2022

We are backporting this and have a PR (https://github.com/openjdk/jdk17u-dev/pull/630) but we are not clear on how we progress backporting the existing CSR request (https://bugs.openjdk.org/browse/JDK-8284850) for the backport?
10-08-2022

Fix-Request: Backport of 5e5500cbd79b40a32c20547ea0cdb81ef6904a3d. Patch applies cleanly. Tested on Windows, passes tier1 (via GH Actions) and manual tests provided in the patch.
10-08-2022

A pull request was submitted for review. URL: https://git.openjdk.org/jdk17u-dev/pull/630 Date: 2022-08-10 18:50:49 +0000
10-08-2022

Changeset: 5e5500cb Author: Mat Carter <54955201+macarte@users.noreply.github.com> Committer: Weijun Wang <weijun@openjdk.org> Date: 2022-05-17 02:41:36 +0000 URL: https://git.openjdk.java.net/jdk/commit/5e5500cbd79b40a32c20547ea0cdb81ef6904a3d
17-05-2022

Note that jtreg tests have been added to the PR
16-05-2022

Use the following application to enumerate the certificates/keys in each store using these commands:

1) java AcpTest.java Windows-MY
2) java AcpTest.java Windows-ROOT
3) java AcpTest.java Windows-MY-CURRENTUSER
4) java AcpTest.java Windows-ROOT-CURRENTUSER
5) java AcpTest.java Windows-MY-LOCALMACHINE
6) java AcpTest.java Windows-ROOT-LOCALMACHINE

Output from 1 & 3 should be identical, as should 2 & 4. 5 & 6 require admin privileges (without, you should see java.security.KeyStoreException: Access is denied).

    import java.security.*;
    import java.security.cert.X509Certificate;
    import java.util.Enumeration;

    class AcpTest {
        public static void main(String[] args) throws Exception {
            try {
                System.out.println("Access keystore: " + args[0]);
                KeyStore keyStore = KeyStore.getInstance(args[0]);
                keyStore.load(null, null);
                Enumeration<String> en = keyStore.aliases();
                while (en.hasMoreElements()) {
                    String aliasKey = en.nextElement();
                    X509Certificate c = (X509Certificate) keyStore.getCertificate(aliasKey);
                    System.out.println("---> alias : " + aliasKey);
                    System.out.println(" -- Cert subjectDN : " + c.getSubjectDN());
                    System.out.println(" -- Cert issuerDN : " + c.getIssuerDN());
                    System.out.println("");
                }
                System.out.println("KeyStore loaded: " + keyStore);
                System.out.println("KeyStore provider: " + keyStore.getProvider());
                System.out.println("KeyStore size: " + keyStore.size());
                System.out.println("Success!");
            } catch (Exception ex) {
                System.out.println("Error!");
                ex.printStackTrace();
            }
        }
    }
03-05-2022

On Windows you can now access the local machine keystores using the strings "Windows-MY-LOCALMACHINE" and "Windows-ROOT-LOCALMACHINE"; note the application requires admin privileges. "Windows-MY" and "Windows-ROOT" remain unchanged; however, given these original keystore strings mapped to the current user, I added "Windows-MY-CURRENTUSER" and "Windows-ROOT-CURRENTUSER" so that a developer can explicitly specify the current user location. These two new strings simply map to the original two strings, i.e. no duplication of code paths etc. No new tests added; keystore functionality and API remain unchanged, and the local machine keystore types would require the tests to run in admin mode. Tested on Windows, passes tier1 and tier2 tests.
12-04-2022
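The comment above introduces the "Windows-MY-LOCALMACHINE" / "Windows-ROOT-LOCALMACHINE" store types and notes that they need admin rights. The following is an added example, not code from the bug report or from the OpenJDK change, showing what a machine certificate is usually wanted for: it opens one of the new local-machine stores, keeps only the aliases that carry a private key and a currently valid certificate, and builds a server-side SSLContext from them. The class and method names (LocalMachineTlsIdentity, openStore, usableKeyAliases, serverContext, isAccessDenied) are assumptions; so is the way the access-denied error surfaces (a KeyStoreException, possibly wrapped in an IOException by KeyStore.load), which is why the code walks the cause chain rather than catching one exact type.

```java
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;

// Added example; not part of the bug report or the OpenJDK fix. Class and method
// names are assumptions. The store type strings are the ones introduced by the fix.
public class LocalMachineTlsIdentity {

    // SunMSCAPI stores are backed by the Windows certificate store, so load()
    // takes no stream and no password.
    static KeyStore openStore(String type) throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance(type);
        ks.load(null, null);
        return ks;
    }

    // Aliases whose entry has a private key (isKeyEntry) and whose certificate is
    // valid right now. Expired or not-yet-valid machine certificates are reported
    // and skipped rather than silently offered to TLS clients.
    static List<String> usableKeyAliases(KeyStore ks) throws KeyStoreException {
        List<String> usable = new ArrayList<>();
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (!ks.isKeyEntry(alias)) {
                continue; // certificate-only entry: nothing to serve TLS with
            }
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            try {
                cert.checkValidity();
                usable.add(alias);
            } catch (CertificateException notCurrentlyValid) {
                System.out.println("skipping " + alias + " (" + cert.getSubjectX500Principal()
                        + "): " + notCurrentlyValid.getMessage());
            }
        }
        return usable;
    }

    // Server SSLContext whose key manager draws private keys from the SunMSCAPI
    // store. The key password is null: the provider does not use one.
    static SSLContext serverContext(KeyStore ks) throws GeneralSecurityException {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, null);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null);
        return ctx;
    }

    // True if the cause chain contains the "Access is denied" KeyStoreException that
    // the comment above reports for the LOCALMACHINE stores without admin rights.
    static boolean isAccessDenied(Throwable t) {
        for (Throwable c = t; c != null; c = c.getCause()) {
            if (c instanceof KeyStoreException
                    && String.valueOf(c.getMessage()).contains("Access is denied")) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        String type = args.length > 0 ? args[0] : "Windows-MY-LOCALMACHINE";
        KeyStore ks;
        try {
            ks = openStore(type);
        } catch (IOException | GeneralSecurityException e) {
            if (isAccessDenied(e)) {
                System.err.println(type + ": access denied; run from an elevated (administrator) prompt");
            } else {
                System.err.println(type + ": cannot open store (Windows JDK with this fix required): " + e);
            }
            return;
        }
        System.out.println("Provider: " + ks.getProvider().getName() + ", entries: " + ks.size());
        List<String> aliases = usableKeyAliases(ks);
        if (aliases.isEmpty()) {
            System.out.println("no usable private-key entry in " + type);
            return;
        }
        System.out.println("usable key aliases: " + aliases);
        SSLContext ctx = serverContext(ks);
        System.out.println("SSLContext ready: " + ctx.getProtocol() + " via " + ctx.getProvider().getName());
    }
}
```

Run it the same way as the AcpTest program above (`java LocalMachineTlsIdentity.java Windows-MY-LOCALMACHINE`) from an elevated prompt on a JDK that contains the fix; passing "Windows-MY" or "Windows-MY-CURRENTUSER" instead shows the difference between the per-user and machine-wide stores on the same host.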

A pull request was submitted for review. URL: https://git.openjdk.java.net/jdk/pull/8211 Date: 2022-04-12 19:03:40 +0000
12-04-2022

A pull request was submitted for review. URL: https://git.openjdk.java.net/jdk/pull/8210 Date: 2022-04-12 16:55:28 +0000
12-04-2022

We can add "Windows-MY-LOCALMACHINE" and "Windows-ROOT-LOCALMACHINE" as new store types.
11-04-2022

I emailed Weijun (assignee) last year to ask about progress as I have a customer request for this feature; with no response and no activity on this issue I went ahead and prototyped the basic functionality on 11 and 18. Earlier today I emailed security-dev to propose that we complete this enhancement (https://mail.openjdk.java.net/pipermail/security-dev/2022-March/029641.html)
31-03-2022

Is somebody working on this issue? Was there a conclusion why to not solve it?
09-02-2022

Posted by Bernd Eckenfels on security-dev http://mail.openjdk.java.net/pipermail/security-dev/2018-August/017824.html: "What also should be mentioned is that the old CAPI clients cannot access CNG Keys. Which is especially a pity since only the new keys benefit from the cryptographic process isolation (not to mention the confusion that it’s hard to see which provide hosts them)"
08-08-2018

See also http://mail.openjdk.java.net/pipermail/security-dev/2018-August/017808.html for a related discussion of this issue.
08-08-2018