JDK-8284850 : It is not possible to read local computer certificates with the SunMSCAPI provider
  • Type: CSR
  • Component: security-libs
  • Sub-Component: javax.crypto
  • Priority: P4
  • Status: Closed
  • Resolution: Approved
  • Fix Versions: 11-pool,17-pool,18-pool,19
  • Submitted: 2022-04-13
  • Updated: 2024-07-01
  • Resolved: 2022-05-16
Related Reports
CSR :  
JDK-6782021 - It is not possible to read local computer certificates with the SunMSCAPI provider
Relates :  
JDK-8335388 - SunMSCAPI Provider behavior change
Description
Summary
-------

Expand the Windows KeyStore support in the SunMSCAPI provider to include access to the local machine location. 

Problem
-------

The native KeyStore provider for Windows (SunMSCAPI) provides access to certificates and keys stored in the Windows-MY (Personal) and Windows-ROOT (Trusted Root Certificate Authorities) stores.  However, these stores are associated with a single user account [1]. There are scenarios, especially in cloud environments, where keys and certificates are associated with the local machine [2] such that they would be available to all users. Currently, in order to access the stores associated with the local machine, Java developers have to write their own wrappers in JNI. 

[1] https://docs.microsoft.com/en-us/windows/win32/seccrypto/system-store-locations#cert_system_store_current_user

[2] https://docs.microsoft.com/en-us/windows/win32/seccrypto/system-store-locations#cert_system_store_local_machine

Solution
--------

Expanding access to the local machine key stores is fairly trivial given that the current windows APIs used by the SunMSCAPI provider already support these scenarios (i.e. a new provider is not required).  Keystores across all platforms are identified using a string and by handling the new locations as variants of the existing Windows strings there is no change to the API; but existing documentation will need to be updated [1]

[1] https://docs.oracle.com/en/java/javase/18/security/oracle-providers.html

Specification
-------------

The expanded set of strings to be supported are:

 - "Windows-MY-LOCALMACHINE"
 - "Windows-ROOT-LOCALMACHINE"
 - "Windows-MY-CURRENTUSER"
 - "Windows-ROOT-CURRENTUSER"
	
Note that the two strings ending in "-CURRENTUSER" map to the same keys stores as the existing strings supported by the SunMSCAPI provider ("Windows-MY" and "Windows-ROOT"); they are added to more explicitly identify that access to the current user certificates and keys is being requested, rather than implicitly as was the previous case.  There is no plan to deprecate support for the existing strings

The pull request [1] details the changes, but I will summarize the most important parts here:

1. Extend support in KeyStoreUtil.java so that the new strings are
    clearly identified as being Windows stores 

2. Add the provider hooks in
    SunMSCAPI so that the new key stores can be discovered or opened
    explicitly

3. Update the Windows API integration to support the new store location


Outside of the pull request the following changes should be made to the existing "JDK Providers Documentation" [4]

Existing:

- **Windows-MY** : The keystore type that identifies the native Microsoft Windows MY keystore. It contains the user's personal certificates and associated private keys.
    		
- **Windows-ROOT**: The keystore type that identifies the native Microsoft Windows ROOT keystore. It contains the certificates of Root certificate authorities and other self-signed trusted certificates.
	
Proposed: 
		
- **Windows-MY / Windows-MY-CURRENTUSER** : The keystore type that identifies the native Microsoft Windows MY keystore. It contains the user's personal certificates and associated private keys that are only accessible to the current user account.

-  **Windows-ROOT / Windows-ROOT-CURRENTUSER**: The keystore type that identifies the native Microsoft Windows ROOT keystore. It contains the certificates of Root certificate authorities and other self-signed trusted certificates that are only accessible to the current user account.

-  **Windows-MY-LOCALMACHINE** : The keystore type that identifies the native Microsoft Windows MY keystore. It contains certificates and associated private keys that are accessible to all accounts on the system.

-  **Windows-ROOT-LOCALMACHINE**: The keystore type that identifies the native Microsoft Windows ROOT keystore. It contains the certificates of Root certificate authorities and other self-signed trusted certificates that are accessible to all accounts on the system.
	
	
[1] https://github.com/openjdk/jdk/pull/8211/files

[2] https://docs.microsoft.com/en-us/windows/win32/seccrypto/hcryptprov-or-ncrypt-key-handle

[3] https://docs.microsoft.com/en-us/windows/win32/seccrypto/hcryptprov

[4] https://docs.oracle.com/en/java/javase/18/security/oracle-providers.html
Comments
Thanks you! There are no changes so I'll continue with the next step of looking for a sponsor :-)
12-08-2022
The CSR already has a fixVersion for 17-pool, so unless the details in the backport are different such that the information in this CSR is not the same or needs to be updated, you don't need to file another CSR. See the Question "How should I get CSR review for multiple release trains?" in the [CSR FAQ][1] for more details. [1]: https://wiki.openjdk.org/display/csr/CSR+FAQs
12-08-2022
@Weijun Wang - We are backporting the associated JBS (https://bugs.openjdk.org/browse/JDK-6782021) and have a PR (https://github.com/openjdk/jdk17u-dev/pull/630) but we are not clear on how we progress the CSR request for the backport, could you offer some guidance?
10-08-2022
[~mullan], yes, since the "Security Developer’s Guide" is JDK documentation, the scope is JDK. Moving to Approved.
16-05-2022
Updated release notes: https://bugs.openjdk.java.net/browse/JDK-8286790 Updated scope to JDK
16-05-2022
I've created a blank release note at https://bugs.openjdk.java.net/browse/JDK-8286790. Will ask Mat to provide the content. [~macarte] There is a guide at https://openjdk.java.net/guide/#release-notes. As for the doc change, the keystore row for the SunMSCAPI provider in JDK 11u and JDK 19-ea are exactly the same, any change will also be the same.
15-05-2022
I would think that the scope of this request is JDK and not Implementation since the KeyStore types are exposed to and need to be specified by applications to be used, and you would at least want that to be consistent across different JDK implementations. What would be your advice [~darcy]?
12-05-2022
I've updated the fixVersion to use "-pool" values for the earlier release trains. If the diff of the change is different in the update releases compared to the feature release, JDK 19, then a separate CSR should be filed. There is a separate process to create release notes. tl'dr -- a label is added to the main issue in JBS and then a subtask is used to hold the text of the note.
12-05-2022
I've updated the fix versions to include 17 and 11. Weijun filed a task to update the documentation: https://bugs.openjdk.java.net/browse/JDK-8286141 From the template I assumed that the summary would be included in the release notes, if this is not the case and I need to privde this elsewhere please let me know (I re-read the CSR process on the wiki and can't find any reference)
12-05-2022
Moving to Provisional, not Approved. How is this change planned to be documented? Release note? No documentation? Is the intention to be able to backport this change?
11-05-2022