JDK-8133634 Java gets SunMSCAPI entry as TrustedCertificateEntry instead of PrivateKeyEntry
Bernd
ecki at zusammenkunft.net
Wed Mar 1 23:43:17 UTC 2017
Hello,
regarding the bug https://bugs.openjdk.java.net/browse/JDK-8133634
(assigned to Vincent), I can help.
When importing the P12 container on a recent Windows, it is by default
imported under a CSP provider from the CNG API and not into the legacy CAPI store.
Import via CLI or certmgr.msc (exportable or not):
> certutil.exe -user -f -v -importpfx "ACA PF Administrativo Activo.p12"
Consequently it does not show up as having a key in the Windows KeyStore
implementation:
> keytool -list -storetype Windows-MY
> ...
> EA=demo.empleado at cgae.redabogacia.org, .... trustedCertEntry,
> Zertifikat-Fingerprint (SHA1): 89:69:78:75:52:6A:DB:01:9B:95:42:63:19:E3:00:9E:60:5E:1D:EF
You can verify the cryptographic provider used with the Windows tool:
> certutil.exe -store -user my
It will list the certificate and mention "Microsoft Base Cryptographic
Provider 1.0".
If the P12 is deleted and re-imported with the following command, the key
will show up in the legacy keystore:
> certutil -csp "Microsoft Strong Cryptographic Provider" -user -f -v -importpfx "ACA PF Administrativo Activo.p12"
> ...
> Das Zertifikat "EA=demo.empleado at cgae.redabogacia.org, ..." wurde zum Speicher hinzugefügt.
Again certutil shows us the (better) provider:
> CertUtil.exe -store -user my
> my "Eigene Zertifikate"
> ================ Zertifikat 0 ================
> Seriennummer: 659d357f6f05af385114e692393b5bb0
> Aussteller: CN=ACA...
> Antragsteller: E=demo.empleado at cgae.redabogacia.org, ..
> Kein Stammzertifikat
> Zertifikathash(sha1): 89 69 78 75 52 6a db 01 9b 95 42 63 19 e3 00 9e 60 5e 1d ef
> Schlüsselcontainer = {0F1CB13E-CA6C-46D0-9C74-25F7B3C780D9}
> Eindeutiger Containername: 512a12f4d213aef6c4cadf5a5efc19cf_74be6a0b-923e-4199-a6c6-b2089f1643c4
> Anbieter = Microsoft Base Cryptographic Provider v1.0
And consequently keytool will list it as a key:
> keytool -list -storetype Windows-MY
> ...
> EA=demo.empleado at cgae.redabogacia.org, CN=NOMBRE..., PrivateKeyEntry,
> ...
It is very unfortunate that the SunMSCAPI provider uses the old CAPI and not
the CNG versions, because the new versions benefit for example from a
Common Criteria certification where the key material is stored in the
privileged KeyIso service, unreachable by the application. (And I guess it
would solve a few of the problems with alternative sign formats, with
unavailable smartcard stubs etc.)
So, any idea if we will see CNG support any time soon? It has been available since
Vista.
Regards
Bernd
PS: can somebody extend the JIRA with my research (attribution welcome).
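As an added example (not code from Bernd's mail or from OpenJDK), the following PowerShell check reports, for every certificate in the user's My store, whether its private key lives in a legacy CAPI CSP or in a CNG KSP, which is the distinction behind trustedCertEntry versus PrivateKeyEntry above. It assumes Windows PowerShell 5.1 on .NET Framework 4.6+, where GetRSAPrivateKey() returns RSACryptoServiceProvider for CAPI keys and RSACng for CNG keys; the function name is made up for this example.

```powershell
# Added example for this thread, not code from the original mail or from OpenJDK.
# Assumes Windows PowerShell 5.1 on .NET Framework 4.6+, where GetRSAPrivateKey()
# returns RSACryptoServiceProvider for a CAPI CSP key and RSACng for a CNG KSP key.
# The function name Get-PrivateKeyProviderReport is made up for this example.
function Get-PrivateKeyProviderReport {
    param([string]$StorePath = 'Cert:\CurrentUser\My')   # the store "certutil -store -user my" lists

    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert     = $_
        $keyApi   = 'none'
        $provider = $null

        if ($cert.HasPrivateKey) {
            try {
                if ($cert.PublicKey.Oid.FriendlyName -eq 'RSA') {
                    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                        # Legacy CAPI CSP, e.g. "Microsoft Strong Cryptographic Provider"
                        $keyApi   = 'CAPI'
                        $provider = $rsa.CspKeyContainerInfo.ProviderName
                    } elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
                        # CNG KSP, e.g. "Microsoft Software Key Storage Provider"
                        $keyApi   = 'CNG'
                        $provider = $rsa.Key.Provider.Provider
                    }
                } else {
                    # Non-RSA (ECC) keys have no CAPI CSP and are always held by a CNG KSP
                    $keyApi = 'CNG'
                }
            } catch {
                # Opening a hardware-backed key can fail or prompt; report it instead of aborting
                $keyApi   = 'error'
                $provider = $_.Exception.Message
            }
        }

        [pscustomobject]@{
            Subject            = $cert.Subject
            Thumbprint         = $cert.Thumbprint
            KeyApi             = $keyApi
            Provider           = $provider
            # The CAPI-only SunMSCAPI described in the thread can reach CAPI CSP keys only
            VisibleToSunMSCAPI = ($keyApi -eq 'CAPI')
        }
    }
}

Get-PrivateKeyProviderReport | Format-Table -AutoSize
```

Certificates reported with KeyApi CNG are the ones keytool -list -storetype Windows-MY will show as trustedCertEntry; re-importing them with certutil -csp as described above moves the key to a CAPI CSP.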