JDK-6782021

Oddbjørn Kvalsund oddbjornkvalsund at gmail.com
Tue Aug 7 05:36:10 UTC 2018


Hi,

I was just bitten by this issue [JDK-6782021] It is not possible to read local
computer certificates with the SunMSCAPI provider
<https://bugs.openjdk.java.net/browse/JDK-6782021> and from StackOverflow I
notice that several other people (see [1][2][3]) have come across the same
problem. Coming up on the 10th anniversary for this issue; any chance we'll
see some love for it? Or at least a comment on the issue on what timeline
to expect and a list of workaround/alternative solutions for the meantime?

Background: I'm working with a company having primarily Microsoft
infrastructure and they have a routine where all Windows servers
automatically receive new certificates/keys when the old ones expire. These
certificates are installed in the "Local Computer → Private" certificate
store. They're quite fond of this system and hesitant to diverge from it,
so my preferred option is to just "get with the program". To temporarily
get around JDK-6782021 I created a small utility [5] that intercepts the
JDK's call to 'CertOpenSystemStore' [4] and presents a read-only virtual
certificate store combining all certificates and keys from the "Current
User" and "Local Computer" certificate stores, but this may have unexpected
implications that I've not yet uncovered, so I'd much prefer not having to
do this. A more thorough solution would be to use the commercial Pheox
JCAPI [6] product, but this is rather expensive and way overkill for what I
(and most others, it seems) need.

References:
[1] https://stackoverflow.com/questions/3612962/access-local-machine-certificate-store-in-java/51708360
[2] https://stackoverflow.com/questions/51205158/access-windows-local-machine-personal-keystore-with-java-sunmscapi
[3] https://stackoverflow.com/questions/51193143/use-jna-to-get-local-machine-certificate
[4] http://hg.openjdk.java.net/jdk/jdk/file/tip/src/jdk.crypto.mscapi/windows/native/libsunmscapi/security.cpp
[5] https://github.com/oddbjornkvalsund/wcsa
[6] https://pheox.com/products/jcapi/

Best regards,
Oddbjørn Kvalsund
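An added example (not the poster's wcsa utility and not JDK code) that makes the gap concrete: SunMSCAPI calls CertOpenSystemStore, which is equivalent to CertOpenStore on the CERT_SYSTEM_STORE_CURRENT_USER location, whereas the server certificates described above live under CERT_SYSTEM_STORE_LOCAL_MACHINE. The Java/JNA snippet below opens that store directly; it assumes Windows and JNA 5 on the classpath, the crypt32 binding and CERT_CONTEXT mapping are declared by hand here, and it reads only the public certificate data (the private keys stay in the OS key container and are not touched).

```java
import com.sun.jna.*;
import com.sun.jna.win32.StdCallLibrary;
import java.io.ByteArrayInputStream;
import java.security.cert.*;
import java.util.*;

public class LocalMachineStore {
    // Hand-declared crypt32 binding (example code; not the JDK's native code and not wcsa).
    public interface Crypt32 extends StdCallLibrary {
        Crypt32 INSTANCE = Native.load("crypt32", Crypt32.class);
        Pointer CertOpenStore(Pointer provider, int encoding, Pointer hProv, int flags, WString name);
        CERT_CONTEXT CertEnumCertificatesInStore(Pointer store, CERT_CONTEXT prev);
        boolean CertCloseStore(Pointer store, int flags);
    }
    // Layout of the Win32 CERT_CONTEXT struct; only the DER blob fields are read here.
    @Structure.FieldOrder({"dwCertEncodingType", "pbCertEncoded", "cbCertEncoded", "pCertInfo", "hCertStore"})
    public static class CERT_CONTEXT extends Structure {
        public int dwCertEncodingType;
        public Pointer pbCertEncoded;
        public int cbCertEncoded;
        public Pointer pCertInfo;
        public Pointer hCertStore;
    }

    static final Pointer CERT_STORE_PROV_SYSTEM_W = new Pointer(10);  // provider id passed as LPCSTR(10)
    static final int CERT_SYSTEM_STORE_CURRENT_USER  = 0x00010000;   // what CertOpenSystemStore implies
    static final int CERT_SYSTEM_STORE_LOCAL_MACHINE = 0x00020000;   // the store JDK-6782021 is about
    static final int CERT_STORE_READONLY_FLAG        = 0x00008000;   // never modify the store by accident

    /** Opens the "MY" store at the given location read-only and returns its certificates. */
    public static List<X509Certificate> listMy(int location) throws Exception {
        Crypt32 c = Crypt32.INSTANCE;
        Pointer store = c.CertOpenStore(CERT_STORE_PROV_SYSTEM_W, 0, null,
                location | CERT_STORE_READONLY_FLAG, new WString("MY"));
        if (store == null) throw new IllegalStateException("CertOpenStore failed (access denied?)");
        List<X509Certificate> out = new ArrayList<>();
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try {
            CERT_CONTEXT ctx = null;
            // Each call frees the previous context; null marks the end of the store.
            while ((ctx = c.CertEnumCertificatesInStore(store, ctx)) != null) {
                byte[] der = ctx.pbCertEncoded.getByteArray(0, ctx.cbCertEncoded);
                out.add((X509Certificate) cf.generateCertificate(new ByteArrayInputStream(der)));
            }
        } finally {
            c.CertCloseStore(store, 0);
        }
        return out;
    }
}
```

Calling `listMy(CERT_SYSTEM_STORE_LOCAL_MACHINE)` lists the machine certificates that `KeyStore.getInstance("Windows-MY")` does not show, while `listMy(CERT_SYSTEM_STORE_CURRENT_USER)` reproduces what SunMSCAPI sees.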