JDK-6782021

Seán Coffey sean.coffey at oracle.com
Wed Aug 8 08:35:17 UTC 2018


Vinnie is not working on security-libs any more and I think the JBS 
report should be marked as unassigned.  If any contributors want to 
suggest a patch, then I think it can be reviewed on this list!

regards,
Sean.

On 07/08/2018 06:36, Oddbjørn Kvalsund wrote:
> Hi,
>
> I was just bitten by this issue: [JDK-6782021] It is not possible to read 
> local computer certificates with the SunMSCAPI provider 
> <https://bugs.openjdk.java.net/browse/JDK-6782021> and from 
> StackOverflow I notice that several other people (see [1][2][3]) have 
> come across the same problem. Coming up on the 10th anniversary for 
> this issue; any chance we'll see some love for it? Or at least a 
> comment on the issue on what timeline to expect and a list of 
> workaround/alternative solutions for the meantime?
>
> Background: I'm working with a company having primarily Microsoft 
> infrastructure and they have a routine where all Windows servers 
> automatically receive new certificates/keys when the old ones expire. 
> These certificates are installed in the "Local Computer → Private" 
> certificate store. They're quite fond of this system and hesitant to 
> diverge from it, so my preferred option is to just "get with the 
> program". To temporarily get around JDK-6782021 I created a small 
> utility [5] that intercepts the JDK's call to 'CertOpenSystemStore' [4] 
> and presents a read-only virtual certificate store combining all 
> certificates and keys from the "Current User" and "Local Computer" 
> certificate stores, but this may have unexpected implications that 
> I've not yet uncovered, so I'd much prefer not having to do this. A 
> more thorough solution would be to use the commercial Pheox JCAPI [6] 
> product, but this is rather expensive and way overkill for what I (and 
> most others, it seems) need.
>
> References:
> [1] 
> https://stackoverflow.com/questions/3612962/access-local-machine-certificate-store-in-java/51708360
> [2] 
> https://stackoverflow.com/questions/51205158/access-windows-local-machine-personal-keystore-with-java-sunmscapi
> [3] 
> https://stackoverflow.com/questions/51193143/use-jna-to-get-local-machine-certificate
> [4] 
> http://hg.openjdk.java.net/jdk/jdk/file/tip/src/jdk.crypto.mscapi/windows/native/libsunmscapi/security.cpp
> [5] https://github.com/oddbjornkvalsund/wcsa
> [6] https://pheox.com/products/jcapi/
>
> Best regards,
> Oddbjørn Kvalsund
