RFR 8223063: Support CNG RSA keys
Bernd Eckenfels
ecki at zusammenkunft.net
Wed May 1 20:09:33 UTC 2019
Max, would it make sense to specify ` -csp "Microsoft Software Key Storage Provider"` to make sure it stores the key in a CNG KSP? (I am not sure what the default provider is). Also maybe make the key non-exportable to make sure key-handles are actually used for the operations?
Gruss
Bernd
--
http://bernd.eckenfels.net
________________________________
Von: security-dev <security-dev-bounces at openjdk.java.net> im Auftrag von Weijun Wang <weijun.wang at oracle.com>
Gesendet: Mittwoch, Mai 1, 2019 7:21 PM
An: security-dev at openjdk.java.net
Betreff: Re: RFR 8223063: Support CNG RSA keys
It looks the Mach5 machines are Windows Server 2012 but mine is 2019. I removed the "-f" option and everything looks fine now.
--Max
> On May 1, 2019, at 7:18 AM, Weijun Wang <weijun.wang at oracle.com> wrote:
>
> Please take a look at
>
> https://cr.openjdk.java.net/~weijun/8223063/webrev.00/
>
> Unfortunately, although the new test I added succeeds on my own machine, the "certutil -importPFX" command inside always fail on Mach5 with
>
> Command line: [certutil -f -v -p changeit -user -importpfx MY ks NoRoot]
> A -- A-7626e24d-46df-4ba0-8880-9866bb1-01966
> A -- A-7626e24d-46df-4ba0-8880-9866bb178ab6
> CertUtil: -importPFX command FAILED: 0x80090029 (-2146893783 NTE_NOT_SUPPORTED)
> CertUtil: The requested operation is not supported.
>
> Maybe there is a permission issue.
>
> I'll study it for more, but If anyone of you can fix it I'll be very happy.
>
> Thanks,
> Max
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.openjdk.org/pipermail/security-dev/attachments/20190501/5ef9edc6/attachment.htm>
More information about the security-dev
mailing list