RFR 8223063: Support CNG RSA keys
Weijun Wang
weijun.wang at oracle.com
Sun May 5 04:47:20 UTC 2019
OK, the command is now
certutil -v -p changeit -csp "Microsoft Software Key Storage Provider" -user -importpfx MY ks NoRoot,NoExport
Test still passes.
Thanks,
Max
> On May 2, 2019, at 4:09 AM, Bernd Eckenfels <ecki at zusammenkunft.net> wrote:
>
> Max, would it make sense to specify ` -csp "Microsoft Software Key Storage Provider"` to make sure it stores the key in a CNG KSP? (I am not sure what the default provider is). Also maybe make the key non-exportable to make sure key-handles are actually used for the operations?
>
> Regards
> Bernd
>
>
> --
> http://bernd.eckenfels.net
>
> From: security-dev <security-dev-bounces at openjdk.java.net> on behalf of Weijun Wang <weijun.wang at oracle.com>
> Sent: Wednesday, May 1, 2019 7:21 PM
> To: security-dev at openjdk.java.net
> Subject: Re: RFR 8223063: Support CNG RSA keys
>
> It looks like the Mach5 machines are Windows Server 2012 but mine is 2019. I removed the "-f" option and everything looks fine now.
>
> --Max
>
> > On May 1, 2019, at 7:18 AM, Weijun Wang <weijun.wang at oracle.com> wrote:
> >
> > Please take a look at
> >
> > https://cr.openjdk.java.net/~weijun/8223063/webrev.00/
> >
> > Unfortunately, although the new test I added succeeds on my own machine, the "certutil -importPFX" command inside always fails on Mach5 with
> >
> > Command line: [certutil -f -v -p changeit -user -importpfx MY ks NoRoot]
> > A -- A-7626e24d-46df-4ba0-8880-9866bb1-01966
> > A -- A-7626e24d-46df-4ba0-8880-9866bb178ab6
> > CertUtil: -importPFX command FAILED: 0x80090029 (-2146893783 NTE_NOT_SUPPORTED)
> > CertUtil: The requested operation is not supported.
> >
> > Maybe there is a permission issue.
> >
> > I'll study it more, but if any of you can fix it I'll be very happy.
> >
> > Thanks,
> > Max
> >
>