Proposal: Extend Windows KeyStore support to include access to the local machine location

Wei-Jun Wang weijun.wang at oracle.com
Fri Apr 1 22:15:41 UTC 2022


Hi Mat,

We have 2 main concerns:

1. In Java's KeyStore a certificate entry is called TrustedCertificateEntry. The name implies that the certificate is trusted for any purpose. We don't want some certificates that were not meant to be trusted showing up.

2. PrivateKeyEntry is (IMO) mainly used for client auth in TLS. We don't want new entries to suddenly appear there and be automatically chosen by a key manager.

It looks OK to enhance Windows-ROOT to cover more root CA certs in your organization, but including new entries in Windows-MY is a little dangerous. It's OK to introduce a new store type for MY in LOCAL_MACHINE.

And we have no plan to add other types like ADDRESSBOOK.

Thanks,
Weijun

> On Mar 31, 2022, at 5:16 PM, Mat Carter <Matthew.Carter at microsoft.com> wrote:
> 
> Current support for KeyStores on Windows is limited to the current user location [1]
> 
> There have been previous requests for local machine support [2] along with discussion on the security-dev mailing list [3]; further discussions have occurred on Stack Overflow in the past [4] and [5].
> 
> Using JNI you can access local machine locations, but then you are duplicating much of the existing native functionality; this also adds the requirement that developers need to know C/C++ and the Windows cryptography API.
> 
> Given the above, I propose that we add native support for local machine KeyStore locations.
> 
> Users can currently access two physical key stores (in the current user location):
> 
> "Windows-MY": .Default
> "Windows-ROOT": .Default.LocalMachine, .SmartCard
> 
> Adding the local machine location opens up access to a further two physical key stores …
> 
> "Windows-MY": .Default
> "Windows-ROOT": .Default.AuthRoot, .GroupPolicy, .Enterprise, .SmartCard
> 
> Please let me know if there are any existing efforts to bring this functionality to Java, or references to prior decisions on this subject.
> 
> Thanks in advance
> Mat Carter
> 
> [1] https://docs.microsoft.com/en-us/windows/win32/seccrypto/system-store-locations
> [2] https://bugs.openjdk.java.net/browse/JDK-6782021
> [3] http://mail.openjdk.java.net/pipermail/security-dev/2018-August/017832.html
> [4] https://stackoverflow.com/questions/70200603/accessing-windows-local-machine-certificates-from-a-windows-service-written-in-j
> [5] https://stackoverflow.com/questions/3612962/access-local-machine-certificate-store-in-java
> 
> 
> Sent from Outlook
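The auto-selection risk raised in point 2 of the reply above (a PrivateKeyEntry in Windows-MY being picked by the key manager for TLS client auth), as an added example that is not part of this thread or of the JDK: a hypothetical PinnedWindowsMyKeyManager wrapper that pins client authentication to one named entry of the current-user Windows-MY store, plus a main() that lists which entries are PrivateKeyEntry versus TrustedCertificateEntry. It assumes a Windows JDK with the SunMSCAPI provider; the class name, forAlias and the alias passed in are assumptions.

```java
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.X509ExtendedKeyManager;
import javax.net.ssl.X509KeyManager;
// Hypothetical helper: pins TLS client auth to one named Windows-MY entry, so a
// PrivateKeyEntry that appears in the store later is never auto-selected.
public final class PinnedWindowsMyKeyManager extends X509ExtendedKeyManager {
    private final X509KeyManager delegate;
    private final String pinnedAlias;
    private PinnedWindowsMyKeyManager(X509KeyManager delegate, String pinnedAlias) {
        this.delegate = delegate;
        this.pinnedAlias = pinnedAlias;
    }
    // Builds from the current-user Windows-MY store; SunMSCAPI ignores the password.
    public static KeyManager[] forAlias(String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance("Windows-MY");
        ks.load(null, null);
        if (!ks.isKeyEntry(alias))  // only a PrivateKeyEntry can do client auth
            throw new IllegalArgumentException("Windows-MY has no PrivateKeyEntry named " + alias);
        // SunX509 keeps the keystore alias as the key manager alias, so the pin maps 1:1.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
        kmf.init(ks, null);
        X509KeyManager km = (X509KeyManager) kmf.getKeyManagers()[0];
        return new KeyManager[] { new PinnedWindowsMyKeyManager(km, alias) };
    }
    // Client selection is fixed regardless of the issuers the server advertises (socket and engine paths).
    @Override public String chooseClientAlias(String[] kt, Principal[] iss, Socket s) { return pinnedAlias; }
    @Override public String chooseEngineClientAlias(String[] kt, Principal[] iss, SSLEngine e) { return pinnedAlias; }
    @Override public String[] getClientAliases(String kt, Principal[] iss) { return new String[] { pinnedAlias }; }
    // Server-side choices and key/chain lookups are delegated unchanged.
    @Override public String chooseServerAlias(String kt, Principal[] iss, Socket s) { return delegate.chooseServerAlias(kt, iss, s); }
    @Override public String[] getServerAliases(String kt, Principal[] iss) { return delegate.getServerAliases(kt, iss); }
    @Override public X509Certificate[] getCertificateChain(String a) { return delegate.getCertificateChain(a); }
    @Override public PrivateKey getPrivateKey(String a) { return delegate.getPrivateKey(a); }
    // Inventory: which entries a default key manager would consider for client auth vs. what is merely trusted.
    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("Windows-MY");
        ks.load(null, null);
        for (String a : java.util.Collections.list(ks.aliases())) {
            System.out.println(a + " -> " + (ks.isKeyEntry(a) ? "PrivateKeyEntry" : "TrustedCertificateEntry"));
        }
    }
}
```

Pass the result of forAlias to SSLContext.init as the KeyManager array; the same wrapper would apply unchanged to a separate LOCAL_MACHINE store type of the kind the reply suggests.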


