RFR: JDK-6782021: It is not possible to read local computer certificates with the SunMSCAPI provider
Markus KARG
duke at openjdk.java.net
Fri Apr 15 07:29:50 UTC 2022
On Tue, 12 Apr 2022 19:03:40 GMT, Mat Carter <duke at openjdk.java.net> wrote:
> On Windows you can now access the local machine keystores using the strings "Windows-MY-LOCALMACHINE" and "Windows-ROOT-LOCALMACHINE"; note the application requires admin privileges.
>
> "Windows-MY" and "Windows-ROOT" remain unchanged, however given these original keystore strings mapped to the current user, I added "Windows-MY-CURRENTUSER" and "Windows-ROOT-CURRENTUSER" so that a developer can explicitly specify the current user location. These two new strings simply map to the original two strings, i.e. no duplication of code paths etc
>
> No new tests added, keystore functionality and API remains unchanged, the local machine keystore types would require the tests to run in admin mode
>
> Tested on windows, passes tier1 and tier2 tests
Actually the Windows API is using a reverse naming system, so I would propose the following changes:
* MY and ROOT become marked as deprecated in both, the source code and all documentation, so in future there won't be any confusion anymore what store these actually do access.
* Following the Windows naming system and make the syntax more logical, I propose the new store names are `Windows:LOCALMACHINE/MY` , `Windows:LOCALMACHINE/ROOT`, `Windows:CURRENTUSER/MY` and `Windows:CURRENTUSER/ROOT`. The colon is commonly well-understood as a separator between schemes and names, and the slash is commonly understood as a path separator. So this new syntax makes usage much cleaner.
-------------
PR: https://git.openjdk.java.net/jdk/pull/8211
More information about the security-dev
mailing list