[openjdk/jdk] JDK-6782021: It is not possible to read local computer certificates with the SunMSCAPI provider (PR #8211)
Bernd Eckenfels
ecki at zusammenkunft.net
Thu Apr 28 00:19:06 UTC 2022
Hello,
> Correct, it does enable access to certificates and keys that require next (second) generation,
That’s strange, I am quite sure I tried CNG RSA and EC Keys after OpenJDK claimed to support it. So maybe there is more than one condition to it (or the handle just works transparently regardless of its type?)
Regards
Bernd
--
http://bernd.eckenfels.net
________________________________
From: Mat Carter <notifications at github.com>
Sent: Wednesday, April 27, 2022 11:41:45 PM
To: openjdk/jdk <jdk at noreply.github.com>
Cc: Bernd <ecki at zusammenkunft.net>; Comment <comment at noreply.github.com>
Subject: Re: [openjdk/jdk] JDK-6782021: It is not possible to read local computer certificates with the SunMSCAPI provider (PR #8211)
@macarte commented on this pull request.
________________________________
In src/jdk.crypto.mscapi/windows/native/libsunmscapi/security.cpp<https://github.com/openjdk/jdk/pull/8211#discussion_r860267003>:
> @@ -469,7 +484,7 @@ JNIEXPORT void JNICALL Java_sun_security_mscapi_CKeyStore_loadKeysOrCertificateC
PP("--------------------------");
// Check if private key available - client authentication certificate
// must have private key available.
- HCRYPTPROV hCryptProv = NULL;
+ HCRYPTPROV_OR_NCRYPT_KEY_HANDLE hCryptProv = NULL;
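Review bot: The variable on the `+` line keeps the name hCryptProv although its type is now HCRYPTPROV_OR_NCRYPT_KEY_HANDLE, so it can hold a CNG key handle as well as a CAPI provider handle and the name no longer says what it contains. Consider renaming it (for example hCryptProvOrNCryptKey) and extending the comment above it to note that either handle kind may come back. The release path is not visible in this hunk, so please confirm it distinguishes the two cases: a CNG key handle is freed with NCryptFreeObject, a CAPI provider handle with CryptReleaseContext.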
Correct, it does enable access to certificates and keys that require next (second) generation, that were previously inaccessible. I've just realized the implication of this on existing applications and so I'm going to pause and run some tests, especially around enumeration.