Proposal: Extend Windows KeyStore support to include access to the local machine location

Mat Carter Matthew.Carter at microsoft.com
Thu Mar 31 21:16:47 UTC 2022


Current support for KeyStores on Windows is limited to the current user location [1].

There has been a previous request for local machine support [2], along with discussion on the security-dev mailing list [3]; further discussions have occurred on Stack Overflow in the past [4] and [5].
 
Using JNI you can access local machine locations but then you are duplicating much of the existing native functionality; this also adds the requirement that developers need to know C/C++ and the Windows cryptography API.
 
Given the above I propose that we add native support for local machine KeyStore locations
 
Users can currently access two physical key stores (in the current user location):
 
"Windows-MY": .Default
"Windows-ROOT": .Default.LocalMachine, .SmartCard
  
Adding the local machine location opens up access to a further two physical key stores …
 
"Windows-MY": .Default
"Windows-ROOT": .Default.AuthRoot, .GroupPolicy, .Enterprise, .SmartCard
 
Please let me know if there are any existing efforts to bring this functionality to Java, or references to prior decisions on this subject

Thanks in advance
Mat Carter

[1] https://docs.microsoft.com/en-us/windows/win32/seccrypto/system-store-locations
[2] https://bugs.openjdk.java.net/browse/JDK-6782021
[3] http://mail.openjdk.java.net/pipermail/security-dev/2018-August/017832.html
[4] https://stackoverflow.com/questions/70200603/accessing-windows-local-machine-certificates-from-a-windows-service-written-in-j
[5] https://stackoverflow.com/questions/3612962/access-local-machine-certificate-store-in-java

