RFR: JDK-6782021: It is not possible to read local computer certificates with the SunMSCAPI provider

Mat Carter duke at openjdk.java.net
Tue May 3 14:44:12 UTC 2022


On Wed, 27 Apr 2022 21:41:30 GMT, Mat Carter <duke at openjdk.java.net> wrote:

>> Same question. Does a new type name automagically add support for CNG?
>
> Correct, it does enable access to certificates and keys that require next (second) generation cryptographic providers, that were previously inaccessible.  I've just realized the implication of this on existing applications and so I'm going to pause and run some tests, especially around enumeration

Correction: after looking at wincrypt.h, the documentation [1] and running tests, I can confirm that:
1) this change has no functional impact (i.e. results are unchanged)
2) HCRYPTPROV and HCRYPTPROV_OR_NCRYPT_KEY_HANDLE are both the same type (ULONG_PTR) and so are interchangeable (with the former supporting legacy applications)
3) There is only one function for CryptAcquireCertificatePrivateKey, not two differentiated by this parameter type change
4) support for CNG keys, which was originally thought to be added with this change, has always been true due to the existing use of the flag CRYPT_ACQUIRE_ALLOW_NCRYPT_KEY_FLAG

I think this change should stay as it more correctly matches the prototype and the use of CRYPT_ACQUIRE_ALLOW_NCRYPT_KEY_FLAG 

[1] https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-cryptacquirecertificateprivatekey

-------------

PR: https://git.openjdk.java.net/jdk/pull/8211
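The enumeration test described in the reply above can be reproduced from the Java side. The following is an added example, not code from the PR or from the JDK; it walks every alias in a SunMSCAPI keystore and exercises each private key with a sign/verify round trip, so that a run before and after the provider change can be diffed for regressions (aliases that stop appearing, or keys that stop signing). The store type name is taken from the command line (defaulting to "Windows-MY") because the thread does not quote the new type name, and the SHA-256 signature algorithms and the constructed message are assumptions of this example. Keys backed by a legacy CAPI provider that lacks SHA-256 will show up as a FAILED line, which is itself useful output when comparing runs.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/**
 * Enumerates a SunMSCAPI keystore and runs a sign/verify round trip with
 * every private key it exposes. Added example; not part of the JDK or PR.
 */
public class MscapiEnumerationCheck {

    // Constructed input: the message signed with each key (assumption).
    private static final byte[] DATA =
            "SunMSCAPI enumeration check".getBytes(StandardCharsets.UTF_8);

    /**
     * Returns one report line per alias: the key algorithm and whether a
     * signature produced through SunMSCAPI verifies with the default
     * (pure-Java) provider against the certificate's public key.
     */
    public static List<String> check(String storeType) throws Exception {
        KeyStore ks = KeyStore.getInstance(storeType, "SunMSCAPI");
        ks.load(null, null); // SunMSCAPI ignores the stream and password

        List<String> report = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            String subject = cert == null ? "<no cert>" : cert.getSubjectX500Principal().getName();

            if (!ks.isKeyEntry(alias)) {
                report.add(alias + " [" + subject + "]: certificate only, no private key");
                continue;
            }
            try {
                PrivateKey key = (PrivateKey) ks.getKey(alias, null);
                // Assumption: SHA-256 based algorithms; SunMSCAPI exposes
                // SHA256withRSA and (since JDK 16) SHA256withECDSA.
                String sigAlg = "EC".equals(key.getAlgorithm())
                        ? "SHA256withECDSA" : "SHA256withRSA";

                // Sign through the native provider, which is where the
                // CAPI-vs-CNG handle handling lives.
                Signature signer = Signature.getInstance(sigAlg, "SunMSCAPI");
                signer.initSign(key);
                signer.update(DATA);
                byte[] sig = signer.sign();

                // Verify with the default provider so a wrong or truncated
                // native signature is caught rather than round-tripped.
                Signature verifier = Signature.getInstance(sigAlg);
                verifier.initVerify(cert.getPublicKey());
                verifier.update(DATA);
                boolean ok = verifier.verify(sig);

                report.add(alias + " [" + subject + "]: " + key.getAlgorithm()
                        + " " + sigAlg + " " + (ok ? "OK" : "VERIFY FAILED"));
            } catch (Exception e) {
                // Typical causes: provider lacks SHA-256, key not exportable
                // to the selected algorithm, or a handle-type regression.
                report.add(alias + " [" + subject + "]: FAILED " + e);
            }
        }
        return report;
    }

    public static void main(String[] args) throws Exception {
        String storeType = args.length > 0 ? args[0] : "Windows-MY";
        for (String line : check(storeType)) {
            System.out.println(line);
        }
    }
}
```

Run it once with the current JDK and once with a build containing the change, passing the same store type, and diff the two outputs; identical lists of aliases and identical OK/FAILED outcomes are the concrete form of "results are unchanged" claimed in the reply.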



More information about the security-dev mailing list