Read only KeyStores?
Mat Carter
Matthew.Carter at microsoft.com
Thu Jun 1 00:59:37 UTC 2023
Currently on Windows to access the local machine KeyStores (Windows-MY-LOCALMACHINE and Windows-ROOT-LOCALMACHINE) you need administrator privileges.
To reduce the need to grant admin privileges to Java applications, I'm proposing that we allow the application to access readonly versions of the KeyStores.
I'm considering this feature mainly for Windows but am open to general support.
However, when looking at how to do this I see two obvious options, but am asking for other options that may fit the API better
1. Simply duplicate the service strings and append "-READONLY".
2. Get the Provider.Service instance and construct a new KeyStore with a parameter to indicate readonly access.
Personally, I'm not fond of (1) as its parameterizing the KeyStore string [I already did this with "-LOCALMACHINE"].
However, (2) won't work as the KeyStore constructor (KeyStoreSpi, Provider, String type) is protected
Is it possible to change the protection on the constructor, or provide a new constructor? (given that the String type is redundant as it should always be "KeyStore")
Any thoughts/concerns about this ?
Cheers
Mat
Sent from Outlook<http://aka.ms/weboutlook>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.openjdk.org/pipermail/security-dev/attachments/20230601/a0a132df/attachment.htm>
More information about the security-dev
mailing list