RFR: 8313367: SunMSCAPI cannot read Local Computer certs w/o Windows elevation

Weijun Wang weijun at openjdk.org
Wed Apr 3 20:33:12 UTC 2024


On Fri, 22 Mar 2024 18:43:11 GMT, MustavData <duke at openjdk.org> wrote:

>> I also noticed a different problem. No matter if privileged or unprivileged, `keytool -genkeypair -storetype Windows-My-LOCALMACHINE` works successfully but the entries are actually created in Windows-MY-CURRENTUSER. This is unrelated to this code change and I filed https://bugs.openjdk.org/browse/JDK-8328184.
>
> @wangweij - Regarding your test environment issues:
> 
> Your Windows 2016 system needs its UAC enabled.   Here is an MS Community remedy for that:
> [cmd.exe always runs as Administrator, how do I make it stop?](https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&cad=rja&uact=8&ved=2ahUKEwiT4bLQrIiFAxW0M1kFHQTrCVMQrAIoAHoECDkQAQ&url=https%3A%2F%2Fanswers.microsoft.com%2Fen-us%2Fwindows%2Fforum%2Fall%2Fcmdexe-always-runs-as-administrator-how-do-i-make%2F63ac20c1-f1a3-4876-8199-cc02c6a5725d&usg=AOvVaw0nipY6czBotcTThwVvaWjv&opi=89978449)
> 
> With UAC enabled, you can switch between your user and administrator roles as a developer would.  In a secured production environment, by contrast, that is not allowed.    Instead, roles are performed by separate users who are assigned the minimum accesses required due to their respective roles.   The primary end user is a build engineer or automated process (_This is like the "java app" described in the Jan 17 reply by @rebarbora-mckvak ._) responsible for writing a code signature to a local file.  And, since that user would never create or install the local code signing certificate, read-only access is assigned.
> 
> -------
> The unexpected signtool error for Step 2 is likely caused by using signtool's "/i" option to locate the certificate in the Windows keystore.   For repeatability across configurations, you should instead use the "/sha1" option which takes the code signing certificate's thumbprint value as an argument.   To retrieve the thumbprint:
> 
> 1. Run the elevated MMC as before and navigate to "Local Computer / Personal / Certificates".
> 2. Double click the certificate, and click the Details tab.
> 3. Scroll to the bottom and click the Thumbprint field.
> 4. Copy the Thumbprint string that appears in the client area (a long hex string).
> 5. Paste it to your command line or script.

Sorry for the delay. I'm now able to let my cmd.exe work in unprivileged mode. Thanks @MustavData for the guidance. Also, thanks @rebarbora-mckvak for the new commit. This makes sense now. I'll try your code change in my new testing environment.

-------------

PR Comment: https://git.openjdk.org/jdk/pull/16687#issuecomment-2035524159
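As an added example (not code from the PR or from the JDK itself), the following Java program assumes JDK 19 or later, where the Windows-MY-LOCALMACHINE and Windows-MY-CURRENTUSER store types exist. Run from an unprivileged cmd.exe it shows whether the Local Computer store is readable without elevation, shows which store an alias actually landed in (the JDK-8328184 symptom quoted above), and prints each certificate's SHA-1 thumbprint in the form signtool's /sha1 option takes.

```java
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.HexFormat;

/**
 * Added example, not part of the PR under review. Opens the Windows
 * "Local Computer / Personal" and "Current User / Personal" stores through
 * SunMSCAPI and prints each certificate's SHA-1 thumbprint (the value shown in
 * the MMC Details tab and accepted by signtool /sha1). Windows and JDK 19+ only.
 */
public class LocalMachineThumbprints {

    // The MMC thumbprint is SHA-1 over the certificate's DER encoding.
    static String thumbprint(Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-1").digest(cert.getEncoded());
        return HexFormat.of().formatHex(digest);
    }

    public static void main(String[] args) throws Exception {
        // Same store type names keytool accepts with -storetype.
        String[] stores = {"Windows-MY-LOCALMACHINE", "Windows-MY-CURRENTUSER"};
        for (String type : stores) {
            KeyStore ks = KeyStore.getInstance(type);
            try {
                // A null stream and password load the native store; the program
                // itself never requests elevation, so a read-only user is enough
                // once SunMSCAPI no longer requires it for the LOCALMACHINE store.
                ks.load(null, null);
            } catch (Exception e) {
                System.out.println(type + ": load failed: " + e);
                continue;
            }
            System.out.println(type + " (" + ks.size() + " entries)");
            for (String alias : Collections.list(ks.aliases())) {
                Certificate c = ks.getCertificate(alias);
                if (c instanceof X509Certificate x) {
                    // key=true means a private key is attached (signing is possible).
                    System.out.printf("  %-30s %s  key=%b%n", alias,
                            thumbprint(x), ks.isKeyEntry(alias));
                }
            }
        }
    }
}
```

If an alias created with `keytool -genkeypair -storetype Windows-My-LOCALMACHINE` appears under the CURRENTUSER listing rather than LOCALMACHINE, that is the behaviour filed as JDK-8328184.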
