RFR: 8313367: SunMSCAPI cannot read Local Computer certs w/o Windows elevation [v4]
Weijun Wang
weijun at openjdk.org
Wed Apr 3 21:57:12 UTC 2024
On Fri, 22 Mar 2024 22:25:47 GMT, rebarbora-mckvak <duke at openjdk.org> wrote:
>> This fixes the defect described at https://bugs.openjdk.org/browse/JDK-8313367
>>
>> If the process does not have write permissions, the store is opened as read-only (instead of failing).
>>
>> Please note that permissions to use a certificate in a local machine store must be granted - in a management console, select a certificate, right-click -> All tasks... -> Manage Private Keys... -> add Full control to user.
>
> rebarbora-mckvak has updated the pull request incrementally with one additional commit since the last revision:
>
> 8313367: signHash looks for a key in either user or machine store
When UAC is enabled and there is no privilege, I can see that some private key entries (Ex: the one for iis) become trusted certificate entries, which means their private key is not observable. Have you noticed something similar? Are you OK with them shown as trusted certificate entries?
-------------
PR Comment: https://git.openjdk.org/jdk/pull/16687#issuecomment-2035666757
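
A way to check which entries of the machine store show up as key entries and which as trusted certificate entries, for comparing an elevated and a non-elevated run. This is an added example, not part of the original message or of the pull request; the class name `ListMachineStore` is hypothetical, and it assumes JDK 19 or later on Windows, where SunMSCAPI registers the `Windows-MY-LOCALMACHINE` store type.

```java
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Added example (hypothetical class name): classify every alias in a
// SunMSCAPI store as a key entry or a trusted certificate entry.
public class ListMachineStore {
    public static void main(String[] args) throws Exception {
        // Store type can be overridden, e.g. Windows-MY-CURRENTUSER.
        String type = args.length > 0 ? args[0] : "Windows-MY-LOCALMACHINE";
        KeyStore ks = KeyStore.getInstance(type, "SunMSCAPI");
        try {
            ks.load(null, null); // MSCAPI stores take no stream or password
        } catch (Exception e) {
            // Report a failed open instead of a stack trace, so the two
            // runs can be compared line by line.
            System.out.println(type + ": load failed: " + e);
            return;
        }

        int keyEntries = 0;
        int certEntries = 0;
        for (String alias : Collections.list(ks.aliases())) {
            boolean isKey = ks.isKeyEntry(alias);
            if (isKey) {
                keyEntries++;
            } else if (ks.isCertificateEntry(alias)) {
                certEntries++;
            }
            Certificate cert = ks.getCertificate(alias);
            String subject = cert instanceof X509Certificate x
                    ? x.getSubjectX500Principal().getName()
                    : "(no X.509 certificate)";
            System.out.printf("%-12s %s [%s]%n",
                    isKey ? "key" : "trusted-cert", alias, subject);
        }
        System.out.printf("%s: %d key entries, %d trusted certificate entries%n",
                type, keyEntries, certEntries);
    }
}
```

An alias printed as `key` in one run and `trusted-cert` in the other is an entry whose private key was not observable to the process in the second run.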