RFR: 8313367: SunMSCAPI cannot read Local Computer certs w/o Windows elevation [v4]

Weijun Wang weijun at openjdk.org
Tue Apr 9 13:50:16 UTC 2024


On Fri, 22 Mar 2024 22:25:47 GMT, rebarbora-mckvak <duke at openjdk.org> wrote:

>> This fixes the defect described at https://bugs.openjdk.org/browse/JDK-8313367
>> 
>> If the process does not have write permissions, the store is opened as read-only (instead of failing).
>> 
>> Please note that permissions to use a certificate in a local machine store must be granted - in a management console, select a certificate, right-click -> All tasks... -> Manage Private Keys... -> add Full control to user.
>
> rebarbora-mckvak has updated the pull request incrementally with one additional commit since the last revision:
> 
>   8313367: signHash looks for a key in either user or machine store

Yes, it's a self-signed one.

No, it's not added to any other keystore. When I said "TrustedCertificateEntry", it's only because in a Java KeyStore an entry with only a certificate is called a TrustedCertificateEntry.

So my concern is that inside Windows-MY-LOCALMACHINE, this entry actually contains a private key. But because the user privilege is missing, the private key is not available and it shows as a certificate entry.

-------------

PR Comment: https://git.openjdk.org/jdk/pull/16687#issuecomment-2045221778


