RFR: 8313367: SunMSCAPI cannot read Local Computer certs w/o Windows elevation [v4]
MustavData
duke at openjdk.org
Fri Apr 19 18:54:04 UTC 2024
On Thu, 11 Apr 2024 13:04:06 GMT, Weijun Wang <weijun at openjdk.org> wrote:
>>> But because of user privilege missing, the private key is not available and it shows as a certificate entry.
>>
>> You can have applications that need a certificate (public key) only e.g. to verify signatures. This way you can use the same entry by both types of applications.
>
> @rebarbora-mckvak Can you please update [this test](https://github.com/openjdk/jdk/blob/master/test/jdk/sun/security/mscapi/AllTypes.java)? There is no need for the `hasAdminPrivileges` flag now.
@wangweij , your [comment on JDK-8313367](https://bugs.openjdk.org/browse/JDK-8313367?focusedId=14664542&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-14664542) indicates you are unable to request a Windows system including a secured user. If all your Windows systems are configured with a single user requiring Administrators group membership, here are some options to get you unblocked:
1. Request a new domain user account for a role, versus a person. Sometimes this is referred to as a service account. Then grant that user "Standard User" (_Not Administrator_) access to the Windows test system via the Control Panel's "Give other users access to this computer" (a.k.a. the "Advanced User Account Control Panel") dialog. You can also modify the service user's group memberships via that dialog's Advanced tab (_do not add an Administrator's group membership_). Once configured, log in as, or [switch accounts to](https://support.microsoft.com/en-us/windows/how-to-switch-users-accounts-in-windows-660d4dcd-fa8d-7467-10b3-fee0e70e11d4), this service user to perform secure environment testing.
2. Spawn the test's process as the single user w/o Administrators group privilege via the [RunAs.exe command included on all Windows systems](https://en.wikipedia.org/wiki/Runas).
3. Spawn the test's process as the single user w/o Administrators group privilege using the [PsExec.exe command included with downloadable SysInternals commands](https://learn.microsoft.com/en-us/sysinternals/downloads/psexec).
For option 2 on Windows 10 or Windows Server:
`runas /trustlevel:0x20000 "<command line>"`
For option 2 on Windows 11:
`runas /machine:amd64 /trustlevel:0x20000 "<command line>"`
For option 3 on any Windows OS:
`PsExec -l <command line>`
Tips:
- Try option 2 or 3 with `cmd` or `powershell` as the command line. The resulting window title will explain the granted access privilege.
- Option 2 on Windows 11 requires the `/machine` option. "amd64" indicates Intel or AMD processors. Type `runas /?` for additional processor types.
- If you need to embed quotes, use a backslash to escape them like `"cmd \"<path to bat script>\" \"script argument\""`.
- You can prove these techniques work by using them to execute the commands in Step 10 of the steps to reproduce. The jarsigner command should fail with "Access Denied".
-------------
PR Comment: https://git.openjdk.org/jdk/pull/16687#issuecomment-2067118196
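A small check to run inside the restricted process created by option 2 or 3, to see how each Local Computer entry is classified. This is an added example, not code from the post or from the JDK's test suite. The class name is hypothetical, and the keystore type `Windows-MY-LOCALMACHINE` (provided by SunMSCAPI in recent JDKs) is an assumption, since the thread does not name the store being tested.

```java
import java.security.KeyStore;
import java.util.Collections;

// Hypothetical helper: lists the entries of the Local Computer "MY" store
// and reports whether each one is visible as a key entry or only as a
// certificate entry in the current (elevated or restricted) process.
public class ListLocalMachineEntries {

    // Classify one alias using only the standard KeyStore API.
    static String classify(KeyStore ks, String alias) throws Exception {
        if (ks.isKeyEntry(alias)) {
            return "key entry (private key accessible)";
        }
        if (ks.isCertificateEntry(alias)) {
            return "certificate entry (public part only)";
        }
        return "unknown";
    }

    public static void main(String[] args) {
        try {
            // Assumption: store type name as registered by the SunMSCAPI provider.
            KeyStore ks = KeyStore.getInstance("Windows-MY-LOCALMACHINE", "SunMSCAPI");
            ks.load(null, null); // Windows stores take no stream or password

            int count = 0;
            for (String alias : Collections.list(ks.aliases())) {
                System.out.printf("%-40s %s%n", alias, classify(ks, alias));
                count++;
            }
            System.out.println(count + " entries visible to this process");
        } catch (Exception e) {
            // A failure here is itself the result worth recording: it shows
            // the store could not be opened at this privilege level.
            System.out.println("Could not read store: " + e);
            System.exit(1);
        }
    }
}
```

Run it once from an elevated prompt and once through `runas /trustlevel:0x20000` or `PsExec -l`, then compare the two listings.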