RFR: 8313367: SunMSCAPI cannot read Local Computer certs w/o Windows elevation
rebarbora-mckvak
duke at openjdk.org
Wed Jan 17 15:37:51 UTC 2024
On Tue, 19 Dec 2023 11:52:01 GMT, rebarbora-mckvak <duke at openjdk.org> wrote:
>> This fixes the defect described at https://bugs.openjdk.org/browse/JDK-8313367
>>
>> If the process does not have write permissions, the store is opened as read-only (instead of failing).
>>
>> Please note that permissions to use a certificate in a local machine store must be granted - in a management console, select a certificate, right-click -> All tasks... -> Manage Private Keys... -> add Full control to user.
>
> This is a very trivial change fixing rather annoying bug. Can someone review it and let it merge?
> @rebarbora-mckvak - what testing was done with an elevated user opening a keystore with (CERT_STORE_MAXIMUM_ALLOWED_FLAG) and then attempting write-operations on the keystore?
I have not tested any write operations yet. My use case has always been: administrators put private keys in the store and give a service (my java app) permissions to use it e.g. to sign data.
> Also, when a keystore is read-only. What happens when one tries to write into it? Ideally a `KeyStoreException` should be thrown with a clear and precise message.
I guess you get the same "Access denied" error now as before.
-------------
PR Comment: https://git.openjdk.org/jdk/pull/16687#issuecomment-1896062532
More information about the security-dev
mailing list