RFR: 8313367: SunMSCAPI cannot read Local Computer certs w/o Windows elevation
Mat Carter
macarte at openjdk.org
Wed Mar 13 17:02:16 UTC 2024
On Thu, 16 Nov 2023 12:06:26 GMT, rebarbora-mckvak <duke at openjdk.org> wrote:
> This fixes the defect described at https://bugs.openjdk.org/browse/JDK-8313367
>
> If the process does not have write permissions, the store is opened as read-only (instead of failing).
>
> Please note that permissions to use a certificate in a local machine store must be granted - in a management console, select a certificate, right-click -> All tasks... -> Manage Private Keys... -> add Full control to user.
I welcome your contribution and feel that it will be a worthwhile improvement; and I'm happy to give feedback (and have done already), but as an author I'm not able to sponsor this change.
The original enhancement has gone through a review process and has not had any security related bugs raised against it. The scenario this change targets is a valid one, but is not a security vulnerability as the original enhancement does not circumvent security. The choice to deploy to a less-secure environment to use the feature is a user choice.
While the change in this PR is trivial, it is still classed as an enhancement as it's not addressing a bug; ie. the original change functions as expected. That you have identified a scenario and supplied a patch is much appreciated; however the change will need to go through review as it changes functionality; again we'll need to consider informing the user as the change could lead to unexpected deployment issues (it may also require documentation changes [CSR]).
-------------
PR Comment: https://git.openjdk.org/jdk/pull/16687#issuecomment-1994991109
More information about the security-dev
mailing list