RFR: 8313367: SunMSCAPI cannot read Local Computer certs w/o Windows elevation [v5]
rebarbora-mckvak
duke at openjdk.org
Mon Sep 16 21:08:29 UTC 2024
On Wed, 10 Apr 2024 21:10:16 GMT, rebarbora-mckvak <duke at openjdk.org> wrote:
>> This fixes the defect described at https://bugs.openjdk.org/browse/JDK-8313367
>>
>> If the process does not have write permissions, the store is opened as read-only (instead of failing).
>>
>> Please note that permissions to use a certificate in a local machine store must be granted - in a management console, select a certificate, right-click -> All tasks... -> Manage Private Keys... -> add Full control to user.
>
> rebarbora-mckvak has updated the pull request incrementally with one additional commit since the last revision:
>
> 8313367: copyright updated
Release note:
Summary: SunMSCAPI Provider Opens the Windows Local Computer Key Store in Read-Only Mode in Non-Elevated Processes
Description:
The Local Computer key store is accessed using the CERT_STORE_MAXIMUM_ALLOWED_FLAG. Since this store is typically managed by administrators for security reasons, processes are only given read-only access to specific private keys. By opening the store in read-only mode, non-elevated processes can now securely use these keys without requiring elevated permissions.
-------------
PR Comment: https://git.openjdk.org/jdk/pull/16687#issuecomment-2354033793
More information about the security-dev
mailing list