<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    Vinnie is not working on security-libs any more and I think the JBS
    report should be marked as unassigned.  If any contributors want to
    suggest a patch, then I think it can be reviewed on this list!<br>
    <br>
    regards,<br>
    Sean.<br>
    <br>
    <div class="moz-cite-prefix">On 07/08/2018 06:36, Oddbjørn Kvalsund
      wrote:<br>
    </div>
    <blockquote type="cite"
cite="mid:CAOhm4woeASChRxceD-dS3sSM83U=-V7-m4UryYNJObyWn44Biw@mail.gmail.com">
      <div dir="ltr"><span style="color:rgb(33,33,33);font-size:13px">Hi,</span>
        <div style="color:rgb(33,33,33);font-size:13px"><br>
        </div>
        <div style="color:rgb(33,33,33);font-size:13px">I was just bitten
          by this issue <a
            href="https://bugs.openjdk.java.net/browse/JDK-6782021"
            target="_blank" moz-do-not-send="true">[JDK-6782021] It is
            not possible to read local computer certificates with the
            SunMSCAPI provider</a> and from StackOverflow I notice that
          several other people (see [1][2][3]) have come across the same
          problem. Coming up on the 10th anniversary for this issue; any
          chance we'll see some love for it? Or at least a comment on
          the issue on what timeline to expect and a list of
          workaround/alternative solutions for the meantime?</div>
        <div style="color:rgb(33,33,33);font-size:13px"><br>
        </div>
        <div style="color:rgb(33,33,33);font-size:13px">Background: I'm
          working with a company having primarily Microsoft
          infrastructure and they have a routine where all Windows
          servers automatically receive new certificates/keys when the
          old ones expire. These certificates are installed in the
          "Local Computer → Private" certificate store. They're quite
          fond of this system and hesitant to diverge from it, so my
          preferred option is to just "get with the program". To
          temporarily get around JDK-6782021 I created a small utility
          [5] that intercepts the JDK's call to 'CertOpenSystemStore' [4]
          and presents a read-only virtual certificate store combining
          all certificates and keys from the "Current User" and "Local
          Computer" certificate stores, but this may have unexpected
          implications that I've not yet uncovered, so I'd much prefer
          not having to do this. A more thorough solution would be to
          use the commercial Pheox JCAPI [6] product, but this is rather
          expensive and way overkill for what I (and most others, it
          seems) need.</div>
        <div style="color:rgb(33,33,33);font-size:13px"><br>
        </div>
        <div style="color:rgb(33,33,33);font-size:13px">References:</div>
        <div style="color:rgb(33,33,33);font-size:13px">[1] <a
href="https://stackoverflow.com/questions/3612962/access-local-machine-certificate-store-in-java/51708360"
            target="_blank" moz-do-not-send="true">https://stackoverflow.com/questions/3612962/access-local-machine-certificate-store-in-java/51708360</a><br>
        </div>
        <div style="color:rgb(33,33,33);font-size:13px">[2] <a
href="https://stackoverflow.com/questions/51205158/access-windows-local-machine-personal-keystore-with-java-sunmscapi"
            target="_blank" moz-do-not-send="true">https://stackoverflow.com/questions/51205158/access-windows-local-machine-personal-keystore-with-java-sunmscapi</a></div>
        <div style="color:rgb(33,33,33);font-size:13px">[3] <a
href="https://stackoverflow.com/questions/51193143/use-jna-to-get-local-machine-certificate"
            target="_blank" moz-do-not-send="true">https://stackoverflow.com/questions/51193143/use-jna-to-get-local-machine-certificate</a></div>
        <div style="color:rgb(33,33,33);font-size:13px">[4] <a
href="http://hg.openjdk.java.net/jdk/jdk/file/tip/src/jdk.crypto.mscapi/windows/native/libsunmscapi/security.cpp"
            target="_blank" moz-do-not-send="true">http://hg.openjdk.java.net/jdk/jdk/file/tip/src/jdk.crypto.mscapi/windows/native/libsunmscapi/security.cpp</a></div>
        <div style="color:rgb(33,33,33);font-size:13px">[5] <a
            href="https://github.com/oddbjornkvalsund/wcsa"
            target="_blank" moz-do-not-send="true">https://github.com/oddbjornkvalsund/wcsa</a></div>
        <div style="color:rgb(33,33,33);font-size:13px">[6] <a
            href="https://pheox.com/products/jcapi/" target="_blank"
            moz-do-not-send="true">https://pheox.com/products/jcapi/</a></div>
        <div style="color:rgb(33,33,33);font-size:13px"><br>
        </div>
        <div style="color:rgb(33,33,33);font-size:13px">Best regards,</div>
        <div style="color:rgb(33,33,33);font-size:13px">Oddbjørn
          Kvalsund</div>
      </div>
    </blockquote>
    <br>
  </body>
</html>