<div dir="ltr">Hi,<div><br></div><div>I had another look at this (using certificates and private keys from the LOCAL_MACHINE certificate store) yesterday and made another small discovery: in addition to passing the <span style="color:rgb(33,33,33)">CERT_STORE_READONLY_FLAG to </span><span style="color:rgb(33,33,33)">CertOpenStore(), it's also important to pass CRYPT_MACHINE_KEYSET in the 'dwFlags' parameter to CryptAcquireContext()[1] if the referenced key is provided by the LOCAL_MACHINE certificate store, or else you'll get an NTE_BAD_KEYSET ("Keyset does not exist") error. I've updated my wcsa[2] utility to account for this.</span></div><div><span style="color:rgb(33,33,33)"><br></span></div><div><span style="color:rgb(33,33,33)">FYI: If anyone wants to take a stab at modifying the underlying libsunmscapi provided by OpenJDK to enable access to certificates and keys in the LOCAL_MACHINE certificate store, you might find my sunmscapi-build-helper[3] useful, as it enables building the sunmscapi.dll (with debug symbols) in isolation without having to build the entire OpenJDK.</span></div><div><span style="color:rgb(33,33,33)"><br></span></div><div><span style="color:rgb(33,33,33)">References:</span></div><div><span style="color:rgb(33,33,33)">[1] </span><font color="#212121"><a href="https://docs.microsoft.com/en-us/windows/desktop/api/wincrypt/nf-wincrypt-cryptacquirecontexta">https://docs.microsoft.com/en-us/windows/desktop/api/wincrypt/nf-wincrypt-cryptacquirecontexta</a></font></div><div><font color="#212121">[2] <a href="https://github.com/oddbjornkvalsund/wcsa">https://github.com/oddbjornkvalsund/wcsa</a></font></div><div><font color="#212121">[3] <a href="https://github.com/oddbjornkvalsund/sunmscapi-build-helper">https://github.com/oddbjornkvalsund/sunmscapi-build-helper</a></font></div><div><font color="#212121"><br></font></div><div><font color="#212121">Best regards,</font></div><div><font color="#212121">Oddbjørn Kvalsund</font></div></div><br><div 
class="gmail_quote"><div dir="ltr">On Wed, 8 Aug 2018 at 23:19, Oddbjørn Kvalsund <<a href="mailto:oddbjornkvalsund@gmail.com">oddbjornkvalsund@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Thanks for the input, Bernd and Sean! I'm afraid submitting a patch for this directly is a bit beyond my ability, but I'll happily discuss the design of such a patch.<div><br></div><div>Nelson D'Costa proposed a couple of possible solutions in JDK-6782021:<div><div><br></div><div><span style="color:rgb(51,51,51);font-family:Arial,sans-serif;font-size:14px">> Either define a new store type like Windows-LOCALCOMPUTER,</span><br style="color:rgb(51,51,51);font-family:Arial,sans-serif;font-size:14px"><span style="color:rgb(51,51,51);font-family:Arial,sans-serif;font-size:14px">> or also list the computer local certificates when using the Windows-MY store type.</span><br><div><br></div>My rudimentary understanding of the Windows certificate store architecture after reading [1] is that Windows comes with a predefined set of "collection stores" that can be opened with the WinCrypt function CertOpenStore() using identifier tuples such as CERT_SYSTEM_STORE_CURRENT_USER+MY, CERT_SYSTEM_STORE_LOCAL_MACHINE+CA etc., and that these collection stores aggregate a set of "physical stores", typically in the Windows registry. 
This model is thoroughly documented in [1] (although complex), but mapping this identifier scheme to something that can be used by JCA and KeyStore.getInstance(<identifier>) is slightly tricky because of at least two concerns:</div><div><br></div><div>1) The SunMSCAPI JCA provider is widely used and although its "Windows-MY" certificate store identifier scheme is flawed (it should have been something like "Windows-CurrentUser-MY") we can't easily change it without breaking things.</div><div>2) Opening any certificate stores involving the CERT_SYSTEM_STORE_LOCAL_MACHINE identifier (and most likely other identifiers) requires administrator privileges or specifically opening the store as read-only by passing CERT_STORE_READONLY_FLAG to CertOpenStore [2].</div><div><br></div><div>To offer the full flexibility of CertOpenStore() through KeyStore.getInstance() seems like a grand undertaking involving an almost infinite number of magic string identifiers, so my suggestion is as follows:</div><div><br></div><div>1) Introduce the new identifiers Windows-CurrentUser-MY, Windows-CurrentUser-ROOT, Windows-LocalMachine-MY and Windows-LocalMachine-ROOT. These seem to be the most requested, but the identifier scheme allows for more esoteric additions such as Windows-Services-<ServiceName>-MY down the line.</div><div>2) Make Windows-MY and Windows-ROOT be aliases for Windows-CurrentUser-MY and Windows-CurrentUser-ROOT to maintain backward compatibility.</div><div>3) Attempt to open Windows-LocalMachine-MY and Windows-LocalMachine-ROOT in the default read-write mode, but fall back to read-only if read-write mode fails. 
This will transparently enable write operations for privileged users, while unprivileged users will get an exception when attempting to write to the store.</div><div><br></div><div><div>References:</div><div>[1] <a href="https://docs.microsoft.com/en-us/windows/desktop/seccrypto/system-store-locations" target="_blank">https://docs.microsoft.com/en-us/windows/desktop/seccrypto/system-store-locations</a></div><div>[2] <a href="https://docs.microsoft.com/en-us/windows/desktop/api/wincrypt/nf-wincrypt-certopenstore" target="_blank">https://docs.microsoft.com/en-us/windows/desktop/api/wincrypt/nf-wincrypt-certopenstore</a></div><div><br></div><div>Best regards,</div><div>Oddbjørn Kvalsund</div></div></div></div></div><div dir="ltr"><br><div class="gmail_quote"><div dir="ltr">On Wed, 8 Aug 2018 at 14:04, Bernd Eckenfels <<a href="mailto:ecki@zusammenkunft.net" target="_blank">ecki@zusammenkunft.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>
<div>
<div>
<div>
<div style="direction:ltr">Hello,</div>
<div><br>
</div>
<div style="direction:ltr">What also should be mentioned is that the old CAPI clients cannot access CNG keys. Which is especially a pity since only the new keys benefit from the cryptographic process isolation (not to mention the confusion that it’s hard
to see which provider hosts them)</div>
<div><br>
</div>
<div style="direction:ltr">Regards</div>
<div style="direction:ltr">Bernd</div>
</div>
<div><br>
</div>
<div class="m_-2960464672047252325m_7188480104390137117m_327476034975819420ms-outlook-ios-signature">
<div style="direction:ltr">Regards</div>
<div style="direction:ltr">Bernd</div>
<div style="direction:ltr">-- </div>
<div style="direction:ltr"><a href="http://bernd.eckenfels.net" target="_blank">http://bernd.eckenfels.net</a></div>
</div>
</div>
<div> </div>
<hr style="display:inline-block;width:98%">
<div id="m_-2960464672047252325m_7188480104390137117m_327476034975819420divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> on behalf of
<br>
<b>Sent:</b> Wednesday, August 8, 2018 12:35 PM<br>
<b>To:</b> Oddbjørn Kvalsund; <a href="mailto:security-dev@openjdk.java.net" target="_blank">security-dev@openjdk.java.net</a><br>
<b>Subject:</b> Re: JDK-6782021
<div> </div>
</font></div></div></div><div><div>
Vinnie is not working on security-libs any more and I think the JBS report should be marked as unassigned. If any contributors want to suggest a patch, then I think it can be reviewed on this list!<br>
<br>
regards,<br>
Sean.<br>
<br>
<div class="m_-2960464672047252325m_7188480104390137117m_327476034975819420moz-cite-prefix">On 07/08/2018 06:36, Oddbjørn Kvalsund wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr"><span style="color:rgb(33,33,33);font-size:13px">Hi,</span>
<div style="color:rgb(33,33,33);font-size:13px"><br>
</div>
<div style="color:rgb(33,33,33);font-size:13px">I was just bitten by this issue <a href="https://bugs.openjdk.java.net/browse/JDK-6782021" target="_blank">[JDK-6782021] It is not possible to read local computer certificates with the SunMSCAPI provider</a> and
from StackOverflow I notice that several other people (see [1][2][3]) have come across the same problem. Coming up on the 10th anniversary for this issue; any chance we'll see some love for it? Or at least a comment on the issue on what timeline to expect
and a list of workaround/alternative solutions for the meantime?</div>
<div style="color:rgb(33,33,33);font-size:13px"><br>
</div>
<div style="color:rgb(33,33,33);font-size:13px">Background: I'm working with a company with primarily Microsoft infrastructure, and they have a routine where all Windows servers automatically receive new certificates/keys when the old ones expire. These certificates
are installed in the "Local Computer → Private" certificate store. They're quite fond of this system and hesitant to diverge from it, so my preferred option is to just "get with the program". To temporarily get around JDK-6782021 I created a small utility
[5] that intercepts the JDK's call to 'CertOpenSystemStore' [4] and presents a read-only virtual certificate store combining all certificates and keys from the "Current User" and "Local Computer" certificate stores, but this may have unexpected implications
that I've not yet uncovered, so I'd much prefer not having to do this. A more thorough solution would be to use the commercial Pheox JCAPI [6] product, but this is rather expensive and way overkill for what I (and most others, it seems) need.</div>
<div style="color:rgb(33,33,33);font-size:13px"><br>
</div>
<div style="color:rgb(33,33,33);font-size:13px">References:</div>
<div style="color:rgb(33,33,33);font-size:13px">[1] <a href="https://stackoverflow.com/questions/3612962/access-local-machine-certificate-store-in-java/51708360" target="_blank">https://stackoverflow.com/questions/3612962/access-local-machine-certificate-store-in-java/51708360</a><br>
</div>
<div style="color:rgb(33,33,33);font-size:13px">[2] <a href="https://stackoverflow.com/questions/51205158/access-windows-local-machine-personal-keystore-with-java-sunmscapi" target="_blank">https://stackoverflow.com/questions/51205158/access-windows-local-machine-personal-keystore-with-java-sunmscapi</a></div>
<div style="color:rgb(33,33,33);font-size:13px">[3] <a href="https://stackoverflow.com/questions/51193143/use-jna-to-get-local-machine-certificate" target="_blank">https://stackoverflow.com/questions/51193143/use-jna-to-get-local-machine-certificate</a></div>
<div style="color:rgb(33,33,33);font-size:13px">[4] <a href="http://hg.openjdk.java.net/jdk/jdk/file/tip/src/jdk.crypto.mscapi/windows/native/libsunmscapi/security.cpp" target="_blank">http://hg.openjdk.java.net/jdk/jdk/file/tip/src/jdk.crypto.mscapi/windows/native/libsunmscapi/security.cpp</a></div>
<div style="color:rgb(33,33,33);font-size:13px">[5] <a href="https://github.com/oddbjornkvalsund/wcsa" target="_blank">https://github.com/oddbjornkvalsund/wcsa</a></div>
<div style="color:rgb(33,33,33);font-size:13px">[6] <a href="https://pheox.com/products/jcapi/" target="_blank">https://pheox.com/products/jcapi/</a></div>
<div style="color:rgb(33,33,33);font-size:13px"><br>
</div>
<div style="color:rgb(33,33,33);font-size:13px">Best regards,</div>
<div style="color:rgb(33,33,33);font-size:13px">Oddbjørn Kvalsund</div>
</div>
</blockquote>
<br>
</div></div></blockquote></div></div></blockquote></div>
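As an added example (not code from the thread, from wcsa or from OpenJDK), the following PowerShell check ties together the two points raised above: it opens LocalMachine\My read-only (OpenFlags.ReadOnly corresponds to passing CERT_STORE_READONLY_FLAG to CertOpenStore, so it works without administrator rights) and, for each certificate, reports whether its private key is a CAPI key in the machine keyset (the case that needs CRYPT_MACHINE_KEYSET in CryptAcquireContext, per Oddbjørn's latest message) or a CNG key that, as Bernd notes, a legacy CAPI client cannot open. It assumes Windows PowerShell 5.1 on Windows, where GetRSAPrivateKey returns RSACryptoServiceProvider for CAPI keys and RSACng for CNG keys; all types used are standard .NET Framework APIs.

```powershell
# Added example, not from the thread or from OpenJDK: list LocalMachine\My read-only
# and report where each certificate's private key lives (Windows PowerShell 5.1 assumed).
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store(
    [System.Security.Cryptography.X509Certificates.StoreName]::My,
    [System.Security.Cryptography.X509Certificates.StoreLocation]::LocalMachine)

# OpenFlags.ReadOnly corresponds to CERT_STORE_READONLY_FLAG on CertOpenStore:
# it succeeds for an unprivileged user, where a read-write open of the
# LocalMachine store would fail.
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)

$report = foreach ($cert in $store.Certificates) {
    $row = [ordered]@{ Subject = $cert.Subject; Thumbprint = $cert.Thumbprint }
    if (-not $cert.HasPrivateKey) {
        $row.KeyLocation = 'no private key'
        [pscustomobject]$row
        continue
    }
    try {
        # Resolves the key through CAPI or CNG, whichever provider holds it.
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        if ($null -eq $rsa) {
            $row.KeyLocation = 'non-RSA key'
        } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            $info = $rsa.CspKeyContainerInfo
            # MachineKeyStore = True is exactly the case that needs CRYPT_MACHINE_KEYSET
            # in the dwFlags of CryptAcquireContext; without it you get NTE_BAD_KEYSET.
            $row.KeyLocation = "CAPI provider '$($info.ProviderName)', machine keyset: $($info.MachineKeyStore)"
        } elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
            # A CNG key: a CryptAcquireContext-based client cannot open it at all.
            $row.KeyLocation = "CNG KSP '$($rsa.Key.Provider.Provider)'"
        } else {
            $row.KeyLocation = "other RSA implementation: $($rsa.GetType().Name)"
        }
    } catch {
        # Typical when the key's ACL does not grant the current user read access.
        $row.KeyLocation = "inaccessible: $($_.Exception.Message)"
    }
    [pscustomobject]$row
}
$store.Close()
$report | Format-Table -AutoSize
```

Run it as the same unprivileged account that will run the JVM: a row reporting a CAPI key with machine keyset True is one SunMSCAPI could reach once the CRYPT_MACHINE_KEYSET change is in place, while an inaccessible row points at the key's ACL rather than at the store flags.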