Vinnie is not working on security-libs any more and I think the JBS
report should be marked as unassigned. If any contributors want to
suggest a patch, then I think it can be reviewed on this list!
regards,
Sean.
On 07/08/2018 06:36, Oddbjørn Kvalsund wrote:
Hi,
I was just bit by this issue [JDK-6782021] It is not possible to read
local computer certificates with the SunMSCAPI provider
<https://bugs.openjdk.java.net/browse/JDK-6782021> and from
StackOverflow I notice that several other people (see [1][2][3]) have
come across the same problem. Coming up on the 10th anniversary for
this issue; any chance we'll see some love for it? Or at least a
comment on the issue on what timeline to expect and a list of
workaround/alternative solutions for the meantime?
Background: I'm working with a company having primarily Microsoft
infrastructure and they have a routine where all Windows servers
automatically receive new certificates/keys when the old ones expire.
These certificates are installed in the "Local Computer → Private"
certificate store. They're quite fond of this system and hesitant to
diverge from it, so my preferred option is to just "get with the
program". To temporarily get around JDK-6782021 I created a small
utility [5] that intercepts the JDK's call to 'CertOpenSystemStore' [4]
and presents a read-only virtual certificate store combining all
certificates and keys from the "Current User" and "Local Computer"
certificate stores, but this may have unexpected implications that
I've not yet uncovered, so I'd much prefer not having to do this. A
more thorough solution would be to use the commercial Pheox JCAPI [6]
product, but this is rather expensive and way overkill for what I (and
most others, it seems) need.
References:
[1] https://stackoverflow.com/questions/3612962/access-local-machine-certificate-store-in-java/51708360
[2] https://stackoverflow.com/questions/51205158/access-windows-local-machine-personal-keystore-with-java-sunmscapi
[3] https://stackoverflow.com/questions/51193143/use-jna-to-get-local-machine-certificate
[4] http://hg.openjdk.java.net/jdk/jdk/file/tip/src/jdk.crypto.mscapi/windows/native/libsunmscapi/security.cpp
[5] https://github.com/oddbjornkvalsund/wcsa
[6] https://pheox.com/products/jcapi/
Best regards,
Oddbjørn Kvalsund