JDK-8133634 Java gets SunMSCAPI entry as TrustedCertificateEntry instead of PrivateKeyEntry
Bernd ecki at zusammenkunft.net
Wed Mar 1 23:43:17 UTC 2017
- Previous message (by thread): RFR 8175846: Provide javadoc descriptions for jdk.policytool and jdk.crypto.* modules
- Next message (by thread): RFR 8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms
Hello,
Regarding the bug https://bugs.openjdk.java.net/browse/JDK-8133634 (assigned to Vincent), I can help.
When importing the P12 container on a recent Windows, it gets imported by default under a CSP provider from the CNG API and not into the legacy CAPI store:
Import CLI or certmgr.msc (exportable or not):
certutil.exe -user -f -v -importpfx "ACA PF Administrativo Activo.p12"
Consequently it does not show up as having a key in the Windows KeyStore implementation:
keytool -list -storetype Windows-MY ... EA=demo.empleado at cgae.redabogacia.org, .... trustedCertEntry, Zertifikat-Fingerprint (SHA1): 89:69:78:75:52:6A:DB:01:9B:95:42:63:19:E3:00:9E:60:5E:1D:EF
You can verify the cryptographic provider used with the Windows tool:
certutil.exe -store -user my
It will list the certificate and mention "Microsoft Base Cryptographic Provider 1.0".
If the P12 is deleted and re-imported with the following command the key will show up in the legacy keystore:
$ certutil -csp "Microsoft Strong Cryptographic Provider" -user -f -v -importpfx "ACA PF Administrativo Activo.p12" ...
Das Zertifikat "EA=demo.empleado at cgae.redabogacia.org, ..." wurde zum
Speicher hinzugefügt.
Again certutil shows us the (better) provider:
CertUtil.exe -store -user my
my "Eigene Zertifikate"
================ Zertifikat 0 ================
Seriennummer: 659d357f6f05af385114e692393b5bb0
Aussteller: CN=ACA...
Antragsteller: E=demo.empleado at cgae.redabogacia.org, ..
Kein Stammzertifikat
Zertifikathash(sha1): 89 69 78 75 52 6a db 01 9b 95 42 63 19 e3 00 9e 60 5e 1d ef
Schlüsselcontainer = {0F1CB13E-CA6C-46D0-9C74-25F7B3C780D9}
Eindeutiger Containername: 512a12f4d213aef6c4cadf5a5efc19cf74be6a0b-923e-4199-a6c6-b2089f1643c4
Anbieter = Microsoft Base Cryptographic Provider v1.0
And consequently keytool will list it as a key:
keytool -list -storetype Windows-MY ... EA=demo.empleado at cgae.redabogacia.org, CN=NOMBRE..., PrivateKeyEntry, ...
It is very unfortunate that the SunMSCAPI provider uses the old CAPI and not the CNG versions, because the new versions benefit for example from a Common Criteria certification where the key material is stored in the privileged KeyIso service, unreachable by the application. (And I guess it would solve a few of the problems with alternative signature formats, with unavailable smartcard stubs, etc.)
So, any idea if we will see CNG support any time soon? It has been available since Vista.
Regards, Bernd
PS: can somebody extend the JIRA with my research (attribution welcome).
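The mail above identifies the provider that holds a certificate's private key as the thing that decides whether SunMSCAPI reports it as PrivateKeyEntry or trustedCertEntry. The following PowerShell script is an added example, not part of the original mail or of OpenJDK: it walks the current user's personal store and reports, for each certificate, whether its key is held by a legacy CAPI CSP or by a CNG key storage provider. It assumes Windows PowerShell 5.1 on .NET Framework 4.6 or later, where RSACertificateExtensions.GetRSAPrivateKey returns RSACng for CNG-held keys and RSACryptoServiceProvider for CAPI-held keys; the function name Get-KeyProviderInfo is ours.

```powershell
# Added example (not from the original mail or the JDK): classify every
# certificate in Cert:\CurrentUser\My by the API and provider holding its key.
# Assumption: Windows PowerShell 5.1 / .NET Framework 4.6+, where
# GetRSAPrivateKey yields RSACng for CNG keys and RSACryptoServiceProvider
# for CAPI keys.

function Get-KeyProviderInfo {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )

    $info = [ordered]@{
        Subject    = $Cert.Subject
        Thumbprint = $Cert.Thumbprint
        HasKey     = $Cert.HasPrivateKey
        Api        = 'none'      # 'CAPI', 'CNG', or 'none'
        Provider   = $null       # provider name as certutil -store prints it
    }

    if (-not $Cert.HasPrivateKey) {
        return [pscustomobject]$info
    }

    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)

        if ($rsa -is [System.Security.Cryptography.RSACng]) {
            # Key lives in a CNG key storage provider (e.g. the software KSP):
            # the CAPI-only SunMSCAPI store will not see it as a key.
            $info.Api      = 'CNG'
            $info.Provider = $rsa.Key.Provider.Provider
        }
        elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            # Key lives in a legacy CAPI CSP (Base/Strong/Enhanced ...):
            # this is the case the mail shows as PrivateKeyEntry in keytool.
            $info.Api      = 'CAPI'
            $info.Provider = $rsa.CspKeyContainerInfo.ProviderName
        }
        elseif ($null -eq $rsa) {
            # Not an RSA key; ECDSA keys are only ever held by CNG providers.
            $ecdsa = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($Cert)
            if ($ecdsa -is [System.Security.Cryptography.ECDsaCng]) {
                $info.Api      = 'CNG'
                $info.Provider = $ecdsa.Key.Provider.Provider
            }
        }
    }
    catch {
        # Typical causes: key on a smartcard that is not inserted, or no access.
        $info.Api = "error: $($_.Exception.Message)"
    }

    [pscustomobject]$info
}

# Usage: list the personal store the same way certutil -store -user my does,
# but with the API classification added.
Get-ChildItem Cert:\CurrentUser\My |
    ForEach-Object { Get-KeyProviderInfo -Cert $_ } |
    Format-Table Subject, HasKey, Api, Provider, Thumbprint -AutoSize
```

Rows reported as CAPI with one of the Microsoft Base, Strong or Enhanced Cryptographic Providers correspond to the second import in the mail (keytool shows PrivateKeyEntry); rows reported as CNG, typically under "Microsoft Software Key Storage Provider", correspond to the default import (keytool shows trustedCertEntry). Because the Api column is derived from the .NET object type rather than from parsing certutil text, it also works for non-English Windows installations such as the German one in the mail.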