JDK-8133634 Java gets SunMSCAPI entry as TrustedCertificateEntry instead of PrivateKeyEntry

Bernd Eckenfels-4
Hello,

Regarding the bug https://bugs.openjdk.java.net/browse/JDK-8133634 (assigned to Vincent), I can help.

When importing the P12 container on a recent Windows, it gets imported by default under a CSP provider from the CNG API and not into the legacy CAPI store:

Import via CLI or certmgr.msc (exportable or not):

certutil.exe -user -f -v -importpfx "ACA PF Administrativo Activo.p12"

Consequently, it does not show up as having a key in the Windows KeyStore implementation:

> keytool -list -storetype Windows-MY
...
EA=[hidden email], .... trustedCertEntry,
Certificate fingerprint (SHA1): 89:69:78:75:52:6A:DB:01:9B:95:42:63:19:E3:00:9E:60:5E:1D:EF


You can verify the cryptographic provider used with the Windows tool:

certutil.exe -store -user my

It will list the certificate and mention "Microsoft Base Cryptographic Provider 1.0".

If the P12 is deleted and re-imported with the following command, the key will show up in the legacy keystore:

$ certutil -csp "Microsoft Strong Cryptographic Provider" -user -f -v -importpfx "ACA PF Administrativo Activo.p12"
...
The certificate "EA=[hidden email], ..." was added to the store.


Again, certutil shows us the (better) provider:


CertUtil.exe -store -user my
my "Personal"
================ Certificate 0 ================
Serial Number: 659d357f6f05af385114e692393b5bb0
Issuer: CN=ACA... 
Subject: E=[hidden email], ..
Non-root Certificate
Cert Hash(sha1): 89 69 78 75 52 6a db 01 9b 95 42 63 19 e3 00 9e 60 5e 1d ef
  Key Container = {0F1CB13E-CA6C-46D0-9C74-25F7B3C780D9}
  Unique container name: 512a12f4d213aef6c4cadf5a5efc19cf_74be6a0b-923e-4199-a6c6-b2089f1643c4
  Provider = Microsoft Base Cryptographic Provider v1.0

And consequently, keytool will list it as a key:


> keytool -list -storetype Windows-MY
...
EA=[hidden email], CN=NOMBRE..., PrivateKeyEntry,
...

It is very unfortunate that the SunMSCAPI provider uses the old CAPI and not the CNG versions, because the new versions benefit, for example, from a Common Criteria certification where the key material is stored in the privileged KeyIso service, unreachable by the application. (And I guess it would solve a few of the problems with alternative signature formats, with unavailable smartcard stubs, etc.)

So, any idea if we will see CNG support any time soon? It has been available since Vista.

Regards
Bernd

PS: Can somebody extend the JIRA issue with my research (attribution welcome)?
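As an added example (not part of Bernd's post and not JDK code), the following PowerShell script automates the check described above: for every certificate in the current user's "my" store it reports whether the private key lives in a legacy CAPI CSP container (which SunMSCAPI, and therefore keytool -storetype Windows-MY, shows as PrivateKeyEntry) or in a CNG key storage provider (shown only as trustedCertEntry), and it wraps the certutil re-import with an explicit -csp. It assumes Windows PowerShell 5.1 on .NET Framework, where X509Certificate2.PrivateKey succeeds only for CAPI keys and throws or returns null for CNG keys; the function names Get-PrivateKeyProviderInfo and Import-PfxIntoCapi are names chosen for this example.

```powershell
# Added example, not from the original post. Assumes Windows PowerShell 5.1 (.NET Framework).
# Classifies each certificate's private key as CAPI (legacy CSP container) or CNG (KSP),
# i.e. whether SunMSCAPI will expose it as PrivateKeyEntry or only as trustedCertEntry.

function Get-PrivateKeyProviderInfo {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )

    $info = [ordered]@{
        Thumbprint    = $Cert.Thumbprint
        Subject       = $Cert.Subject
        HasPrivateKey = $Cert.HasPrivateKey
        Api           = 'none'
        Provider      = ''
        SunMSCAPI     = 'trustedCertEntry'   # what keytool -storetype Windows-MY would print
    }
    if (-not $Cert.HasPrivateKey) { return [pscustomobject]$info }

    try {
        # On .NET Framework this property is CAPI-only: it returns an
        # RSA/DSACryptoServiceProvider for CSP containers and throws
        # "Invalid provider type specified" (or returns $null) for CNG keys.
        $csp = $Cert.PrivateKey
        if ($csp -is [System.Security.Cryptography.ICspAsymmetricAlgorithm]) {
            $info.Api       = 'CAPI'
            $info.Provider  = $csp.CspKeyContainerInfo.ProviderName
            $info.SunMSCAPI = 'PrivateKeyEntry'
            return [pscustomobject]$info
        }
    } catch [System.Security.Cryptography.CryptographicException] {
        # Expected for CNG-stored keys; fall through to the CNG-aware path.
    }

    # CNG path: the extension method can open keys held by a key storage provider.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        $info.Api      = 'CNG'
        $info.Provider = $rsa.Key.Provider.Provider   # e.g. Microsoft Software Key Storage Provider
    } else {
        $info.Api = 'unknown'                         # non-RSA CNG key or key not openable
    }
    return [pscustomobject]$info
}

function Import-PfxIntoCapi {
    param(
        [Parameter(Mandatory)][string]$PfxPath,
        # Legacy CAPI CSP, as used in the post. A CNG KSP such as
        # "Microsoft Software Key Storage Provider" would reproduce the problem.
        [string]$Csp = 'Microsoft Strong Cryptographic Provider'
    )
    # certutil prompts for the PFX password; -f overwrites an existing entry.
    & certutil.exe -csp $Csp -user -f -v -importpfx $PfxPath
    if ($LASTEXITCODE -ne 0) { throw "certutil.exe failed with exit code $LASTEXITCODE" }
}

# Usage: list how SunMSCAPI would see each certificate in the user's "my" store.
Get-ChildItem Cert:\CurrentUser\My |
    ForEach-Object { Get-PrivateKeyProviderInfo -Cert $_ } |
    Format-Table Thumbprint, Api, Provider, SunMSCAPI, Subject -AutoSize

# To move a certificate's key into a CAPI container, delete the existing entry
# (e.g. via certmgr.msc or certutil -user -delstore my <thumbprint>) and run:
# Import-PfxIntoCapi -PfxPath 'ACA PF Administrativo Activo.p12'
```

Run the table before and after the re-import: an entry that changes from Api=CNG to Api=CAPI is the one that flips from trustedCertEntry to PrivateKeyEntry in keytool -list -storetype Windows-MY, matching the certutil -store -user my "Provider =" line from the post.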