JDK-8133634 Java gets SunMSCAPI entry as TrustedCertificateEntry instead of PrivateKeyEntry

Bernd Eckenfels-4

Regarding the bug https://bugs.openjdk.java.net/browse/JDK-8133634 (assigned to Vincent), I can help.

When importing the P12 container on a recent Windows version, it gets imported by default under a CSP provider from the CNG API and not into the legacy CAPI store:

Import via the CLI or certmgr.msc (exportable or not):

certutil.exe -user -f -v -importpfx "ACA PF Administrativo Activo.p12"

Consequently it does not show up as having a key in the Windows KeyStore implementation:

> keytool -list -storetype Windows-MY
EA=[hidden email], .... trustedCertEntry,
Certificate fingerprint (SHA1): 89:69:78:75:52:6A:DB:01:9B:95:42:63:19:E3:00:9E:60:5E:1D:EF

You can verify the cryptographic provider used with the Windows tool:

certutil.exe -store -user my

It will list the certificate and mention "Microsoft Base Cryptographic Provider 1.0".

If the P12 is deleted and re-imported with the following command the key will show up in the legacy keystore:

$ certutil -csp "Microsoft Strong Cryptographic Provider" -user -f -v -importpfx "ACA PF Administrativo Activo.p12"
Certificate "EA=[hidden email], ..." added to store.

Again certutil shows us the (better) provider:

CertUtil.exe -store -user my
my "Personal"
================ Certificate 0 ================
Serial Number: 659d357f6f05af385114e692393b5bb0
Issuer: CN=ACA... 
Subject: E=[hidden email], ..
Non-root Certificate
Cert Hash(sha1): 89 69 78 75 52 6a db 01 9b 95 42 63 19 e3 00 9e 60 5e 1d ef
  Key Container = {0F1CB13E-CA6C-46D0-9C74-25F7B3C780D9}
  Unique container name: 512a12f4d213aef6c4cadf5a5efc19cf_74be6a0b-923e-4199-a6c6-b2089f1643c4
  Provider = Microsoft Base Cryptographic Provider v1.0

And consequently keytool will list it as a key:

> keytool -list -storetype Windows-MY
EA=[hidden email], CN=NOMBRE..., PrivateKeyEntry,

It is very unfortunate that the SunMSCAPI provider uses the old CAPI and not the CNG versions, because the new versions benefit, for example, from a Common Criteria certification where the key material is stored in the privileged KeyIso service, unreachable by the application. (And I guess it would solve a few of the problems with alternative signature formats, with unavailable smartcard stubs, etc.)

So, any idea if we will see CNG support any time soon? It has been available since Vista.


PS: Can somebody extend the JIRA issue with my research (attribution welcome)?
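The check described in the post above, as an added PowerShell example that is not part of the original message and not code from the OpenJDK project: it walks the current user's "My" store and reports, for every certificate with a private key, whether the key is held by a legacy CAPI CSP or by a CNG key storage provider, and what keytool -storetype Windows-MY is therefore expected to list for it according to the post (PrivateKeyEntry for CAPI, trustedCertEntry otherwise). The function names Get-MyStoreKeyProviders and Import-PfxToLegacyCsp are hypothetical; the provider detection assumes Windows PowerShell on .NET Framework 4.6 or later (where RSACertificateExtensions.GetRSAPrivateKey returns RSACryptoServiceProvider for CAPI keys and RSACng for CNG keys) and only classifies RSA keys. The re-import helper simply wraps the certutil invocation from the post.

```powershell
# Added example, not from the original post. Classify private keys in the
# current user's "My" store by the API/provider that holds them.
function Get-MyStoreKeyProviders {
    [CmdletBinding()]
    param([string]$StorePath = 'Cert:\CurrentUser\My')

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $api      = 'none'       # no private key associated with the cert
        $provider = $null

        if ($cert.HasPrivateKey) {
            try {
                # Assumption: .NET Framework 4.6+. Returns RSACryptoServiceProvider
                # for CAPI-held keys, RSACng for CNG-held keys, $null for non-RSA keys.
                $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                if ($null -eq $rsa) {
                    $api = 'non-RSA'
                } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                    $api      = 'CAPI'
                    $provider = $rsa.CspKeyContainerInfo.ProviderName
                } elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
                    $api      = 'CNG'
                    $provider = $rsa.Key.Provider.Provider   # KSP name, e.g. the software KSP
                } else {
                    $api = $rsa.GetType().Name
                }
            } catch {
                # Key exists but cannot be opened (e.g. smartcard not present, ACL denies access)
                $api      = 'inaccessible'
                $provider = $_.Exception.Message
            }
        }

        # What keytool -storetype Windows-MY should show, per the observation in the post:
        # only CAPI-held keys surface as PrivateKeyEntry.
        switch ($api) {
            'CAPI'  { $expected = 'PrivateKeyEntry' }
            default { $expected = 'trustedCertEntry' }
        }

        [pscustomobject]@{
            Thumbprint        = $cert.Thumbprint
            Subject           = $cert.Subject
            KeyApi            = $api
            Provider          = $provider
            ExpectedInKeytool = $expected
        }
    }
}

# Re-import a PFX into a legacy CAPI CSP so SunMSCAPI can see the private key.
# Same certutil command as in the post; -f overwrites an existing entry.
function Import-PfxToLegacyCsp {
    param(
        [Parameter(Mandatory)][string]$PfxPath,
        [string]$Csp = 'Microsoft Strong Cryptographic Provider'
    )
    & certutil.exe -csp $Csp -user -f -v -importpfx $PfxPath
    if ($LASTEXITCODE -ne 0) {
        throw "certutil.exe failed with exit code $LASTEXITCODE"
    }
}

# Usage: list the store, then compare the KeyApi column against keytool's output.
Get-MyStoreKeyProviders | Format-Table Thumbprint, KeyApi, Provider, ExpectedInKeytool -AutoSize
# Import-PfxToLegacyCsp -PfxPath '.\ACA PF Administrativo Activo.p12'
```

If the script reports CNG for an entry that keytool lists as trustedCertEntry, deleting that entry and running Import-PfxToLegacyCsp reproduces the fix from the post; note that moving a key from the CNG key storage provider to a legacy CSP gives up the KeyIso isolation the post describes, so it is a workaround for SunMSCAPI rather than a hardening step.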