JDK-6782021: It is not possible to read local computer certificates with the SunMSCAPI provider

[macarte]

On Windows you can now access the local machine keystores using the strings "Windows-MY-LOCALMACHINE" and "Windows-ROOT-LOCALMACHINE"; note the application requires admin privileges.

"Windows-MY" and "Windows-ROOT" remain unchanged, however given these original keystore strings mapped to the current user, I added "Windows-MY-CURRENTUSER" and "Windows-ROOT-CURRENTUSER" so that a developer can explicitly specify the current user location. These two new strings simply map to the original two strings, i.e. no duplication of code paths etc

No new tests added, keystore functionality and API remains unchanged, the local machine keystore types would require the tests to run in admin mode

Tested on windows, passes tier1 and tier2 tests

---

Progress

• Change must not contain extraneous whitespace
• Commit message must refer to an issue
• Change requires a CSR request to be approved
• Change must be properly reviewed (1 review required, with at least 1 reviewer)

Issues

• JDK-6782021: It is not possible to read local computer certificates with the SunMSCAPI provider
• JDK-8284850: It is not possible to read local computer certificates with the SunMSCAPI provider (CSR)

Reviewers

• Weijun Wang (@wangweij - Reviewer)

Reviewing

Using git

Checkout this PR locally:
$ git fetch https://git.openjdk.java.net/jdk pull/8211/head:pull/8211
$ git checkout pull/8211

Update a local copy of the PR:
$ git checkout pull/8211
$ git pull https://git.openjdk.java.net/jdk pull/8211/head

Using Skara CLI tools

Checkout this PR locally:
$ git pr checkout 8211

View PR using the GUI difftool:
$ git pr show -t 8211

Using diff file

Download this PR as a diff file:
https://git.openjdk.java.net/jdk/pull/8211.diff

[bridgekeeper]

👋 Welcome back macarte! A progress list of the required criteria for merging this PR into master will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.

[openjdk]

@macarte The following label will be automatically applied to this pull request:

• security

When this pull request is ready to be reviewed, an "RFR" email will be sent to the corresponding mailing list. If you would like to change these labels, use the /label pull request command.

[mlbridge]

Webrevs

• 05: Full - Incremental (6c1f181b)
• 04: Full - Incremental (985378fb)
• 03: Full - Incremental (c56ce0fd)
• 02: Full - Incremental (5b3d4115)
• 01: Full - Incremental (881bc600)
• 00: Full (86b5ced5)

[wangweij]

Thanks a lot for the quick contribution! I'll definitely be happy to sponsor it.

Since new keystore types are created, this needs a CSR. Go to https://bugs.openjdk.java.net/browse/JDK-6782021, click "More" and at the end there is a "Create CSR". Basically you talk about what these new keystores are and why they are useful. The scope is JDK and I assume the compatibility risk is low. There is no spec change but you can suggest new entries in the "JDK Providers Documentation" (https://docs.oracle.com/en/java/javase/18/security/oracle-providers.html#GUID-4F1737D6-1569-4340-B140-678C70E63CD5). You can also add a label like noreg-other to the bug and add a comment explaining what manual tests can be added, how to run it, and what the expected output is.

[wangweij]

/csr

[openjdk]

@wangweij has indicated that a compatibility and specification (CSR) request is needed for this pull request.
@macarte please create a CSR request for issue JDK-6782021. This pull request cannot be integrated until the CSR request is approved.

[mkarg]

Actually the Windows API is using a reverse naming system, so I would propose the following changes:

• MY and ROOT become marked as deprecated in both, the source code and all documentation, so in future there won't be any confusion anymore what store these actually do access.
• Following the Windows naming system and make the syntax more logical, I propose the new store names are Windows:LOCALMACHINE/MY , Windows:LOCALMACHINE/ROOT, Windows:CURRENTUSER/MY and Windows:CURRENTUSER/ROOT. The colon is commonly well-understood as a separator between schemes and names, and the slash is commonly understood as a path separator. So this new syntax makes usage much cleaner.

[macarte]

Please see draft CSR: https://bugs.openjdk.java.net/browse/JDK-8284850

[wangweij]

The CSR looks fine. It's not necessary to attach a patch there. At least don't name it specdiff because it's not about spec.

BTW, how do you think of the names proposed in #8211 (comment)?

[macarte]

I don't use this API much so I don't really have an opinion as a customer regarding the format of the strings used to identify the key stores. I'd be happy to review a separate PR but I think this falls outside the scope of this PR which specifically targets the inability to access local machine key stores (which a bug has been raised against).

note: there's also a "Windows-PRNG" which isn't a key store but the native random number generator

[wangweij]

@macarte I've added my name as reviewer in the CSR. You can either propose it (if you expect some feedback from the CSR reviewers) or just finalize it (if you think the change is simple and obvious).

[wangweij]

Also, please remove trailing spaces and create a new commit. Skara dislikes trailing spaces and TAB characters in source code.

[macarte]

@wangweij - I believe the change to be simple enough I'll go ahead and finalize it. However, I've proposed updates to the documentation, how are these actioned, i.e. what steps are required of me?

[wangweij]

@wangweij - I believe the change to be simple enough I'll go ahead and finalize it. However, I've proposed updates to the documentation, how are these actioned, i.e. what steps are required of me?

I filed a doc task at https://bugs.openjdk.java.net/browse/JDK-8286141. It will be picked up by the doc team. We will also need to write a release note. If you have any recommended text, you can write here.

[macarte]

Found an issue with my editor where whitespace was not being rendered :( - will check the diff in future

[wangweij]

I'd like to contribute a test. Please modify it as much as you like. You can put it inside test/jdk/sun/security/mscapi/.

/*
 * Copyright (c) 2022, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 * questions.
 */

import jdk.test.lib.Asserts;
import jdk.test.lib.SecurityTools;

import java.security.KeyStore;
import java.util.Collections;
import java.util.List;
import java.util.Locale;

/*
 * @test
 * @bug 6782021
 * @requires os.family == "windows"
 * @library /test/lib
 * @summary More keystore types
 */
public class AllTypes {
    public static void main(String[] args) throws Exception {
        var nm = test("windows-my");
        var nr = test("windows-root");
        var nmu = test("windows-my-currentuser");
        var nru = test("windows-root-currentuser");
        var nmm = test("windows-my-localmachine");
        var nrm = test("windows-root-localmachine");
        Asserts.assertEQ(nm, nmu);
        Asserts.assertEQ(nr, nru);
    }

    private static List<String> test(String type) throws Exception {
        var stdType = "Windows-" + type.substring(8).toUpperCase(Locale.ROOT);
        SecurityTools.keytool("-storetype " + type + " -list")
                .shouldHaveExitValue(0)
                .shouldContain("Keystore provider: SunMSCAPI")
                .shouldContain("Keystore type: " + stdType);
        KeyStore ks = KeyStore.getInstance(type);
        ks.load(null, null);
        var content = Collections.list(ks.aliases());
        Collections.sort(content);
        return content;
    }
}

[macarte]

@wangweij - regarding the two tests for localmachine, these will throw a KeyStore exception "Access denied" if the test is not run as admin, is there anyway in the test to make that a requirement? If so we could split into two tests, one in admin that does all and one in non-admin that does the currentuser tests

[wangweij]

Oops, I didn't realized that. Yes, you can divide it to 2 tests. The one needs admin privilege can be tagged @run main/manual Test. It probably won't get a lot of chance to run.

[macarte]

@wangweij - I added your test and updated to handle Access Denied errors due to admin rights missing, in this case we ignore the test

The CSR has been finalized and I feel we are ready to close out this PR

[wangweij]

Great. After the CSR is approved I will approve this PR as well. Then you will need to type the /integrate command as a comment here, and I will type /sponsor. Then the Skara bot will integrate the change and close the PR.

[wangweij]

@macarte Can you explain more on when an "access denied" error could happen? I create a normal user in my local AD and didn't see that. We might need to talk about this in the release note.

[christophbrejla]

Hi @christophbrejla, thanks for making a comment in an OpenJDK project!

All comments and discussions in the OpenJDK Community must be made available under the OpenJDK Terms of Use. If you already are an OpenJDK Author, Committer or Reviewer, please click here to open a new issue so that we can record that fact. Please Use "Add GitHub user christophbrejla for the summary.

If you are not an OpenJDK Author, Committer or Reviewer, simply check the box below to accept the OpenJDK Terms of Use for your comments.

• I agree to the OpenJDK Terms of Use for all comments I make in a project in the OpenJDK GitHub organization.

Your comment will be automatically restored once you have accepted the OpenJDK Terms of Use.

[macarte]

@christophbrejla - my goal is to backport to latest (18 or 19), 17 and 11

[wangweij]

@christophbrejla - my goal is to backport to latest (18 or 19), 17 and 11

Then please add the versions to the "Fix Version(s)" field of the CSR. There are also some questions waiting for you in the comment there.

[wangweij]

@macarte I think Sean's comment on your CSR about the scope is correct. The "algorithm" name should be at the JDK level so user knows what to write in their app. Once you think there's no more to update, you can finalize the CSR.

[macarte]

/integrate

[openjdk]

@macarte This pull request has not yet been marked as ready for integration.

[macarte]

Appologies i misread the process - waiting for @wangweij to approve

[openjdk]

@macarte This change now passes all automated pre-integration checks.

ℹ️ This project also has non-automated pre-integration requirements. Please see the file CONTRIBUTING.md for details.

After integration, the commit message for the final commit will be:

6782021: It is not possible to read local computer certificates with the SunMSCAPI provider

Reviewed-by: weijun

You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed.

At the time when this comment was updated there had been 489 new commits pushed to the master branch:

• d65fba4: 8286452: The array length of testSmallConstArray should be small and const
• 125efe6: 8286744: failure_handler: dmesg command on macos fails to collect data due to permission issues
• 40f4dab: 8286756: Cleanup foreign API benchmarks
• af2918f: 8286787: Expand use of @inheritdoc in AudioInputStream
• 24cab0a: 8286740: JFR: Active Setting event emitted incorrectly
• a31130f: 7131823: bug in GIFImageReader
• 4bc7b7d: 8286760: Update citation of "Effective Java" second edition to third edition
• c044cb8: 8286399: Address possibly lossy conversions in JDK Build Tools
• b884db8: 8285844: TimeZone.getTimeZone(ZoneOffset) does not work for all ZoneOffsets and returns GMT unexpected
• dbd3737: 8286200: SequenceInputStream::read(b, off, 0) returns -1 at EOF
• ... and 479 more: https://git.openjdk.java.net/jdk/compare/4e165f66a954dd7fab4b6dab584c4da060f6a48e...master

As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details.

As you do not have Committer status in this project an existing Committer must agree to sponsor your change. Possible candidates are the reviewers of this PR (@wangweij) but any other Committer may sponsor as well.

➡️ To flag this PR as ready for integration with the above commit message, type /integrate in a new comment. (Afterwards, your sponsor types /sponsor in a new comment to perform the integration).

[macarte]

/integrate

[wangweij]

/sponsor

[openjdk]

@macarte
Your change (at version 6c1f181) is now ready to be sponsored by a Committer.

[wangweij]

/sponsor

[openjdk]

Going to push as commit 5e5500c.
Since your change was applied there have been 489 commits pushed to the master branch:

• d65fba4: 8286452: The array length of testSmallConstArray should be small and const
• 125efe6: 8286744: failure_handler: dmesg command on macos fails to collect data due to permission issues
• 40f4dab: 8286756: Cleanup foreign API benchmarks
• af2918f: 8286787: Expand use of @inheritdoc in AudioInputStream
• 24cab0a: 8286740: JFR: Active Setting event emitted incorrectly
• a31130f: 7131823: bug in GIFImageReader
• 4bc7b7d: 8286760: Update citation of "Effective Java" second edition to third edition
• c044cb8: 8286399: Address possibly lossy conversions in JDK Build Tools
• b884db8: 8285844: TimeZone.getTimeZone(ZoneOffset) does not work for all ZoneOffsets and returns GMT unexpected
• dbd3737: 8286200: SequenceInputStream::read(b, off, 0) returns -1 at EOF
• ... and 479 more: https://git.openjdk.java.net/jdk/compare/4e165f66a954dd7fab4b6dab584c4da060f6a48e...master

Your commit was automatically rebased without conflicts.

[openjdk]

@wangweij @macarte Pushed as commit 5e5500c.

💡 You may see a message that your pull request was closed with unmerged commits. This can be safely ignored.

[openjdk]

@wangweij The command sponsor can only be used in open pull requests.

[christophbrejla]

<!-- Start of TOU acceptance message header --> Hi @christophbrejla, thanks for making a comment in an OpenJDK project! All comments and discussions in the OpenJDK Community must be made available under the OpenJDK [Terms of Use](https://openjdk.java.net/legal/tou/). If you already are an OpenJDK [Author](https://openjdk.java.net/bylaws#author), [Committer](https://openjdk.java.net/bylaws#committer) or [Reviewer](https://openjdk.java.net/bylaws#reviewer), please click [here](https://bugs.openjdk.java.net/secure/CreateIssue.jspa?pid=11300&issuetype=1) to open a new issue so that we can record that fact. Please Use "Add GitHub user christophbrejla for the summary. If you are not an OpenJDK Author, Committer or Reviewer, simply check the box below to accept the OpenJDK Terms of Use for your comments. <!-- End of TOU acceptance message header --> - [ ] I agree to the [OpenJDK Terms of Use](https://openjdk.java.net/legal/tou/) for all comments I make in a project in the [OpenJDK GitHub organization](https://github.com/openjdk). <!-- Start of TOU acceptance message footer --> Your comment will be automatically restored once you have accepted the OpenJDK [Terms of Use](https://openjdk.java.net/legal/tou/). <!-- End of TOU acceptance message footer --> <!-- Original message to be restored: Hello+%40macarte+%3Chttps%3A%2F%2Fgithub.com%2Fmacarte%3E%0A%0Athanks+for+the+info.+I+dont+know+how+much+work+it+would+be%2C+but+if+it+is+not+too+much+of+a+hassle+i+would+much+appreciate+if+you+also+backport+to+version+8.+%0A%0Athank+you+very+much%0A%0A%3E+On+11+May+2022%2C+at+17%3A55%2C+Mat+Carter+***%40***.***%3E+wrote%3A%0A%3E+%0A%3E+%0A%3E+%40christophbrejla+%3Chttps%3A%2F%2Fgithub.com%2Fchristophbrejla%3E+-+my+goal+is+to+backport+to+latest+%2818+or+19%29%2C+17+and+11%0A%3E+%0A%3E+%E2%80%94%0A%3E+Reply+to+this+email+directly%2C+view+it+on+GitHub+%3Chttps%3A%2F%2Fgithub.com%2Fopenjdk%2Fjdk%2Fpull%2F8211%23issuecomment-1123959699%3E%2C+or+unsubscribe+%3Chttps%3A%2F%2Fgithub.com%2Fnotifications%2Funsubscribe-auth%2FAPWW5GYTCXXEXUI2UGWJGBTVJPKAPANCNFSM5TIH5GZQ%3E.%0A%3E+You+are+receiving+this+because+you+were+mentioned.%0A%3E+%0A%0A -->