GithubHelp home page GithubHelp logo

wcsa's Introduction

Windows Certificate Store Aggregator

Tooling to read certificate stores in Windows for Java versions < 19 (2022)

The JDK-6782021 issue that was reported in 2008 was finally fixed with Java 19, so this is no longer an issue for modern Java versions 🥳

Problem

The SunMSCAPI JCA provider¹ used by both Oracle JDK/JRE and OpenJDK only provides access to certificates and private keys stored in the Current User certificate store. The reason for this is that it uses the CertOpenSystemStore WinCrypt API call that explicitly states²:

Only current user certificates are accessible using this method, not the local machine store.

So if you need access to certificates and/or private keys stored in the Windows Local Computer certificate store from a Java program, you are out of luck.

Solution

This software uses the Microsoft Detours³ library to intercept CertOpenSystemStore function calls and instead returns a handle to a collection type certificate store that aggregates both the Current User and Local Computer certificate stores. In addition, it intercepts calls to CryptAcquireContext and adds CRYPT_MACHINE_KEYSET to dwFlags if the original call fails with an NTE_BAD_KEYSET ("Keyset does not exist") error. This is required to use keys that are stored in the Local Computer certificate store.

Get

Download prebuild binaries in the release section of this repo or clone this repo and build with nmake (requires a working Win32 build environment).

Usage

Instead of starting your application with java -jar myapp.jar, you bootstrap it with the Windows Detours³ withdll utility: withdll.exe /d:wcsa.dll java -jar myapp.jar

Note that you might need to explicitly grant certificate key read permissions to the Windows user that runs the process.

Limitations

  • The returned collection certificate store is read-only, so adding, updating or removing certificates/private keys will fail.
  • This software intercepts all calls to CertOpenSystemStore, so make sure this is what you really want before proceeding to use this in production.

Licence

MIT Open Source Licence.

References

  1. SunMSCAPI
  2. WinCrypt remarks
  3. Microsoft Detours
  4. JDK-6782021

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.