kaikramer / keystore-explorer

KeyStore Explorer is a free GUI replacement for the Java command-line utilities keytool and jarsigner.
https://keystore-explorer.org/
GNU General Public License v3.0
1.7k stars 275 forks

Configurable special Windows stores by name, allowing them to be used as default or CA store. #354

Closed joseidc closed 10 months ago

joseidc commented 2 years ago

Is your feature request related to a problem? Please describe. A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]

Describe the solution you'd like A clear and concise description of what you want to happen.

Describe alternatives you've considered A clear and concise description of any alternative solutions or features you've considered.

Additional context Add any other context or screenshots about the feature request here.

kaikramer commented 2 years ago

Hmm, I think I know what you mean...

joseidc commented 2 years ago

I have been working recently with the Windows API (from C#) to store certs and CRLs in different "named" stores to keep functional PKIs separated. In this case an ICAO eMRTD PKI and a citizen certificates PKI. Maybe this is not a common use, but Windows has more default stores in addition to the already supported (root) CAs and (personal) My, and it may be useful to explore or administer them.

I understand this can be a JRE limitation. I haven't used the Java language for a long time, and I don't know if the JRE relies on the Windows CryptoAPI or if it accesses the certificates through the registry. But it should be possible to create, maintain and delete key, cert and CRL stores under the Windows user security, making interoperability easier.

On the other hand, once you can access different CA and end-entity stores, it could make sense to be able to configure them as the default ones.

I hope I explained myself a little better.


kaikramer commented 2 years ago

Yeah, I know, I wasn't joking when I wrote my first comment. And I really would like to offer more in that area. Unfortunately I am restricted to what the Java runtime has to offer... I did some research and not much has changed since I added the MSCAPI provider to KSE in 2016. Even Java 17 only supports ROOT and MY: https://docs.oracle.com/en/java/javase/17/security/oracle-providers.html#GUID-4F1737D6-1569-4340-B140-678C70E63CD5
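As an added illustration (not code from this thread or from KSE), the following Java program shows what the SunMSCAPI provider exposes today: the two built-in stores load and can be enumerated, while any other store name is rejected by KeyStore.getInstance before a CryptoAPI call is ever made. It assumes a Windows JRE; the store name Windows-MyNamedStore is a hypothetical placeholder.

```java
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.X509Certificate;
import java.util.Collections;

public class WindowsStoreProbe {

    /** Opens a SunMSCAPI-backed keystore; the provider expects a null stream and password. */
    static KeyStore open(String type) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        ks.load(null, null);
        return ks;
    }

    /** Lists every entry of a store, marking whether a private key is attached. */
    static void list(String type) throws Exception {
        KeyStore ks = open(type);
        System.out.println(type + ": " + ks.size() + " entries");
        for (String alias : Collections.list(ks.aliases())) {
            String kind = ks.isKeyEntry(alias) ? "key+cert" : "trusted cert";
            X509Certificate c = (X509Certificate) ks.getCertificate(alias);
            String subject = c == null ? "(no certificate)" : c.getSubjectX500Principal().getName();
            System.out.printf("  [%s] %s -> %s%n", kind, alias, subject);
        }
    }

    public static void main(String[] args) throws Exception {
        list("Windows-MY");    // personal store (keys and certificates)
        list("Windows-ROOT");  // trusted root CA store
        try {
            // Hypothetical custom store name: no provider registers this type,
            // so getInstance fails with KeyStoreException.
            open("Windows-MyNamedStore");
        } catch (KeyStoreException e) {
            System.out.println("custom store not supported: " + e.getMessage());
        }
    }
}
```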

jpstotz commented 2 years ago

Looking at the source code of OpenJDK, it may not require many changes to allow access to certificate stores other than MY and ROOT (assuming that custom "named" stores can simply be accessed by their name):

https://github.com/AdoptOpenJDK/openjdk-jdk11/blob/master/src/jdk.crypto.mscapi/windows/classes/sun/security/mscapi/KeyStore.java#L52-L65

https://github.com/AdoptOpenJDK/openjdk-jdk11/blob/master/src/jdk.crypto.mscapi/windows/classes/sun/security/mscapi/SunMSCAPI.java#L88-L92

So implementing the keystore type Windows-([A-Za-z0-9]), extracting the store name and using it should be possible. The only problem could be getting the OpenJDK maintainers to accept such a change. My last attempts to get code changes into OpenJDK ended up in endless discussions without any outcome.

joseidc commented 2 years ago

So they are using the Microsoft Crypto API, and they are calling this function:

https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-certopenstore

The same way they use "MY" or "ROOT", they should be able to open other named stores, and depending on the flags, these stores can be created if they don't exist or even deleted. In my app, delete doesn't really delete the store but clears all its contents.


kaikramer commented 10 months ago

As this feature requires JDK changes it is currently not possible to add it in KSE.