Reputation: 335
How to load Next Generation certificates from the Microsoft keystore using Java 8?
I'm trying to load certificates directly from the Microsoft store in order to avoid having to export certs from the MS store and then import them into a JKS store.
I managed to get certs created from a typical AD CS web server template using legacy crypto directly from the MS stores using SunMSCAPI.
However, SunMSCAPI does not support the modern CNG ciphers I'm using, specifically RSA-2048 asymmetric encryption, SHA-384 hashing and ECDSA-384 digital signature.
Is it possible to load Next Generation certificates from MS stores using Java? I'm on jdk1.8.0_45. Is there an off-the-shelf JCE provider alternative to SunMSCAPI that can handle CNG? I suspect it would have to use JNI or JNA to access the native Windows CNG API.
I've tried Pheox JCAPI without success. It supports RSA and DSA, but not ECDSA. I have not tried Bouncy Castle, but my understanding is that it does not offer such a capability.
Are there other off-the-shelf JCE provider alternatives to SunMSCAPI that can handle CNG I could try?
Update: JCAPI v2 supports only RSA, ECDH support planned for v3 next year.
Update: Some have suggested that installing the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files for Java 8 could perhaps resolve this, but no, that does not help, since the problem is that SunMSCAPI supports only RSA ciphers, as can be seen looking at the source code.
Upvotes: 17
Views: 1791
Answers (3)
Reputation: 190
Next generation api is not implemented in sunmscapi c++ code - file security.cpp -, that interacts with windows crypto api. EC is not implemented in java code of sunmscapi also.
You can view the source from openJDK here: http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/file/556b17038b5c/src/windows/native/sun/security/mscapi/security.cpp
When you call keystore.load(null, null) from your java code, it ends up in c++ code function Java_sun_security_mscapi_KeyStore_loadKeysOrCertificateChains eventually. line 383 CryptAcquireCertificatePrivateKey returns false, since it's not using CRYPT_ACQUIRE_ALLOW_NCRYPT_KEY_FLAG flag. Even when you fix that line, it eventually breaks down. Since it uses old crypto api functions.
Getting it to work means rewriting all sunmscapi yourself, using new next generation crypto api.
Upvotes: 0
Reputation: 2022
As already mentioned, this is not (yet) possible with SunMSCAPI. Actually there is an enhancement request open, where one may vote for the issue to be fixed.
Issue here: https://bugs.openjdk.java.net/browse/JDK-8026953
Upvotes: 2
Reputation: 2073
The specification states
Due to import regulations in some countries, the Oracle implementation provides a default cryptographic jurisdiction policy file that limits the strength of cryptographic algorithms.
If stronger algorithms are needed (for example, AES with 256-bit keys), the JCE Unlimited Strength Jurisdiction Policy Files must be obtained and installed in the JDK/JRE.
It is the user's responsibility to verify that this action is permissible under local regulations.
Download the JCE Unlimited Strength Jurisdiction Policy Files and place it in your jre security folder.
Upvotes: 0
Related Questions
- Accessing Windows Certificate Store certs via Java?
- How to import a .cer certificate into a java keystore?
- Import elliptic curve Certificate and Private Key into Java Keystore using java.security.KeyStore
- Import Windows certificates to Java
- How to import a .p12 or pem certificate into a java keystore?
- Windows keystores and certificates
- Loading a Certificate from a Keystore
- Import key and SSL Certificate into java keystore
- loading a certificate from keystore
- Java: Read certificates from windows store