
How to load Next Generation certificates from the Microsoft keystore using Java 8?

I'm trying to load certificates directly from the Microsoft store in order to avoid having to export certs from the MS store and then import them into a JKS store.

I managed to get certs created from a typical AD CS web server template using legacy crypto directly from the MS stores using SunMSCAPI.

However, SunMSCAPI does not support the modern CNG ciphers I'm using, specifically RSA-2048 asymmetric encryption, SHA-384 hashing and ECDSA-384 digital signature.

Is it possible to load Next Generation certificates from MS stores using Java? I'm on jdk1.8.0_45. Is there an off-the-shelf JCE provider alternative to SunMSCAPI that can handle CNG? I suspect it would have to use JNI or JNA to access the native Windows CNG API.

I've tried Pheox JCAPI without success. It supports RSA and DSA, but not ECDSA. I have not tried Bouncy Castle, but my understanding is that it does not offer such a capability.

Are there other off-the-shelf JCE provider alternatives to SunMSCAPI that can handle CNG I could try?

Update: JCAPI v2 supports only RSA, ECDH support planned for v3 next year.

Update: Some have suggested that installing the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files for Java 8 could perhaps resolve this, but no, that does not help, since the problem is that SunMSCAPI supports only RSA ciphers, as can be seen by looking at the source code.

As already mentioned, this is not (yet) possible with SunMSCAPI. Actually there is an enhancement request open, where one may vote for the issue to be fixed.

Issue here: https://bugs.openjdk.java.net/browse/JDK-8026953

The specification states

Due to import regulations in some countries, the Oracle implementation provides a default cryptographic jurisdiction policy file that limits the strength of cryptographic algorithms.

If stronger algorithms are needed (for example, AES with 256-bit keys), the JCE Unlimited Strength Jurisdiction Policy Files must be obtained and installed in the JDK/JRE.

It is the user's responsibility to verify that this action is permissible under local regulations.

Download the JCE Unlimited Strength Jurisdiction Policy Files and place them in your JRE security folder.

The Next Generation API is not implemented in the SunMSCAPI C++ code (file security.cpp) that interacts with the Windows Crypto API. EC is not implemented in the Java code of SunMSCAPI either.

You can view the source from openJDK here: http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/file/556b17038b5c/src/windows/native/sun/security/mscapi/security.cpp

When you call keystore.load(null, null) from your Java code, it eventually ends up in the C++ function Java_sun_security_mscapi_KeyStore_loadKeysOrCertificateChains. At line 383, CryptAcquireCertificatePrivateKey returns false, since it is not using the CRYPT_ACQUIRE_ALLOW_NCRYPT_KEY_FLAG flag. Even when you fix that line, it eventually breaks down, since it uses the old Crypto API functions.

Getting it to work means rewriting all of SunMSCAPI yourself, using the new Next Generation Crypto API.
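As an added diagnostic (not code from the question or from any of the answers above): enumerate the Windows-MY store through SunMSCAPI on Java 8 and report, per alias, the key algorithm and whether the provider actually handed back a private key, so that CNG-only entries are identified before a TLS handshake or signing call fails at runtime. The class and method names are mine; it assumes a Windows JVM where the SunMSCAPI provider is present.

```java
import java.security.Key;
import java.security.KeyStore;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;

/** Inventory of the Windows-MY store as seen through SunMSCAPI (Java 8). Hypothetical helper. */
public class MsCapiKeyInventory {

    /** One report line per alias: key algorithm, signature algorithm and whether
     *  SunMSCAPI returned a usable private key for it. */
    public static List<String> inventory(KeyStore ks) throws Exception {
        List<String> report = new ArrayList<>();
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            Certificate cert = ks.getCertificate(alias);
            if (cert == null) { report.add(alias + ": no certificate"); continue; }
            PublicKey pub = cert.getPublicKey();
            String sigAlg = (cert instanceof X509Certificate)
                    ? ((X509Certificate) cert).getSigAlgName() : "unknown";
            // SunMSCAPI ignores the password; null means the provider could not
            // acquire the private key through the legacy CryptoAPI path (a CNG-held
            // key, for example). Note: depending on the JDK build such entries may
            // be listed without a key or may not be listed at all (assumption).
            Key priv = ks.getKey(alias, null);
            String verdict;
            if (!"RSA".equals(pub.getAlgorithm())) {
                verdict = "UNSUPPORTED by SunMSCAPI on Java 8 (non-RSA key: " + pub.getAlgorithm() + ")";
            } else if (priv == null) {
                verdict = "certificate only: private key not accessible through CryptoAPI";
            } else {
                verdict = "usable (legacy CryptoAPI RSA key)";
            }
            report.add(String.format("%s: key=%s sig=%s -> %s",
                    alias, pub.getAlgorithm(), sigAlg, verdict));
        }
        return report;
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("Windows-MY", "SunMSCAPI");
        ks.load(null, null); // the call the answer above traces into loadKeysOrCertificateChains
        for (String line : inventory(ks)) System.out.println(line);
    }
}
```

Run it once on the machine holding the AD CS-issued certificates; any alias reported as non-RSA or certificate-only is one SunMSCAPI cannot use, regardless of the jurisdiction policy files installed.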
