How to load Next Generation certificates from the Microsoft keystore using Java 8?

I'm trying to load certificates directly from the Microsoft store in order to avoid having to export certs from the MS store and then import them into a JKS store.

I managed to get certs created from a typical AD CS web server template using legacy crypto directly from the MS stores using SunMSCAPI.

However, SunMSCAPI does not support the modern CNG ciphers I'm using, specifically RSA-2048 asymmetric encryption, SHA-384 hashing and ECDSA-384 digital signature.

Is it possible to load Next Generation certificates from MS stores using Java? I'm on jdk1.8.0_45. Is there an off-the-shelf JCE provider alternative to SunMSCAPI that can handle CNG? I suspect it would have to use JNI or JNA to access the native Windows CNG API.

I've tried Pheox JCAPI without success. It supports RSA and DSA, but not ECDSA. I have not tried Bouncy Castle, but my understanding is that it does not offer such a capability.

Are there other off-the-shelf JCE provider alternatives to SunMSCAPI that can handle CNG I could try?

Update: JCAPI v2 supports only RSA, ECDH support planned for v3 next year.

Update: Some have suggested that installing the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files for Java 8 could perhaps resolve this, but no, that does not help, since the problem is that SunMSCAPI supports only RSA ciphers, as can be seen looking at the source code.

asked Aug 27 '15 by fstarnaud


1 Answer

As already mentioned, this is not (yet) possible with SunMSCAPI. Actually there is an enhancement request open, where one may vote for the issue to be fixed.

Issue here: https://bugs.openjdk.java.net/browse/JDK-8026953

answered Oct 06 '22 by beat
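The following is an added example, not code from the question or the answer above. It shows the SunMSCAPI access path the question is asking about: open the current user's personal store (the real `Windows-MY` keystore type of the real `SunMSCAPI` provider), list every certificate with its public-key and signature algorithm, and, for entries where the provider exposes a private key, prove the key is actually usable by producing and verifying a test signature. Entries whose certificate carries a non-RSA key are reported rather than signed, matching the page's point that the JDK 8 provider only handles RSA. The class name `WindowsStoreProbe`, the `Entry` record and the choice of `SHA256withRSA` for the probe signature are this example's own assumptions; it only runs on a Windows JDK that ships SunMSCAPI.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/**
 * Probe the Windows certificate store through SunMSCAPI and report which
 * entries Java 8 can really sign with. Example code, not from the original post.
 */
public class WindowsStoreProbe {

    /** One line of the report; field names are this example's assumption. */
    public static final class Entry {
        public final String alias;
        public final String keyAlgorithm;     // e.g. "RSA" or "EC"
        public final String sigAlgorithm;     // e.g. "SHA384withECDSA"
        public final boolean privateKeyUsable; // true only if a test signature verified
        public final String note;

        Entry(String alias, String keyAlgorithm, String sigAlgorithm,
              boolean privateKeyUsable, String note) {
            this.alias = alias;
            this.keyAlgorithm = keyAlgorithm;
            this.sigAlgorithm = sigAlgorithm;
            this.privateKeyUsable = privateKeyUsable;
            this.note = note;
        }
    }

    /** Constructed probe message; any bytes would do. */
    private static final byte[] PROBE = "mscapi-probe".getBytes(StandardCharsets.US_ASCII);

    public static List<Entry> probe(String storeName) throws Exception {
        // "Windows-MY" = current user's Personal store; "Windows-ROOT" = trusted roots.
        KeyStore ks = KeyStore.getInstance(storeName, "SunMSCAPI");
        ks.load(null, null); // MSCAPI stores take no stream and no password

        List<Entry> report = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) {
                continue;
            }
            X509Certificate x = (X509Certificate) c;
            String keyAlg = x.getPublicKey().getAlgorithm();
            String sigAlg = x.getSigAlgName();
            boolean usable = false;
            String note;

            if (!ks.isKeyEntry(alias)) {
                // Certificate only: the provider found no private key it can drive.
                note = "no private key exposed by SunMSCAPI";
            } else if (!"RSA".equals(keyAlg)) {
                // Key handle exists but JDK 8 SunMSCAPI has no non-RSA signature engines.
                note = "private key entry, but key is " + keyAlg + "; SunMSCAPI (JDK 8) cannot sign with it";
            } else {
                try {
                    // Password is ignored by SunMSCAPI; the OS prompts if the key is protected.
                    PrivateKey pk = (PrivateKey) ks.getKey(alias, null);
                    Signature signer = Signature.getInstance("SHA256withRSA", "SunMSCAPI");
                    signer.initSign(pk);
                    signer.update(PROBE);
                    byte[] sig = signer.sign();

                    // Verify with the certificate's public key using the default provider,
                    // which proves the native key really matches the certificate.
                    Signature verifier = Signature.getInstance("SHA256withRSA");
                    verifier.initVerify(x.getPublicKey());
                    verifier.update(PROBE);
                    usable = verifier.verify(sig);
                    note = usable ? "RSA private key works (test signature verified)"
                                  : "test signature did not verify against the certificate";
                } catch (Exception e) {
                    note = "signing failed: " + e;
                }
            }
            report.add(new Entry(alias, keyAlg, sigAlg, usable, note));
        }
        return report;
    }

    public static void main(String[] args) throws Exception {
        for (Entry e : probe("Windows-MY")) {
            System.out.printf("%-32s key=%-4s sig=%-20s usable=%-5b %s%n",
                    e.alias, e.keyAlgorithm, e.sigAlgorithm, e.privateKeyUsable, e.note);
        }
    }
}
```

Run it with the JDK you intend to deploy on (the question's jdk1.8.0_45, for instance): an ECDSA-384 certificate issued from a CNG template will show up in the listing with `key=EC` but will never be reported as usable, whereas RSA entries whose key the provider can reach will sign and verify. The test signature is the check worth keeping in any deployment script, since `isKeyEntry` alone only tells you that a key handle was found, not that the provider can use it.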