
Is there a way to access the Windows local machine personal key storage with Java using SunMSCAPI?

Usually, you can use either WINDOWS-ROOT (which is roughly the equivalent of the trusted storage in Java) or WINDOWS-MY (which contains the personal certificates and is roughly equivalent to the key storage in Java) to retrieve certificates from the Windows certificate storage.

This works fine for users, but even when impersonating the SYSTEM user, I was not able to retrieve the local machine's personal certificates.

There exist some questions regarding this that use JNA (which I would like to avoid, especially since it seems to be complicated to retrieve the private key from there).
Also, someone used psexec to impersonate the SYSTEM user (using psexec -s). I also tried this, but have not been successful.
In the end, there is also an open bug in the Java Bug System.

If anyone has an idea on how to retrieve certificates from the local machine personal storage in Windows using Java, I would be grateful.

P. Ekin
  • See my answer here: https://stackoverflow.com/questions/3612962/access-local-machine-certificate-store-in-java/51708360#51708360 – oddbjorn Aug 06 '18 at 13:08

1 Answer


Update

After fourteen years in the bug tracker, JDK-6782021 was finally fixed in Java 19 (Spring 2022). This means this is no longer an issue.


Original answer

Yes and no. You can use the wcsa utility, which will intercept JVM calls to the Windows Crypto API and let you access the local machine credentials. This is of course a hack around the real problem, JDK-6782021, which was reported ten years ago. But it does let you access the local machine certificates in a pretty painless way!

So yes, it is possible to access them, but no, it's not possible to access them using the plain Java API. You can access them using normal Java using the commercial product JCAPI, though, but for most uses the wcsa util is fine.

The Open JDK maintainers are willing to take a patch, though, so maybe you can have a stab at fixing it using the code provided in the wcsa repo :)

oligofren
  • Thanks for your answer, I ended up using C# for this task, because in my case, intercepting JVM calls is just too hacky in production... – P. Ekin Nov 09 '18 at 08:02
  • Seems like [JDK-6782021 It is not possible to read local computer certificates with the SunMSCAPI provider](https://bugs.openjdk.org/browse/JDK-6782021) has been resolved and will be available in Java 19. `Windows-MY-LOCALMACHINE` & `Windows-ROOT-LOCALMACHINE` – Lars Jun 10 '22 at 10:41
  • Thanks for the links ;-) Saved me a lot of time. Bug in jdk is fixed with 11.0.18 (20 for oracle) and 17.0.5 (7 for oracle) – Jens Popp Jun 19 '23 at 10:18
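As an added illustration of the fixed behaviour described in the answer's update and in Lars's comment (this is example code, not from the question, the answer or the OpenJDK project), the following audit program opens the `Windows-MY-LOCALMACHINE` store through SunMSCAPI, lists each certificate with its expiry status and reports whether the matching CAPI private key is actually usable from the current process. It assumes a Windows host with a JDK 19 or later (or a backport that ships the fix) and enough privilege to read the local machine store; on an older JDK the store name is unknown and the program says so instead of failing.

```java
import java.security.Key;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.UnrecoverableKeyException;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Date;

/** Audits the Windows LOCAL MACHINE personal store via SunMSCAPI (store names from JDK-6782021). */
public class LocalMachineStoreAudit {

    /** Opens a SunMSCAPI store by name; returns null when this JDK does not know that store name. */
    static KeyStore openStore(String name) throws Exception {
        try {
            KeyStore ks = KeyStore.getInstance(name, "SunMSCAPI");
            ks.load(null, null);      // CAPI-backed stores take neither a stream nor a password
            return ks;
        } catch (KeyStoreException e) {
            return null;              // e.g. "Windows-MY-LOCALMACHINE" on a JDK older than 19
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumption: running on Windows; the *-LOCALMACHINE names exist only with the fix applied.
        KeyStore ks = openStore("Windows-MY-LOCALMACHINE");
        if (ks == null) {
            System.out.println("Windows-MY-LOCALMACHINE is not supported by this JDK (see JDK-6782021)");
            return;
        }
        Date now = new Date();
        for (String alias : Collections.list(ks.aliases())) {
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            String validity = cert.getNotAfter().before(now) ? "EXPIRED" : "valid";
            String keyAccess;
            try {
                // SunMSCAPI ignores the password; a non-null key means the CAPI key handle is usable,
                // which is what a service running under this account would need for TLS or signing.
                Key key = ks.getKey(alias, null);
                keyAccess = key != null ? "private key usable" : "certificate only";
            } catch (UnrecoverableKeyException e) {
                keyAccess = "private key present but not accessible: " + e.getMessage();
            }
            System.out.printf("%-28s %s | %s until %tF | %s%n",
                    alias, cert.getSubjectX500Principal(), validity, cert.getNotAfter(), keyAccess);
        }
    }
}
```

Run it once as a normal user and once under the service account that will actually use the certificate; the difference in the "private key" column shows which entries are readable only with elevated rights.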