Is it possible to access certificates stored in the Local Machine store (rather than Current User) from a Java Servlet? I've tried using the MSCAPI provider, opening the "Windows-MY" and "Windows-ROOT" stores, but neither contains certificates from the Local Machine store.

A: 

The certificates you are looking for are in the Java keystore file, or are passed into Tomcat when starting the server:

http://tomcat.apache.org/tomcat-4.0-doc/ssl-howto.html

If you are trying to load them in your application to make HTTPS requests, then the HttpClient documentation will get you started:

http://www.jdocs.com/httpclient/3.0.1/api-index.html?m=class&p=org.apache.commons.httpclient.contrib.ssl&c=AuthSSLProtocolSocketFactory&render=classic

Not sure if this helps you out, but if you can provide more details, then you might be able to get a more specific answer.

```java
import java.io.File;
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;

public class KeyStoreLookup {
    // Usage: java KeyStoreLookup <alias> <key-password>
    public static void main(String args[]) {
        try {
            // Default keystore type of this JDK (JKS or PKCS12), read from ~/.keystore
            KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
            String fname = System.getProperty("user.home") +
                           File.separator + ".keystore";
            try (FileInputStream fis = new FileInputStream(fname)) {
                ks.load(fis, null);   // null store password: integrity check is skipped
            }
            if (ks.isKeyEntry(args[0])) {
                System.out.println(args[0] +
                                " is a key entry in the keystore");
                // Key entries are protected by their own password (args[1])
                char c[] = new char[args[1].length()];
                args[1].getChars(0, c.length, c, 0);
                System.out.println("The private key for " + args[0] +
                            " is " + ks.getKey(args[0], c));
                // certs[0] is the end-entity certificate, the last one its root
                Certificate certs[] = ks.getCertificateChain(args[0]);
                if (certs[0] instanceof X509Certificate) {
                    X509Certificate x509 = (X509Certificate) certs[0];
                    System.out.println(args[0] + " is really " +
                        x509.getSubjectDN());
                }
                if (certs[certs.length - 1] instanceof X509Certificate) {
                    X509Certificate x509 = (X509Certificate)
                                        certs[certs.length - 1];
                    System.out.println(args[0] + " was verified by " +
                        x509.getIssuerDN());
                }
            }
            else if (ks.isCertificateEntry(args[0])) {
                // Trusted-certificate entries carry no private key
                System.out.println(args[0] +
                            " is a certificate entry in the keystore");
                Certificate c = ks.getCertificate(args[0]);
                if (c instanceof X509Certificate) {
                    X509Certificate x509 = (X509Certificate) c;
                    System.out.println(args[0] + " is really " +
                        x509.getSubjectDN());
                    System.out.println(args[0] + " was verified by " +
                        x509.getIssuerDN());
                }
            }
            else {
                System.out.println(args[0] +
                        " is unknown to this keystore");
            }
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}
```
Aaron Saunders
I'm not looking to do SSL. I would like to access machine certificates and pull out their key pair to encrypt/decrypt certain settings in configuration files. I have done this with certificates in the Current User's Personal Certificate store, but I would like to pull (SSL) certificates out of the Local Machine store for the crypto instead.
Petey B
This code is not at all what the OP is asking for.
Justin
+1  A: 

The default JDK implementation is fairly limited. AFAIK it will only bring back RSA keys and certificates. It is not a general purpose adapter to MSCAPI. I have been able to get some certs back using the mechanism you describe.

Justin
All I want is the RSA key pair. You are right, I can get the key pair from the Current User's Personal (Windows-MY) store, but instead I would like to get them from the Local Machine's Personal certificate store. I haven't found a way to specify which certificate store (Current User/Local Machine) to read from. It seems to only want to read from Current User.
Petey B
I see what you want to do, but: why should it let you read from the stores of other users? Does the local machine have key pairs in its store? If so, your Java process would need the permission to act as part of the OS.
Justin
Yes, the local machine has a key pair in its store; any idea how I could give my Java process permission to act as part of the OS?
Petey B
This is one of the difficult things about java, since java.exe is the binary you have to give it the permission (not the class file) if I remember correctly your process must actively claim the permission through native code. I should also mention that I am guessing about the OS permission you will need. Can you first put a trusted cert (not a key pair) into the Windows-ROOT and retrieve it?
Justin
Yes, I can retrieve certificates from the Local Machine Windows-ROOT store fine; the Local Machine Windows-MY store, however, appears empty to Java.
Petey B
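As an added example, not code from anyone in this thread: the helper below assumes a Windows JDK with the SunMSCAPI provider. The `Windows-MY-LOCALMACHINE` store type is what the question is after; it was added to SunMSCAPI in JDK 19 (treat that version as an assumption to verify), so on an older JDK the helper falls back to `Windows-MY`, which is always the Current User store. It also shows the caveat behind "pulling out the key pair": a CAPI private key is non-exportable, so the encrypt/decrypt has to run through the SunMSCAPI `Cipher` with the key staying in the store.

```java
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.crypto.Cipher;

public class MachineStoreCrypto {
    // Tried in order. "Windows-MY-LOCALMACHINE" is the Local Machine personal
    // store and exists in SunMSCAPI only from JDK 19 on (assumption: verify
    // against your JDK); plain "Windows-MY" is always the Current User store.
    private static final String[] PERSONAL_STORES =
            { "Windows-MY-LOCALMACHINE", "Windows-MY" };

    /** Opens the first personal store type this JDK supports. */
    public static KeyStore openPersonalStore() throws Exception {
        for (String type : PERSONAL_STORES) {
            try {
                KeyStore ks = KeyStore.getInstance(type, "SunMSCAPI");
                ks.load(null, null);   // CAPI stores take no stream and no password
                return ks;
            } catch (KeyStoreException e) {
                System.out.println(type + " not available on this JDK");
            }
        }
        throw new KeyStoreException("no SunMSCAPI personal store could be opened");
    }
    /** Aliases whose private key this process may use; a certificate whose key
     *  is ACL-protected or absent is reported as a certificate entry only. */
    public static List<String> keyPairAliases(KeyStore ks) throws Exception {
        List<String> out = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases()))
            if (ks.isKeyEntry(alias)) out.add(alias);
        return out;
    }
    /** Encrypts a config secret with the cert's public key and decrypts it via
     *  the CAPI key, which never leaves the store (getEncoded() returns null). */
    public static String roundTrip(KeyStore ks, String alias, String secret) throws Exception {
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
        PrivateKey priv = (PrivateKey) ks.getKey(alias, null);   // password is ignored by SunMSCAPI
        Cipher enc = Cipher.getInstance("RSA/ECB/PKCS1Padding");
        enc.init(Cipher.ENCRYPT_MODE, cert.getPublicKey());
        byte[] ct = enc.doFinal(secret.getBytes("UTF-8"));
        Cipher dec = Cipher.getInstance("RSA/ECB/PKCS1Padding", "SunMSCAPI");
        dec.init(Cipher.DECRYPT_MODE, priv);   // fails for signature-only (AT_SIGNATURE) keys
        return new String(dec.doFinal(ct), "UTF-8");
    }
}
```

If `keyPairAliases` comes back empty while the certificate is visible, the process can read the Local Machine certificate but has no ACL access to its private key, which is the "store appears empty" symptom discussed above.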