Max, would it make sense to specify ` -csp "Microsoft Software Key Storage 
Provider"` to make sure it stores the key in a CNG KSP? (I am not sure what the 
default provider is). Also maybe make the key non-exportable to make sure 
key-handles are actually used for the operations?

Regards
Bernd


--
http://bernd.eckenfels.net

________________________________
From: security-dev <security-dev-boun...@openjdk.java.net> on behalf of Weijun 
Wang <weijun.w...@oracle.com>
Sent: Wednesday, May 1, 2019 7:21 PM
To: security-dev@openjdk.java.net
Subject: Re: RFR 8223063: Support CNG RSA keys

It looks like the Mach5 machines are Windows Server 2012 but mine is 2019. I removed 
the "-f" option and everything looks fine now.

--Max

> On May 1, 2019, at 7:18 AM, Weijun Wang <weijun.w...@oracle.com> wrote:
>
> Please take a look at
>
> https://cr.openjdk.java.net/~weijun/8223063/webrev.00/
>
> Unfortunately, although the new test I added succeeds on my own machine, the 
> "certutil -importPFX" command inside always fails on Mach5 with
>
> Command line: [certutil -f -v -p changeit -user -importpfx MY ks NoRoot]
> A -- A-7626e24d-46df-4ba0-8880-9866bb1-01966
> A -- A-7626e24d-46df-4ba0-8880-9866bb178ab6
> CertUtil: -importPFX command FAILED: 0x80090029 (-2146893783 
> NTE_NOT_SUPPORTED)
> CertUtil: The requested operation is not supported.
>
> Maybe there is a permission issue.
>
> I'll study it more, but if any one of you can fix it I'll be very happy.
>
> Thanks,
> Max
>
