On Thu, 16 Nov 2023 12:06:26 GMT, rebarbora-mckvak <d...@openjdk.org> wrote:
> This fixes the defect described at https://bugs.openjdk.org/browse/JDK-8313367 > > If the process does not have write permissions, the store is opened as > read-only (instead of failing). > > Please note that permissions to use a certificate in a local machine store > must be granted - in a management console, select a certificate, right-click > -> All tasks... -> Manage Private Keys... -> add Full control to user. Apologies I wasn't aware of the JBS issue until I saw this github notification. At a glance the fix seems trivial, but I'll need to test it. We were planning on looking at supporting the ability to open a keystore with READONLY access and I emailed security-dev to this effect in May Considering this change, I'd suggest that when the store is opened with read-only permissions that some warning is output (if this can't be detected then we may have to attempt to open with write-priviledges and the fall back to read-only (CERT_STORE_READONLY_FLAG). @rebarbora-mckvak - what testing was done with an elevated user opening a keystore with (CERT_STORE_MAXIMUM_ALLOWED_FLAG) and then attempting write-operations on the keystore? ------------- PR Comment: https://git.openjdk.org/jdk/pull/16687#issuecomment-1863211291
