Adding Keys to MS Store as "Non Exportable"
Author:
chris.trufan, Visitor
10/11/2011 20:31:14
I'm trying to import a private key and associated certificate chain into a "MY" keystore (the CERT_SYSTEM_LOCAL_MACHINE one, specifically).
While I'm able to successfully import the key/certificate using SetKeyEntry("alias", aPrivateKey, null, myCertChain), there doesn't seem to be a way to import it with the "non exportable" flag.
If I include a password (or empty char[]) rather than null, it will be marked as non-exportable, but also has the user_protection flag, so requires GUI interaction to set the security level. Unfortunately, for my use case I need to do the import without that sort of prompt.
Is there some way to accomplish this that I'm missing, or does JCAPI not currently support importing a key to the Microsoft store marked as non-exportable without 'user protection' being flagged as well?
I've got C++ console apps that can do this from a pfx store (since PFXImportCertStore has the nice and friendly CRYPT_EXPORTABLE flag), but I'd like to use JCAPI to directly import to the MS store, if possible.
Thanks!
Author:
tommy, Visitor
11/11/2011 01:45:08
Hi Chris,
Unfortunately JCAPI will tell MS CAPI to display a dialog for the user to decide the level of protection whenever the password parameter is not null. It's a binary behavior for this method, so in other words, your requirement is not supported here.
However, I do see a point here with your request. Give me a couple of days to think this through. I'll see if I can find a nice "fits all" solution without violating the JCE interface. Of course, if you have any good suggestions yourself, then just let me know and we'll have a creative discussion about it.
Regards,
Tommy
Author:
tommy, Visitor
13/11/2011 16:37:42
Hi Chris,
I've found a nice solution to your problem.
A private key can have two different properties when imported into MS CAPI:
1. Enable strong private key protection. You will be prompted every time the private key is used by an application.
2. Mark the key as exportable. This will allow you to back up or transport your keys at a later time.
I've added these two properties as methods into the existing class JCAPIKeyStoreProperties to be used when you want to override the default behavior of the SetKeyEntry method in JCAPI KeyStore. The methods are:
public boolean isCreateExportablePrivateKeysInMsCapi()
public void setCreateExportablePrivateKeysInMsCapi(boolean flag)
public boolean isCreateProtectedPrivateKeysInMsCapi()
public void setCreateProtectedPrivateKeysInMsCapi(boolean flag)
Here is an example of how to reconfigure the key store to import all private keys as non-exportable and no extra protection (no dialog).
KeyStore ks = KeyStore.getInstance("msks", "JCAPI");
ks.load(null, null);
JCAPIKeyStoreProperties ksprop = new JCAPIKeyStoreProperties(ks);
ksprop.setCreateExportablePrivateKeysInMsCapi(false);
ksprop.setCreateProtectedPrivateKeysInMsCapi(false);
The patched JCAPI jar file has been attached to this post.
Let me know what you think about it.
Regards,
Tommy
Attachment: JCAPI.jar (Patched JCAPI jar file, 349 Kbytes, downloaded 317 times)
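The end-to-end flow Chris described, pulled together as an added example (not code from the thread or from the JCAPI project): read a key and chain out of a PFX file with the standard PKCS12 KeyStore, then import it into the MS CAPI store through JCAPI as non-exportable and without the protection dialog, using the property methods Tommy listed above. The package name of JCAPIKeyStoreProperties and the file paths and passwords are assumptions; the JCAPI provider is assumed to be registered already (for example in java.security).

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.util.Enumeration;
// Assumed package; the class and its methods are those named in the thread.
import com.pheox.jcapi.JCAPIKeyStoreProperties;

public class ImportNonExportable {
    public static void main(String[] args) throws Exception {
        // Placeholders: path to the PFX, its password and the target alias
        String pfxPath = args.length > 0 ? args[0] : "client.pfx";
        char[] pfxPassword = (args.length > 1 ? args[1] : "changeit").toCharArray();
        String alias = args.length > 2 ? args[2] : "alias";

        // Source: standard Java PKCS12 keystore backed by the PFX file
        KeyStore pfx = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(pfxPath)) {
            pfx.load(in, pfxPassword);
        }
        // Take the first entry that actually carries a private key
        String srcAlias = null;
        for (Enumeration<String> e = pfx.aliases(); e.hasMoreElements();) {
            String a = e.nextElement();
            if (pfx.isKeyEntry(a)) { srcAlias = a; break; }
        }
        if (srcAlias == null) throw new IllegalStateException("no private key in " + pfxPath);
        PrivateKey key = (PrivateKey) pfx.getKey(srcAlias, pfxPassword);
        Certificate[] chain = pfx.getCertificateChain(srcAlias);

        // Destination: MS CAPI store via JCAPI, configured before setKeyEntry
        KeyStore ks = KeyStore.getInstance("msks", "JCAPI");
        ks.load(null, null);
        JCAPIKeyStoreProperties ksprop = new JCAPIKeyStoreProperties(ks);
        ksprop.setCreateExportablePrivateKeysInMsCapi(false); // key material cannot be exported later
        ksprop.setCreateProtectedPrivateKeysInMsCapi(false);  // no strong-protection prompt on use

        // Null password keeps the import non-interactive (see Tommy's first reply)
        ks.setKeyEntry(alias, key, null, chain);

        // Sanity check: the entry exists and its certificate matches the imported leaf
        if (!ks.isKeyEntry(alias)) throw new IllegalStateException("import failed for " + alias);
        Certificate imported = ks.getCertificate(alias);
        if (!imported.getPublicKey().equals(chain[0].getPublicKey()))
            throw new IllegalStateException("stored certificate does not match imported key");
        System.out.println("imported " + alias + " as non-exportable, unprotected key");
    }
}
```

Whether the entry lands in the current-user or the local-machine "MY" store is governed by the JCAPI configuration, not by this code.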
Author:
chris.trufan, Visitor
14/11/2011 22:50:01
Tommy,
Sorry I didn't see your first post until today, so didn't get a chance to reply to it (I didn't really have any useful thoughts anyways though - using JCAPIKeystoreProperties definitely seems the most elegant solution, given the limitations of the JCE interface)
Your solution is perfect (and your response time was fantastic, I really appreciate it) - I didn't test all the permutations of exportable/protected, but the use case that we really needed (exportable but not protected) is working great!
Thanks a bunch!
-Chris
Author:
tommy, Visitor
15/11/2011 12:33:00
Hi Chris,
Thank you. You're most welcome.
Glad to hear you like it, and that it solves your problem.
I've already tested the remaining permutations, so they should work fine too.
Just let us know if you find other problems or limitations.
Regards,
Tommy