Home/ Questions/Q 8768677
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-13T17:07:44+00:00

I would like to load a MSCAPI keystore within Java and examine available certificates

  • 0

I would like to load a MSCAPI keystore within Java and examine available certificates in the MY store. However some keys for those certificates reside on hardware tokens and a popup asks for the token during load.

Is there a way to defer loading the private keys when loading the Windows keystore?

keyStore = KeyStore.getInstance("Windows-MY", "SunMSCAPI");
keystore.load(null,null);
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    The popup is being activated from the MS-CAPI Cryptographic Service Provider (CSP) – the DLL supplied by the USB token manufacturer – which finally communicates to the token through a driver (also supplied by the token-manufacturer). KeyStore merely makes a call and the layers in between just pass it through; the firmware on the token is the one that throws up the authentication pop-up and maintains session-state, etc.

    The key Java dll is sunmscapi.dll which has the implementation:

    // Use CertEnumCertificatesInStore to get the certificates
// from the open store. pCertContext must be reset to
// NULL to retrieve the first certificate in the store.
while (pCertContext = ::CertEnumCertificatesInStore(hCertStore, pCertContext))
{
    // Check if private key available - client authentication certificate
    // must have private key available.
    HCRYPTPROV hCryptProv = NULL;
    DWORD dwKeySpec = 0;
    HCRYPTKEY hUserKey = NULL;
    BOOL bCallerFreeProv = FALSE;
    BOOL bHasNoPrivateKey = FALSE;
    DWORD dwPublicKeyLength = 0;

    if (::CryptAcquireCertificatePrivateKey(pCertContext, NULL, NULL,
                                            &hCryptProv, &dwKeySpec, &bCallerFreeProv) == FALSE)
    {
        bHasNoPrivateKey = TRUE;

    } else {
        // Private key is available

    BOOL bGetUserKey = ::CryptGetUserKey(hCryptProv, dwKeySpec, &hUserKey);

    // Skip certificate if cannot find private key
    if (bGetUserKey == FALSE)
    {
        if (bCallerFreeProv)
            ::CryptReleaseContext(hCryptProv, NULL);

        continue;
    }
    ....

    As you can see it always checks for a private key. You would have to modify this code and create a custom version of sunmscapi.dll to avoid this or otherwise defeat this check.

    • 0