8143913: MSCAPI keystore should accept Certificate[] in setEntry()

6483657: MSCAPI provider does not create unique alias names
Reviewed-by: vinnie

src/windows/classes/sun/security/mscapi/KeyStore.java

 /*
- * Copyright (c) 2005, 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2016, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -189,8 +189,10 @@ abstract class KeyStore extends KeyStoreSpi {
 
     /*
      * The keystore entries.
+     * Keys in the map are unique aliases (thus can differ from
+     * KeyEntry.getAlias())
      */
-    private Collection<KeyEntry> entries = new ArrayList<KeyEntry>();
+    private Map<String,KeyEntry> entries = new HashMap<>();
 
     /*
      * The keystore name.
@@ -250,13 +252,10 @@ abstract class KeyStore extends KeyStoreSpi {
         if (engineIsKeyEntry(alias) == false)
             return null;
 
-        for (KeyEntry entry : entries) {
-            if (alias.equals(entry.getAlias())) {
-                return entry.getPrivateKey();
-            }
-        }
-
-        return null;
+        KeyEntry entry = entries.get(alias);
+        return (entry == null)
+                ? null
+                : entry.getPrivateKey();
     }
 
     /**
@@ -276,15 +275,13 @@ abstract class KeyStore extends KeyStoreSpi {
             return null;
         }
 
-        for (KeyEntry entry : entries) {
-            if (alias.equals(entry.getAlias())) {
-                X509Certificate[] certChain = entry.getCertificateChain();
-
-                return certChain.clone();
-            }
-        }
-
-        return null;
+        KeyEntry entry = entries.get(alias);
+        X509Certificate[] certChain = (entry == null)
+                ? null
+                : entry.getCertificateChain();
+        return (certChain == null)
+                ? null
+                : certChain.clone();
     }
 
     /**
@@ -308,15 +305,13 @@ abstract class KeyStore extends KeyStoreSpi {
             return null;
         }
 
-        for (KeyEntry entry : entries) {
-            if (alias.equals(entry.getAlias()))
-            {
-                X509Certificate[] certChain = entry.getCertificateChain();
-                return certChain.length == 0 ? null : certChain[0];
-            }
-        }
-
-        return null;
+        KeyEntry entry = entries.get(alias);
+        X509Certificate[] certChain = (entry == null)
+                ? null
+                : entry.getCertificateChain();
+        return (certChain == null || certChain.length == 0)
+                ? null
+                : certChain[0];
     }
 
     /**
@@ -380,29 +375,32 @@ abstract class KeyStore extends KeyStoreSpi {
 
         if (key instanceof RSAPrivateCrtKey) {
 
-            KeyEntry entry = null;
-            boolean found = false;
+            KeyEntry entry = entries.get(alias);
 
-            for (KeyEntry e : entries) {
-                if (alias.equals(e.getAlias())) {
-                    found = true;
-                    entry = e;
-                    break;
+            X509Certificate[] xchain;
+            if (chain != null) {
+                if (chain instanceof X509Certificate[]) {
+                    xchain = (X509Certificate[]) chain;
+                } else {
+                    xchain = new X509Certificate[chain.length];
+                    System.arraycopy(chain, 0, xchain, 0, chain.length);
                 }
+            } else {
+                xchain = null;
             }
 
-            if (! found) {
+            if (entry == null) {
                 entry =
                     //TODO new KeyEntry(alias, key, (X509Certificate[]) chain);
-                    new KeyEntry(alias, null, (X509Certificate[]) chain);
-                entries.add(entry);
+                    new KeyEntry(alias, null, xchain);
+                storeWithUniqueAlias(alias, entry);
             }
 
             entry.setAlias(alias);
 
             try {
                 entry.setPrivateKey((RSAPrivateCrtKey) key);
-                entry.setCertificateChain((X509Certificate[]) chain);
+                entry.setCertificateChain(xchain);
 
             } catch (CertificateException ce) {
                 throw new KeyStoreException(ce);
@@ -474,23 +472,14 @@ abstract class KeyStore extends KeyStoreSpi {
             // TODO - build CryptoAPI chain?
             X509Certificate[] chain =
                 new X509Certificate[]{ (X509Certificate) cert };
-            KeyEntry entry = null;
-            boolean found = false;
-
-            for (KeyEntry e : entries) {
-                if (alias.equals(e.getAlias())) {
-                    found = true;
-                    entry = e;
-                    break;
-                }
-            }
+            KeyEntry entry = entries.get(alias);
 
-            if (! found) {
+            if (entry == null) {
                 entry =
                     new KeyEntry(alias, null, chain);
-                entries.add(entry);
-
+                storeWithUniqueAlias(alias, entry);
             }
+
             if (entry.getPrivateKey() == null) { // trusted-cert entry
                 entry.setAlias(alias);
 
@@ -522,32 +511,26 @@ abstract class KeyStore extends KeyStoreSpi {
             throw new KeyStoreException("alias must not be null");
         }
 
-        for (KeyEntry entry : entries) {
-            if (alias.equals(entry.getAlias())) {
-
-                // Get end-entity certificate and remove from system cert store
-                X509Certificate[] certChain = entry.getCertificateChain();
-                if (certChain != null) {
+        KeyEntry entry = entries.remove(alias);
+        if (entry != null) {
+            // Get end-entity certificate and remove from system cert store
+            X509Certificate[] certChain = entry.getCertificateChain();
+            if (certChain != null) {
 
-                    try {
+                try {
 
-                        byte[] encoding = certChain[0].getEncoded();
-                        removeCertificate(getName(), alias, encoding,
+                    byte[] encoding = certChain[0].getEncoded();
+                    removeCertificate(getName(), entry.getAlias(), encoding,
                             encoding.length);
 
-                    } catch (CertificateException e) {
-                        throw new KeyStoreException("Cannot remove entry: " +
-                            e);
-                    }
-                }
-                Key privateKey = entry.getPrivateKey();
-                if (privateKey != null) {
-                    destroyKeyContainer(
-                        Key.getContainerName(privateKey.getHCryptProvider()));
+                } catch (CertificateException e) {
+                    throw new KeyStoreException("Cannot remove entry: ", e);
                 }
-
-                entries.remove(entry);
-                break;
+            }
+            Key privateKey = entry.getPrivateKey();
+            if (privateKey != null) {
+                destroyKeyContainer(
+                    Key.getContainerName(privateKey.getHCryptProvider()));
             }
         }
     }
@@ -558,8 +541,7 @@ abstract class KeyStore extends KeyStoreSpi {
      * @return enumeration of the alias names
      */
     public Enumeration<String> engineAliases() {
-
-        final Iterator<KeyEntry> iter = entries.iterator();
+        final Iterator<String> iter = entries.keySet().iterator();
 
         return new Enumeration<String>()
         {
@@ -570,8 +552,7 @@ abstract class KeyStore extends KeyStoreSpi {
 
             public String nextElement()
             {
-                KeyEntry entry = iter.next();
-                return entry.getAlias();
+                return iter.next();
             }
         };
     }
@@ -584,15 +565,7 @@ abstract class KeyStore extends KeyStoreSpi {
      * @return true if the alias exists, false otherwise
      */
     public boolean engineContainsAlias(String alias) {
-        for (Enumeration<String> enumerator = engineAliases();
-            enumerator.hasMoreElements();)
-        {
-            String a = enumerator.nextElement();
-
-            if (a.equals(alias))
-                return true;
-        }
-        return false;
+        return entries.containsKey(alias);
     }
 
     /**
@@ -617,13 +590,8 @@ abstract class KeyStore extends KeyStoreSpi {
             return false;
         }
 
-        for (KeyEntry entry : entries) {
-            if (alias.equals(entry.getAlias())) {
-                return entry.getPrivateKey() != null;
-            }
-        }
-
-        return false;
+        KeyEntry entry = entries.get(alias);
+        return entry != null && entry.getPrivateKey() != null;
     }
 
     /**
@@ -633,15 +601,14 @@ abstract class KeyStore extends KeyStoreSpi {
      * @return true if the entry identified by the given alias is a
      * <i>trusted certificate entry</i>, false otherwise.
      */
-    public boolean engineIsCertificateEntry(String alias)
-    {
-        for (KeyEntry entry : entries) {
-            if (alias.equals(entry.getAlias())) {
-                return entry.getPrivateKey() == null;
-            }
+    public boolean engineIsCertificateEntry(String alias) {
+
+        if (alias == null) {
+            return false;
         }
 
-        return false;
+        KeyEntry entry = entries.get(alias);
+        return entry != null && entry.getPrivateKey() == null;
     }
 
     /**
@@ -660,9 +627,10 @@ abstract class KeyStore extends KeyStoreSpi {
      * @return the (alias) name of the first entry with matching certificate,
      * or null if no such entry exists in this keystore.
      */
-    public String engineGetCertificateAlias(Certificate cert)
-    {
-        for (KeyEntry entry : entries) {
+    public String engineGetCertificateAlias(Certificate cert) {
+
+        for (Map.Entry<String,KeyEntry> mapEntry : entries.entrySet()) {
+            KeyEntry entry = mapEntry.getValue();
             if (entry.certChain != null && entry.certChain[0].equals(cert)) {
                 return entry.getAlias();
             }
@@ -755,20 +723,39 @@ abstract class KeyStore extends KeyStoreSpi {
         try {
 
             // Load keys and/or certificate chains
-            loadKeysOrCertificateChains(getName(), entries);
+            loadKeysOrCertificateChains(getName());
 
         } catch (KeyStoreException e) {
             throw new IOException(e);
         }
     }
 
+    /**
+     * Stores the given entry into the map, making sure
+     * the alias, used as the key is unique.
+     * If the same alias already exists, it tries to append
+     * a suffix  (1), (2), etc to it until it finds a unique
+     * value.
+     */
+    private void storeWithUniqueAlias(String alias, KeyEntry entry) {
+        String uniqAlias = alias;
+        int uniqNum = 1;
+
+        while (true) {
+            if (entries.putIfAbsent(uniqAlias, entry) == null) {
+                break;
+            }
+            uniqAlias = alias + " (" + (uniqNum++) + ")";
+        }
+    }
+
+
     /**
      * Generates a certificate chain from the collection of
      * certificates and stores the result into a key entry.
      */
     private void generateCertificateChain(String alias,
-        Collection<? extends Certificate> certCollection,
-        Collection<KeyEntry> entries)
+        Collection<? extends Certificate> certCollection)
     {
         try
         {
@@ -782,10 +769,8 @@ abstract class KeyStore extends KeyStoreSpi {
                 certChain[i] = (X509Certificate) iter.next();
             }
 
-            KeyEntry entry = new KeyEntry(alias, null, certChain);
-
-            // Add cert chain
-            entries.add(entry);
+            storeWithUniqueAlias(alias,
+                    new KeyEntry(alias, null, certChain));
         }
         catch (Throwable e)
         {
@@ -800,8 +785,7 @@ abstract class KeyStore extends KeyStoreSpi {
      */
     private void generateRSAKeyAndCertificateChain(String alias,
         long hCryptProv, long hCryptKey, int keyLength,
-        Collection<? extends Certificate> certCollection,
-        Collection<KeyEntry> entries)
+        Collection<? extends Certificate> certCollection)
     {
         try
         {
@@ -815,11 +799,9 @@ abstract class KeyStore extends KeyStoreSpi {
                 certChain[i] = (X509Certificate) iter.next();
             }
 
-            KeyEntry entry = new KeyEntry(alias, new RSAPrivateKey(hCryptProv,
-                hCryptKey, keyLength), certChain);
-
-            // Add cert chain
-            entries.add(entry);
+            storeWithUniqueAlias(alias, new KeyEntry(alias,
+                    new RSAPrivateKey(hCryptProv, hCryptKey, keyLength),
+                    certChain));
         }
         catch (Throwable e)
         {
@@ -876,8 +858,8 @@ abstract class KeyStore extends KeyStoreSpi {
      * @param name Name of keystore.
      * @param entries Collection of key/certificate.
      */
-    private native void loadKeysOrCertificateChains(String name,
-        Collection<KeyEntry> entries) throws KeyStoreException;
+    private native void loadKeysOrCertificateChains(String name)
+            throws KeyStoreException;
 
     /**
      * Stores a DER-encoded certificate into the certificate store

src/windows/native/sun/security/mscapi/security.cpp

 /*
- * Copyright (c) 2005, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2016, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -266,7 +266,7 @@ JNIEXPORT jbyteArray JNICALL Java_sun_security_mscapi_PRNG_generateSeed
  * Signature: (Ljava/lang/String;Ljava/util/Collection;)V
  */
 JNIEXPORT void JNICALL Java_sun_security_mscapi_KeyStore_loadKeysOrCertificateChains
-  (JNIEnv *env, jobject obj, jstring jCertStoreName, jobject jCollections)
+  (JNIEnv *env, jobject obj, jstring jCertStoreName)
 {
     /**
      * Certificate in cert store has enhanced key usage extension
@@ -325,7 +325,7 @@ JNIEXPORT void JNICALL Java_sun_security_mscapi_KeyStore_loadKeysOrCertificateCh
         // Determine method ID to generate certificate chain
         jmethodID mGenCertChain = env->GetMethodID(clazzOfThis,
                                                    "generateCertificateChain",
-                                                   "(Ljava/lang/String;Ljava/util/Collection;Ljava/util/Collection;)V");
+                                                   "(Ljava/lang/String;Ljava/util/Collection;)V");
         if (mGenCertChain == NULL) {
             __leave;
         }
@@ -333,7 +333,7 @@ JNIEXPORT void JNICALL Java_sun_security_mscapi_KeyStore_loadKeysOrCertificateCh
         // Determine method ID to generate RSA certificate chain
         jmethodID mGenRSAKeyAndCertChain = env->GetMethodID(clazzOfThis,
                                                    "generateRSAKeyAndCertificateChain",
-                                                   "(Ljava/lang/String;JJILjava/util/Collection;Ljava/util/Collection;)V");
+                                                   "(Ljava/lang/String;JJILjava/util/Collection;)V");
         if (mGenRSAKeyAndCertChain == NULL) {
             __leave;
         }
@@ -360,38 +360,37 @@ JNIEXPORT void JNICALL Java_sun_security_mscapi_KeyStore_loadKeysOrCertificateCh
             } else {
                 // Private key is available
 
-            BOOL bGetUserKey = ::CryptGetUserKey(hCryptProv, dwKeySpec, &hUserKey);
+                BOOL bGetUserKey = ::CryptGetUserKey(hCryptProv, dwKeySpec, &hUserKey);
 
-            // Skip certificate if cannot find private key
-            if (bGetUserKey == FALSE)
-            {
-                if (bCallerFreeProv)
-                    ::CryptReleaseContext(hCryptProv, NULL);
+                // Skip certificate if cannot find private key
+                if (bGetUserKey == FALSE)
+                {
+                    if (bCallerFreeProv)
+                        ::CryptReleaseContext(hCryptProv, NULL);
 
-                continue;
-            }
+                    continue;
+                }
 
-            // Set cipher mode to ECB
-            DWORD dwCipherMode = CRYPT_MODE_ECB;
-            ::CryptSetKeyParam(hUserKey, KP_MODE, (BYTE*)&dwCipherMode, NULL);
+                // Set cipher mode to ECB
+                DWORD dwCipherMode = CRYPT_MODE_ECB;
+                ::CryptSetKeyParam(hUserKey, KP_MODE, (BYTE*)&dwCipherMode, NULL);
 
 
-            // If the private key is present in smart card, we may not be able to
-            // determine the key length by using the private key handle. However,
-            // since public/private key pairs must have the same length, we could
-            // determine the key length of the private key by using the public key
-            // in the certificate.
-            dwPublicKeyLength = ::CertGetPublicKeyLength(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
-                                                               &(pCertContext->pCertInfo->SubjectPublicKeyInfo));
+                // If the private key is present in smart card, we may not be able to
+                // determine the key length by using the private key handle. However,
+                // since public/private key pairs must have the same length, we could
+                // determine the key length of the private key by using the public key
+                // in the certificate.
+                dwPublicKeyLength = ::CertGetPublicKeyLength(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
+                        &(pCertContext->pCertInfo->SubjectPublicKeyInfo));
 
-}
+            }
             PCCERT_CHAIN_CONTEXT pCertChainContext = NULL;
 
             // Build certificate chain by using system certificate store.
             // Add cert chain into collection for any key usage.
             //
-            if (GetCertificateChain(OID_EKU_ANY, pCertContext,
-                &pCertChainContext))
+            if (GetCertificateChain(OID_EKU_ANY, pCertContext, &pCertChainContext))
             {
 
                 for (unsigned int i=0; i < pCertChainContext->cChain; i++)
@@ -450,26 +449,26 @@ JNIEXPORT void JNICALL Java_sun_security_mscapi_KeyStore_loadKeysOrCertificateCh
                         // collection
                         env->CallVoidMethod(obj, mGenCertChain,
                             env->NewStringUTF(pszNameString),
-                            jArrayList, jCollections);
+                            jArrayList);
                     }
                     else
                     {
-                    // Determine key type: RSA or DSA
-                    DWORD dwData = CALG_RSA_KEYX;
-                    DWORD dwSize = sizeof(DWORD);
-                    ::CryptGetKeyParam(hUserKey, KP_ALGID, (BYTE*)&dwData,
-                        &dwSize, NULL);
-
-                    if ((dwData & ALG_TYPE_RSA) == ALG_TYPE_RSA)
-                    {
-                        // Generate RSA certificate chain and store into cert
-                        // chain collection
-                        env->CallVoidMethod(obj, mGenRSAKeyAndCertChain,
-                            env->NewStringUTF(pszNameString),
-                            (jlong) hCryptProv, (jlong) hUserKey,
-                            dwPublicKeyLength, jArrayList, jCollections);
+                        // Determine key type: RSA or DSA
+                        DWORD dwData = CALG_RSA_KEYX;
+                        DWORD dwSize = sizeof(DWORD);
+                        ::CryptGetKeyParam(hUserKey, KP_ALGID, (BYTE*)&dwData,
+                                &dwSize, NULL);
+
+                        if ((dwData & ALG_TYPE_RSA) == ALG_TYPE_RSA)
+                        {
+                            // Generate RSA certificate chain and store into cert
+                            // chain collection
+                            env->CallVoidMethod(obj, mGenRSAKeyAndCertChain,
+                                    env->NewStringUTF(pszNameString),
+                                    (jlong) hCryptProv, (jlong) hUserKey,
+                                    dwPublicKeyLength, jArrayList);
+                        }
                     }
-}
                 }
 
                 // Free cert chain

test/sun/security/mscapi/CastError.java

+/*
+ * Copyright (c) 2015 Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.security.KeyStore;
+import java.security.PrivateKey;
+import java.security.cert.Certificate;
+
+/**
+ * @test
+ * @bug 8143913
+ * @requires os.family == "windows"
+ * @summary MSCAPI keystore should accept Certificate[] in setEntry()
+ */
+
+public class CastError {
+    public static void main(String[] args) throws Exception {
+        KeyStore ks = KeyStore.getInstance("JKS");
+        FileInputStream fis = new FileInputStream(
+                new File(System.getProperty("test.src"),
+                        "../tools/jarsigner/JarSigning.keystore"));
+        ks.load(fis, "bbbbbb".toCharArray());
+
+        PrivateKey pk = (PrivateKey) ks.getKey("c", "bbbbbb".toCharArray());
+        Certificate cert = ks.getCertificate("c");
+
+        ks = KeyStore.getInstance("Windows-MY");
+        ks.load(null, null);
+
+        ks.setKeyEntry("8143913", pk, null, new Certificate[]{cert});
+        ks.deleteEntry("8143913");
+    }
+}

test/sun/security/mscapi/nonUniqueAliases/NonUniqueAliases.sh

+#!/bin/sh
+
+#
+# Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+#
+# This code is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License version 2 only, as
+# published by the Free Software Foundation.
+#
+# This code is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# version 2 for more details (a copy is included in the LICENSE file that
+# accompanied this code).
+#
+# You should have received a copy of the GNU General Public License version
+# 2 along with this work; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+# or visit www.oracle.com if you need additional information or have any
+# questions.
+#
+
+
+# @test
+# @ignore Uses certutil.exe that isn't guaranteed to be installed
+# @bug 6483657
+# @requires os.family == "windows"
+# @run shell NonUniqueAliases.sh
+# @summary Test "keytool -list" displays correcly same named certificates
+
+# set a few environment variables so that the shell-script can run stand-alone
+# in the source directory
+if [ "${TESTSRC}" = "" ] ; then
+   TESTSRC="."
+fi
+
+if [ "${TESTCLASSES}" = "" ] ; then
+   TESTCLASSES="."
+fi
+
+if [ "${TESTJAVA}" = "" ] ; then
+   echo "TESTJAVA not set.  Test cannot execute."
+   echo "FAILED!!!"
+   exit 1
+fi
+
+OS=`uname -s`
+case "$OS" in
+    Windows* | CYGWIN* )
+
+        # 'uname -m' does not give us enough information -
+        #  should rely on $PROCESSOR_IDENTIFIER (as is done in Defs-windows.gmk),
+        #  but JTREG does not pass this env variable when executing a shell script.
+        #
+        #  execute test program - rely on it to exit if platform unsupported
+
+        echo "removing the alias NonUniqueName if it already exists"
+        certutil -user -delstore MY NonUniqueName
+
+        echo "Importing 1st certificate into MY keystore using certutil tool"
+        certutil -user -addstore MY ${TESTSRC}/nonUniq1.pem
+
+        echo "Importing 2nd certificate into MY keystore using certutil tool"
+        certutil -user -addstore MY ${TESTSRC}/nonUniq2.pem
+
+        echo "Listing certificates with keytool"
+        ${TESTJAVA}/bin/keytool ${TESTTOOLVMOPTS} -list -storetype Windows-My
+
+        echo "Counting expected entries"
+        count0=`${TESTJAVA}/bin/keytool ${TESTTOOLVMOPTS} -list -storetype Windows-My | grep 'NonUniqueName,' | wc -l`
+
+        if [ ! $count0 = 1 ]; then
+            echo "error: unexpected number of entries ($count0) in the Windows-MY store"
+            certutil -user -delstore MY NonUniqueName
+            exit 115
+        fi
+
+        echo "Counting expected entries"
+        count1=`${TESTJAVA}/bin/keytool ${TESTTOOLVMOPTS} -list -storetype Windows-My | grep 'NonUniqueName (1),' | wc -l`
+
+        if [ ! $count1 = 1 ]; then
+            echo "error: unexpected number of entries ($count1) in the Windows-MY store"
+            certutil -user -delstore MY NonUniqueName
+            exit 116
+        fi
+
+        echo "Cleaning up"
+        certutil -user -delstore MY NonUniqueName
+
+        exit 0
+        ;;
+
+    * )
+        echo "This test is not intended for '$OS' - passing test"
+        exit 0
+        ;;
+esac

test/sun/security/mscapi/nonUniqueAliases/nonUniq1.pem

+-----BEGIN CERTIFICATE-----
+MIIB/jCCAWegAwIBAgIJANy5XBGM4BSuMA0GCSqGSIb3DQEBCwUAMBgxFjAUBgNV
+BAMMDU5vblVuaXF1ZU5hbWUwHhcNMTYwNDAxMTcyMjQ0WhcNMTYwNzEwMTcyMjQ0
+WjAYMRYwFAYDVQQDDA1Ob25VbmlxdWVOYW1lMIGfMA0GCSqGSIb3DQEBAQUAA4GN
+ADCBiQKBgQDI0hlED2YFVgTaVLKWvsqB9JN9EJpUWECkB97fJwb1x99dHf0TO2p6
+HPPvkvjBiAMEZYbojCz+WpNhG1Ilu/UgKwPyHh1pL6kRcEhlS2G3i7p9SDLHWlk0
+xfdhSZERgd6ROpDnY7eaj1CTdVCSyEATs4FFyNtN9Q39jyeCU++ksQIDAQABo1Aw
+TjAdBgNVHQ4EFgQUpW/Wtw/OOTdnFTL7afIkNjuCVr8wHwYDVR0jBBgwFoAUpW/W
+tw/OOTdnFTL7afIkNjuCVr8wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOB
+gQAWC+xX1cGNNp3F6dAb5tKKJGgQwsjfrjDP0/AirWc7Im1kTCpVPT61Ayt0bHgH
+n3hGivKmO7ChQAI3QsDMDKWE98tF6afPltBOoWh2a9tPd65JSD1HfkG+Wc1IZ5gL
+8rKp1tdKTEG2A+qXRN/e6DdtMsgDrK1iPfX+rer53TC+Yg==
+-----END CERTIFICATE-----

test/sun/security/mscapi/nonUniqueAliases/nonUniq2.pem

+-----BEGIN CERTIFICATE-----
+MIIB/jCCAWegAwIBAgIJAPyQune5t/SZMA0GCSqGSIb3DQEBCwUAMBgxFjAUBgNV
+BAMMDU5vblVuaXF1ZU5hbWUwHhcNMTYwNDAxMTcyMzI0WhcNMTYwNzEwMTcyMzI0
+WjAYMRYwFAYDVQQDDA1Ob25VbmlxdWVOYW1lMIGfMA0GCSqGSIb3DQEBAQUAA4GN
+ADCBiQKBgQDeSu/pPzL9hA1kjA2Rs13LpN2lNrisbYg/Vj/swGDMJnVCzS3IFQQy
+71515mru+ngrHnfPSo4FKUhZPJzET2D7CruR65SzhQ96SHGoR8rhmL41KRBKELuR
+3MoarLFziFzeIil4NZg55xp6TE/WCXRfi7HNdIgoKQGLoIhehVGN8QIDAQABo1Aw
+TjAdBgNVHQ4EFgQUxFw79pLSf5Ul3zLqi/Mc6pSxEtswHwYDVR0jBBgwFoAUxFw7
+9pLSf5Ul3zLqi/Mc6pSxEtswDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOB
+gQDPilBcFpFrjwqb+lJxDxXK992KjNUS8yFLo1DQ/LBTaoHvy/U5zxzRq+nvSaaf
+h+RIKqTwIbuBhSjrXVdJ/gzob/UlPC7IDo7FVbZwOHqTkqEum8jQEpX67hEevw9s
++reyqGhLsCtQK6uBTd2Nt9uOVCHrWNzWgQewkVYAUM5QpA==
+-----END CERTIFICATE-----