8316964: Security tools should not call System.exit

Reviewed-by: valeriep

Author: wangweij

src/java.base/share/classes/sun/security/tools/keytool/Main.java

@@ -405,26 +405,38 @@ public String toString() {
         collator.setStrength(Collator.PRIMARY);
     }
 
-    private Main() { }
-
     public static void main(String[] args) throws Exception {
         Main kt = new Main();
-        kt.run(args, System.out);
+        int exitCode = kt.run(args, System.out);
+        if (exitCode != 0) {
+            System.exit(exitCode);
+        }
+    }
+
+    private static class ExitException extends RuntimeException {
+        @java.io.Serial
+        static final long serialVersionUID = 0L;
+        private final int errorCode;
+        public ExitException(int errorCode) {
+            this.errorCode = errorCode;
+        }
     }
 
-    private void run(String[] args, PrintStream out) throws Exception {
+    public int run(String[] args, PrintStream out) throws Exception {
         try {
-            args = parseArgs(args);
+            parseArgs(args);
             if (command != null) {
                 doCommands(out);
             }
+        } catch (ExitException ee) {
+            return ee.errorCode;
         } catch (Exception e) {
             System.out.println(rb.getString("keytool.error.") + e);
             if (verbose) {
                 e.printStackTrace(System.out);
             }
             if (!debug) {
-                System.exit(1);
+                return 1;
             } else {
                 throw e;
             }
@@ -441,6 +453,7 @@ private void run(String[] args, PrintStream out) throws Exception {
                 ksStream.close();
             }
         }
+        return 0;
     }
 
     /**
@@ -5247,7 +5260,7 @@ private void tinyHelp() {
         if (debug) {
             throw new RuntimeException("NO BIG ERROR, SORRY");
         } else {
-            System.exit(1);
+            throw new ExitException(1);
         }
     }
 

src/java.security.jgss/windows/classes/sun/security/krb5/internal/tools/Kinit.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2023, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -92,14 +92,44 @@ public class Kinit {
      */
 
     public static void main(String[] args) {
-        try {
-            Kinit self = new Kinit(args);
+        Kinit kinit = new Kinit();
+        int exitCode = kinit.run(args);
+        if (exitCode != 0) {
+            System.exit(exitCode);
         }
-        catch (Exception e) {
-            String msg = null;
-            if (e instanceof KrbException) {
-                msg = ((KrbException)e).krbErrorMessage() + " " +
-                    ((KrbException)e).returnCodeMessage();
+    }
+
+    /**
+     * Run the Kinit command.
+     * @param args array of ticket request options.
+     * Available options are: -f, -p, -c, principal, password.
+     * @return the exit code
+     */
+    public int run(String[] args) {
+        try {
+            if (args == null || args.length == 0) {
+                options = new KinitOptions();
+            } else {
+                options = new KinitOptions(args);
+            }
+            switch (options.action) {
+                case 0:
+                    // Help, already displayed in new KinitOptions().
+                    break;
+                case 1:
+                    acquire();
+                    break;
+                case 2:
+                    renew();
+                    break;
+                default:
+                    throw new KrbException("kinit does not support action "
+                            + options.action);
+            }
+        } catch (Exception e) {
+            String msg;
+            if (e instanceof KrbException ke) {
+                msg = ke.krbErrorMessage() + " " + ke.returnCodeMessage();
             } else  {
                 msg = e.getMessage();
             }
@@ -109,37 +139,9 @@ public static void main(String[] args) {
                 System.out.println("Exception: " + e);
             }
             e.printStackTrace();
-            System.exit(-1);
-        }
-        return;
-    }
-
-    /**
-     * Constructs a new Kinit object.
-     * @param args array of ticket request options.
-     * Available options are: -f, -p, -c, principal, password.
-     * @exception IOException if an I/O error occurs.
-     * @exception RealmException if the Realm could not be instantiated.
-     * @exception KrbException if error occurs during Kerberos operation.
-     */
-    private Kinit(String[] args)
-        throws IOException, RealmException, KrbException {
-        if (args == null || args.length == 0) {
-            options = new KinitOptions();
-        } else {
-            options = new KinitOptions(args);
-        }
-        switch (options.action) {
-            case 1:
-                acquire();
-                break;
-            case 2:
-                renew();
-                break;
-            default:
-                throw new KrbException("kinit does not support action "
-                        + options.action);
+            return -1;
         }
+        return 0;
     }
 
     private void renew()

src/java.security.jgss/windows/classes/sun/security/krb5/internal/tools/KinitOptions.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2023, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -46,7 +46,7 @@
  */
 class KinitOptions {
 
-    // 1. acquire, 2. renew, 3. validate
+    // 0. Help, 1. acquire, 2. renew, 3. validate
     public int action = 1;
 
     // forwardable and proxiable flags have two states:
@@ -143,7 +143,8 @@ public KinitOptions(String[] args)
                        // -help: legacy.
                        args[i].equalsIgnoreCase("-help")) {
                 printHelp();
-                System.exit(0);
+                action = 0;
+                return;
             } else if (p == null) { // Haven't yet processed a "principal"
                 p = args[i];
                 try {