8266220: keytool still prompt for store password on a password-less pkcs12 file if -storetype pkcs12 is specified

Reviewed-by: coffeys, hchao
wangweij committed Apr 30, 2021
1 parent 87de5b7 commit 48bb996ac9098fc33f6d52e2af15448b12a19572
Showing 2 changed files with 39 additions and 14 deletions.
@@ -933,16 +933,27 @@ void doCommands(PrintStream out) throws Exception {
}
}

// Create new keystore
// Probe for keystore type when filename is available
if (ksfile != null && ksStream != null && providerName == null &&
storetype == null && !inplaceImport) {
keyStore = KeyStore.getInstance(ksfile, storePass);
storetype = keyStore.getType();
!inplaceImport) {
// existing keystore
if (storetype == null) {
// Probe for keystore type when filename is available
keyStore = KeyStore.getInstance(ksfile, storePass);
storetype = keyStore.getType();
} else {
keyStore = KeyStore.getInstance(storetype);
// storePass might be null here, will probably prompt later
keyStore.load(ksStream, storePass);
}
if (storetype.equalsIgnoreCase("pkcs12")) {
isPasswordlessKeyStore = PKCS12KeyStore.isPasswordless(ksfile);
try {
isPasswordlessKeyStore = PKCS12KeyStore.isPasswordless(ksfile);
} catch (IOException ioe) {
// This must be a JKS keystore that's opened as a PKCS12
}
}
} else {
// Create new keystore
if (storetype == null) {
storetype = KeyStore.getDefaultType();
}
@@ -985,11 +996,9 @@ void doCommands(PrintStream out) throws Exception {
if (inplaceImport) {
keyStore.load(null, storePass);
} else {
// both ksStream and storePass could be null
keyStore.load(ksStream, storePass);
}
if (ksStream != null) {
ksStream.close();
}
}
}

@@ -1086,9 +1095,10 @@ && isKeyStoreRelated(command)
if (nullStream) {
keyStore.load(null, storePass);
} else if (ksStream != null) {
ksStream = new FileInputStream(ksfile);
keyStore.load(ksStream, storePass);
ksStream.close();
// Reload with user-provided password
try (FileInputStream fis = new FileInputStream(ksfile)) {
keyStore.load(fis, storePass);
}
}
}
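Review bot: The empty `catch (IOException ioe)` around `PKCS12KeyStore.isPasswordless(ksfile)` in the first hunk treats every I/O failure as "a JKS keystore opened as PKCS12", so a truncated or unreadable file takes the same silent path. The outcome looks fail-safe, because `isPasswordlessKeyStore` keeps its previous value (presumably false) and the password is still requested, but the comment should say that instead of asserting a cause it cannot know: `// Not parseable as PKCS12 (e.g. a JKS file opened with -storetype pkcs12); leave isPasswordlessKeyStore unchanged so the store password is still required`. The neighbouring comment `// storePass might be null here, will probably prompt later` could likewise state that a null password makes `KeyStore.load` skip the integrity check, and that the store is reloaded once the user has supplied the password, as the third hunk appears to do. `doCommands` starts and ends outside these hunks.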

@@ -1,5 +1,5 @@
/*
* Copyright (c) 2017, 2019, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2017, 2021, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -23,7 +23,7 @@

/*
* @test
* @bug 8192988
* @bug 8192988 8266220
* @summary keytool should support -storepasswd for pkcs12 keystores
* @library /test/lib
* @build jdk.test.lib.SecurityTools
@@ -134,6 +134,21 @@ public static void main(String[] args) throws Exception {
.shouldHaveExitValue(0);

check("jks", "newpass", "newerpass");

// A password-less keystore
ktFull("-keystore nopass -genkeypair -keyalg EC "
+ "-storepass changeit -alias no -dname CN=no "
+ "-J-Dkeystore.pkcs12.certProtectionAlgorithm=NONE "
+ "-J-Dkeystore.pkcs12.macAlgorithm=NONE")
.shouldHaveExitValue(0);

ktFull("-keystore nopass -list")
.shouldHaveExitValue(0)
.shouldNotContain("Enter keystore password:");

ktFull("-keystore nopass -list -storetype pkcs12")
.shouldHaveExitValue(0)
.shouldNotContain("Enter keystore password:");
}

// Makes sure we can load entries in a keystore
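Review bot: The added cases cover only a genuinely password-less PKCS12 file, so the other new branch in keytool has no regression test: a JKS file opened with `-storetype pkcs12`, where `isPasswordless` throws and the exception is caught. A case that lists the existing JKS keystore with `-storetype pkcs12` and asserts the prompt is still shown, for example `.shouldContain("Enter keystore password:")`, would pin the fail-closed behaviour. How `ktFull` feeds standard input is not visible here, so the exact invocation needs checking against the helper. `main` starts outside this hunk.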

1 comment on commit 48bb996


@openjdk-notifier openjdk-notifier bot commented on 48bb996 Apr 30, 2021
