8266220: keytool still prompt for store password on a password-less pkcs12 file if -storetype pkcs12 is specified
Reviewed-by: coffeys, hchao
diff --git a/src/java.base/share/classes/sun/security/tools/keytool/Main.java b/src/java.base/share/classes/sun/security/tools/keytool/Main.java
index 4badb69..940cbdc 100644
--- a/src/java.base/share/classes/sun/security/tools/keytool/Main.java
+++ b/src/java.base/share/classes/sun/security/tools/keytool/Main.java
@@ -933,16 +933,27 @@
}
}
- // Create new keystore
- // Probe for keystore type when filename is available
if (ksfile != null && ksStream != null && providerName == null &&
- storetype == null && !inplaceImport) {
- keyStore = KeyStore.getInstance(ksfile, storePass);
- storetype = keyStore.getType();
+ !inplaceImport) {
+ // existing keystore
+ if (storetype == null) {
+ // Probe for keystore type when filename is available
+ keyStore = KeyStore.getInstance(ksfile, storePass);
+ storetype = keyStore.getType();
+ } else {
+ keyStore = KeyStore.getInstance(storetype);
+ // storePass might be null here, will probably prompt later
+ keyStore.load(ksStream, storePass);
+ }
if (storetype.equalsIgnoreCase("pkcs12")) {
- isPasswordlessKeyStore = PKCS12KeyStore.isPasswordless(ksfile);
+ try {
+ isPasswordlessKeyStore = PKCS12KeyStore.isPasswordless(ksfile);
+ } catch (IOException ioe) {
+ // This must be a JKS keystore that's opened as a PKCS12
+ }
}
} else {
+ // Create new keystore
if (storetype == null) {
storetype = KeyStore.getDefaultType();
}
@@ -985,11 +996,9 @@
if (inplaceImport) {
keyStore.load(null, storePass);
} else {
+ // both ksStream and storePass could be null
keyStore.load(ksStream, storePass);
}
- if (ksStream != null) {
- ksStream.close();
- }
}
}
@@ -1086,9 +1095,10 @@
if (nullStream) {
keyStore.load(null, storePass);
} else if (ksStream != null) {
- ksStream = new FileInputStream(ksfile);
- keyStore.load(ksStream, storePass);
- ksStream.close();
+ // Reload with user-provided password
+ try (FileInputStream fis = new FileInputStream(ksfile)) {
+ keyStore.load(fis, storePass);
+ }
}
}
diff --git a/test/jdk/sun/security/tools/keytool/PKCS12Passwd.java b/test/jdk/sun/security/tools/keytool/PKCS12Passwd.java
index 26a2bf5..e5a60b5 100644
--- a/test/jdk/sun/security/tools/keytool/PKCS12Passwd.java
+++ b/test/jdk/sun/security/tools/keytool/PKCS12Passwd.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2017, 2019, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2017, 2021, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -23,7 +23,7 @@
/*
* @test
- * @bug 8192988
+ * @bug 8192988 8266220
* @summary keytool should support -storepasswd for pkcs12 keystores
* @library /test/lib
* @build jdk.test.lib.SecurityTools
@@ -134,6 +134,21 @@
.shouldHaveExitValue(0);
check("jks", "newpass", "newerpass");
+
+ // A password-less keystore
+ ktFull("-keystore nopass -genkeypair -keyalg EC "
+ + "-storepass changeit -alias no -dname CN=no "
+ + "-J-Dkeystore.pkcs12.certProtectionAlgorithm=NONE "
+ + "-J-Dkeystore.pkcs12.macAlgorithm=NONE")
+ .shouldHaveExitValue(0);
+
+ ktFull("-keystore nopass -list")
+ .shouldHaveExitValue(0)
+ .shouldNotContain("Enter keystore password:");
+
+ ktFull("-keystore nopass -list -storetype pkcs12")
+ .shouldHaveExitValue(0)
+ .shouldNotContain("Enter keystore password:");
}
// Makes sure we can load entries in a keystore
