JDK-8163354

keytool/jarsigner should print out warning messages or fail when -storepass is not provided to a pkcs12 keystore

    Details

    • Type: Enhancement
    • Status: Open
    • Priority: P4
    • Resolution: Unresolved
    • Affects Version/s: tbd_major
    • Fix Version/s: None
    • Component/s: security-libs
    • Labels:
      None

      Description

      For a JKS keystore, the store password is only for integrity check and reading certificates is allowed without it. For a PKCS12 keystore, this is not true.

      This has led to some confusing output in our security tools when -storepass is not provided and the keystore is pkcs12 (which is the current default storetype). For example:

      1. "keytool -export" says an entry has no certificate.

      $ keytool -export
      Enter keystore password:

      ***************** WARNING WARNING WARNING *****************
      * The integrity of the information stored in your keystore *
      * has NOT been verified! In order to verify its integrity, *
      * you must provide your keystore password. *
      ***************** WARNING WARNING WARNING *****************

      keytool error: java.lang.Exception: Alias <mykey> has no certificate

      2. "jarsigner -verify -verbose -certs" cannot pin a signer to a keystore entry, i.e. no "k" flag.

      $ jarsigner a.jar -verify -verbose -certs -keystore ks.p12
      ....
      sm 2626 Wed Jul 06 11:46:28 CST 2016 A.class
      ....
        s = signature was verified
        m = entry is listed in manifest
        k = at least one certificate was found in keystore

      jar verified.
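
The difference described above, as an added example (not part of the original report and not JDK code): one certificate entry is written to a JKS and to a PKCS12 keystore, and each is reloaded through the `KeyStore` API with and without the store password. The alias `demo`, the demo password, and the use of the first CA from the JDK's default trust store as sample certificate are assumptions of this example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class StorepassDemo {
    // Build an in-memory keystore of the given type with one certificate entry,
    // protected by the store password.
    static byte[] build(String type, Certificate cert, char[] pass) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        ks.load(null, null);                        // start from an empty store
        ks.setCertificateEntry("demo", cert);       // "demo" is a hypothetical alias
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, pass);
        return out.toByteArray();
    }

    // Reload the keystore bytes; pass == null models "-storepass not provided".
    static boolean certVisible(String type, byte[] data, char[] pass) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        ks.load(new ByteArrayInputStream(data), pass);
        return ks.getCertificate("demo") != null;
    }

    public static void main(String[] args) throws Exception {
        // Sample certificate: first accepted issuer of the default trust store
        // (assumes the JDK ships a non-empty cacerts; no network access needed).
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        Certificate cert =
                ((X509TrustManager) tmf.getTrustManagers()[0]).getAcceptedIssuers()[0];
        char[] pass = "changeit".toCharArray();     // constructed demo password

        for (String type : new String[] {"JKS", "PKCS12"}) {
            byte[] data = build(type, cert, pass);
            System.out.printf("%-6s with password: certificate visible = %b%n",
                    type, certVisible(type, data, pass));
            System.out.printf("%-6s no password:   certificate visible = %b%n",
                    type, certVisible(type, data, null));
        }
    }
}
```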

              People

              Assignee: Unassigned
              Reporter: Weijun Wang (weijun)