  1. JDK
  2. JDK-8194702

pkcs12 can be loaded with null password but certificates are missing


    • Type: Bug
    • Status: Open
    • Priority: P3
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: security-libs
    • Labels:


      keytool's default keystore type changed from jks to pkcs12.
      BUT the cacerts file is still in jks format (why?)
      There seems to be an attempt at jks/pkcs12 coexistence and compatibility (JEP 319). So the cacerts file should work well if stored in either format. But it only works in jks format. Conversion to pkcs12 format results in silent failure. But accidental conversion to pkcs12 is likely to be common because it's the new keytool default output format.

      You can convert from jks to pkcs12 format as follows:
      $ cd lib/security
      $ cp -p cacerts cacerts.jks
      $ rm -f cacerts; ~/jdk/jdk11/bin/keytool -importkeystore -srckeystore cacerts.jks -srcstorepass changeit -destkeystore cacerts -deststorepass changeit

      # Now the cacerts are broken!
      # Let's specify jks format explicitly:

      $ rm -f cacerts; ~/jdk/jdk11/bin/keytool -importkeystore -srckeystore cacerts.jks -srcstorepass changeit -destkeystore cacerts -deststorepass changeit -deststoretype jks

      # Now they work again!

      Here's a program that demonstrates the failure and is directly usable as a jtreg test:

      /*
       * Copyright (c) 2018 Google Inc. All rights reserved.
       * This code is free software; you can redistribute it and/or modify it
       * under the terms of the GNU General Public License version 2 only, as
       * published by the Free Software Foundation.
       * This code is distributed in the hope that it will be useful, but WITHOUT
       * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
       * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
       * version 2 for more details (a copy is included in the LICENSE file that
       * accompanied this code).
       * You should have received a copy of the GNU General Public License version
       * 2 along with this work; if not, write to the Free Software Foundation,
       * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
       * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
       * or visit www.oracle.com if you need additional information or have any
       * questions.
       */

      import java.security.KeyStore;
      import java.security.cert.X509Certificate;
      import java.util.Arrays;
      import javax.net.ssl.TrustManager;
      import javax.net.ssl.TrustManagerFactory;
      import javax.net.ssl.X509TrustManager;

      /*
       * @test
       * @summary Sanity check trust manager defaults/cacerts.
       */

      /**
       * Explores the set of root certificates.
       * Useful as a standalone program.
       * Prior to JEP 319, completely stock openjdk fails this because no
       * root certificates were checked into the repo.
       */
      public class CacertsExplorer {
          public static void main(String[] args) throws Throwable {
              String defaultAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
              if (!defaultAlgorithm.equals("PKIX"))
                  throw new AssertionError(
                      "Expected default algorithm PKIX, got " + defaultAlgorithm);

              TrustManagerFactory trustManagerFactory =
                  TrustManagerFactory.getInstance(defaultAlgorithm);
              // A null KeyStore makes the factory fall back to the default
              // trust store, i.e. the cacerts file under test.
              trustManagerFactory.init((KeyStore) null);
              TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();
              if (trustManagers.length != 1)
                  throw new AssertionError(
                      "Expected exactly one TrustManager, got "
                      + Arrays.toString(trustManagers));
              X509TrustManager trustManager = (X509TrustManager) trustManagers[0];

              // An empty issuer list means no root certificates were read
              // from cacerts, even though loading it raised no error.
              X509Certificate[] acceptedIssuers = trustManager.getAcceptedIssuers();
              if (acceptedIssuers.length == 0)
                  throw new AssertionError(
                      "no accepted issuers - cacerts file configuration problem?");
          }
      }
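A check that inspects a cacerts file directly, as an added example that is not part of the original report or of the JDK: it identifies the container format from the file's leading bytes and compares how many certificate entries are visible when the store is loaded with a null password versus the store password. The class name CacertsFormatCheck and its command-line arguments are assumptions; the default password changeit is the one used in the commands above.

```java
import java.io.ByteArrayInputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.util.Collections;

// Added example (hypothetical class name).
// Usage: java CacertsFormatCheck [keystore-path] [password]
public class CacertsFormatCheck {

    // Guess the container format from the leading bytes of the file.
    static String sniffType(byte[] b) {
        if (b.length >= 4 && (b[0] & 0xff) == 0xFE && (b[1] & 0xff) == 0xED
                && (b[2] & 0xff) == 0xFE && (b[3] & 0xff) == 0xED)
            return "JKS";       // JKS files start with the magic 0xFEEDFEED
        if (b.length >= 1 && b[0] == 0x30)
            return "PKCS12";    // DER SEQUENCE tag, as in a PKCS#12 PFX
        throw new IllegalArgumentException("unrecognized keystore format");
    }

    // Load the bytes as the given type and count trusted-certificate entries.
    static int countCerts(byte[] data, String type, char[] password)
            throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        ks.load(new ByteArrayInputStream(data), password);
        int n = 0;
        for (String alias : Collections.list(ks.aliases()))
            if (ks.isCertificateEntry(alias)) n++;
        return n;
    }

    public static void main(String[] args) throws Exception {
        Path path = Path.of(args.length > 0 ? args[0]
                : System.getProperty("java.home") + "/lib/security/cacerts");
        char[] password =
                (args.length > 1 ? args[1] : "changeit").toCharArray();

        byte[] data = Files.readAllBytes(path);
        String type = sniffType(data);
        int withNull = countCerts(data, type, null);         // null password
        int withPassword = countCerts(data, type, password); // store password

        System.out.printf("%s: type=%s, certs(null)=%d, certs(password)=%d%n",
                path, type, withNull, withPassword);
        if (withNull == 0 || withNull != withPassword) {
            System.out.println("FAIL: certificates missing on null-password load");
            System.exit(1);
        }
    }
}
```

Run against the two files produced by the keytool commands above, the pkcs12 store is the one this report expects to show zero certificates for the null-password load; a wrong store password makes the second load throw instead.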


              • Assignee:
                rhalade Rajan Halade
                martin Martin Buchholz