JDK-8193171 : keytool -list displays "JKS" for a PKCS12 keystore.
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 8u152
  • Priority: P4
  • Status: Closed
  • Resolution: Fixed
  • OS: generic
  • CPU: generic
  • Submitted: 2017-12-05
  • Updated: 2019-01-14
  • Resolved: 2018-05-01
Fixed in: JDK 8, 8u192 b01
Description
FULL PRODUCT VERSION :


ADDITIONAL OS VERSION INFORMATION :
Mac OS X and others

A DESCRIPTION OF THE PROBLEM :
You can have a look for yourself at https://stackoverflow.com/q/47638950/238704, and the answer at https://stackoverflow.com/a/47640052/238704.

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
See https://stackoverflow.com/a/47640052/238704.

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
I expected the output to be
...
Keystore type: PKCS12
...
ACTUAL -
...
Keystore type: JKS
...

REPRODUCIBILITY :
This bug can be reproduced always.

CUSTOMER SUBMITTED WORKAROUND :
The workaround is to ignore the incorrect text.


Comments
Since we cannot simply backport JDK-8192987 to fix this, I've unassigned myself. The following hack seems to work, but I'll leave it to the final assignee of this bug to determine if it has any undesirable effect.
diff --git a/src/share/classes/sun/security/tools/keytool/Main.java b/src/share/classes/sun/security/tools/keytool/Main.java --- a/src/share/classes/sun/security/tools/keytool/Main.java +++ b/src/share/classes/sun/security/tools/keytool/Main.java @@ -27,6 +27,7 @@ import java.io.*; import java.nio.file.Files; +import java.nio.file.Path; import java.nio.file.Paths; import java.security.CodeSigner; import java.security.CryptoPrimitive; @@ -594,6 +595,23 @@ void doCommands(PrintStream out) throws Exception { if (storetype == null) { storetype = KeyStore.getDefaultType(); + if (storetype.equalsIgnoreCase("JKS")) { + if (ksfname == null) { + ksfname = System.getProperty("user.home") + File.separator + + ".keystore"; + } + Path path = Paths.get(ksfname); + if (Files.exists(path)) { + try (InputStream is = Files.newInputStream(path)) { + DataInputStream dis = new DataInputStream(is); + if (dis.readInt() != 0xfeedfeed) { + storetype = "pkcs12"; + } + } catch (IOException ioe) { + // Ignored + } + } + } } storetype = KeyStoreUtil.niceStoreTypeName(storetype);
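Review bot: In the doCommands hunk, `dis.readInt() != 0xfeedfeed` is a negative test, so every existing file that does not begin with that magic is labelled "pkcs12" whatever it actually contains. Checking positively for the format being claimed, and leaving storetype unchanged when the header is unrecognised, would avoid trading one wrong label for another. The same block assigns `ksfname` when it was null, a side effect visible to everything after this block; a local variable for the probed path would keep the probe self-contained. The empty `catch (IOException ioe)` also swallows the end-of-file error from a file shorter than four bytes, which silently keeps "JKS"; a short comment stating that this fallback is intended would help the final assignee.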
08-12-2017

There is too much code behind probing. I think we can just add a few lines to keytool so that:
1. If -storetype is not specified
2. If the keystore file exists and does not start with FEEDFEED
3. Then set storetype = "pkcs12"
08-12-2017

With all the recent KeyStore changes, keytool's default storetype should be "unknown" or "probed" now. KeyStore.getDefaultType() should only be used when creating a new keystore. I am working on a similar bug now (JDK-8192987) which should help.
07-12-2017

It's actually a PKCS12 keystore. If you instead run "keytool -list -keystore server.private1 -storetype pkcs12" it should print pkcs12. The reason it prints JKS is because no storetype has been specified, and the default storetype is still jks in JDK 8 and the compatibility mode allows JKS keystores to read PKCS12 keystores and vice-versa. This is all quite confusing though for the user. In JDK 9, keytool uses the KeyStore.getInstance(File, ...) API which can probe the underlying keystore and determine the type without the user having to specify it. However, that API is not in JDK 8. [~weijun] can this somehow be fixed by adding an internal API to keytool to probe the underlying keystore?
07-12-2017

D:\>java -version
java version "1.8.0_151"
Java(TM) SE Runtime Environment (build 1.8.0_151-b12)
Java HotSpot(TM) 64-Bit Server VM (build 25.151-b12, mixed mode)

D:\>keytool -list -keystore server.private1
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
serverprivate1, Dec 7, 2017, PrivateKeyEntry,
Certificate fingerprint (SHA1): 55:B0:8B:3D:A6:06:29:C7:CD:19:2E:9C:7E:94:5B:FA:0D:69:0F:FC
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore server.private1 -destkeystore server.private1 -deststoretype pkcs12".
==========================================================================================================
D:\>keytool -importkeystore -srckeystore server.private1 -destkeystore server.private1 -deststoretype pkcs12
Enter source keystore password:
Entry for alias serverprivate1 successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled
Warning:
Migrated "server.private1" to Non JKS/JCEKS. The JKS keystore is backed up as "server.private1.old".
==========================================================================================================
D:\>keytool -list -keystore server.private1
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
serverprivate1, Dec 7, 2017, PrivateKeyEntry,
Certificate fingerprint (SHA1): 55:B0:8B:3D:A6:06:29:C7:CD:19:2E:9C:7E:94:5B:FA:0D:69:0F:FC
07-12-2017
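Because keytool in JDK 8 can print "JKS" for a file that is really PKCS12, an audit of keystore formats is safer done on the file header than on keytool's output. The following is an added example, not code from the JDK or from this report: it classifies a keystore by its leading bytes and returns "unknown" instead of guessing. The FEEDFEED magic comes from the comments above; the JCEKS magic, the PKCS12 DER prefix and all function names are assumptions of this example.

```python
import struct

JKS_MAGIC = 0xFEEDFEED         # the FEEDFEED value named in the comments above
JCEKS_MAGIC = 0xCECECECE       # assumption, not on the page: JCEKS file magic
PFX_VERSION = b"\x02\x01\x03"  # assumption: DER INTEGER 3, first field of a PKCS12 PFX


def der_sequence_header_len(buf):
    """Length of the tag+length header if buf starts with a SEQUENCE, else None."""
    if len(buf) < 2 or buf[0] != 0x30:
        return None
    first = buf[1]
    if first <= 0x80:              # short form, or 0x80 = BER indefinite length
        return 2
    n = first & 0x7F               # long form: n length octets follow
    if n > 4 or len(buf) < 2 + n:
        return None
    return 2 + n


def classify_keystore(head):
    """Classify a keystore from its leading bytes; unrecognised input stays 'unknown'."""
    if len(head) >= 4:
        magic = struct.unpack(">I", head[:4])[0]
        if magic == JKS_MAGIC:
            return "JKS"
        if magic == JCEKS_MAGIC:
            return "JCEKS"
    hlen = der_sequence_header_len(head)
    if hlen is not None and head[hlen:hlen + 3] == PFX_VERSION:
        return "PKCS12"
    return "unknown"


def classify_file(path):
    """Read only the first 16 bytes of a file; no password is needed for this check."""
    with open(path, "rb") as fh:
        return classify_keystore(fh.read(16))


# Constructed sample headers (not taken from any real keystore).
SAMPLES = {
    "jks": bytes.fromhex("feedfeed00000002"),
    "jceks": bytes.fromhex("cececece00000002"),
    "p12": bytes.fromhex("3082093a020103308208f4"),
    "p12_ber": bytes.fromhex("3080020103"),
    "pem": b"-----BEGIN CERTIFICATE-----",
    "empty": b"",
}
```

Run `classify_file` over the keystore paths in a deployment to list the files still in JKS or JCEKS format, whatever type keytool prints for them.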