JDK-8163354 : keytool/jarsigner should print out warning messages or fail when -storepass is not provided to a pkcs12 keystore
  • Type: Enhancement
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: tbd_major
  • Priority: P4
  • Status: Closed
  • Resolution: Won't Fix
  • Submitted: 2016-08-08
  • Updated: 2022-02-04
  • Resolved: 2022-02-04
Description
For a JKS keystore, the store password is only for integrity check and reading certificates is allowed without it. For a PKCS12 keystore, this is not true.

This has led to some confusing output in our security tools when -storepass is not provided and the keystore is pkcs12 (which is the current default storetype). For example:

1. "keytool -export" says an entry has no certificate.

$ keytool -export
Enter keystore password:

*****************  WARNING WARNING WARNING  *****************
* The integrity of the information stored in your keystore  *
* has NOT been verified!  In order to verify its integrity, *
* you must provide your keystore password.                  *
*****************  WARNING WARNING WARNING  *****************

keytool error: java.lang.Exception: Alias <mykey> has no certificate

2. "jarsigner -verify -verbose -certs" cannot pin a signer to a keystore entry, i.e. no "k" flag.

$ jarsigner a.jar -verify -verbose -certs -keystore ks.p12
....
sm      2626 Wed Jul 06 11:46:28 CST 2016 A.class
....
  s = signature was verified
  m = entry is listed in manifest
  k = at least one certificate was found in keystore

jar verified.
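The difference the report describes can be reproduced directly through the KeyStore API, which is what keytool and jarsigner use underneath. The program below is an added example, not part of the bug report or of the JDK sources: it builds a JKS and a PKCS12 keystore in memory, each holding one trusted-certificate entry under the alias "mykey" (the alias keytool used in the report), writes them out protected by the constructed password "changeit", and then reloads each one with a null password, i.e. the same situation as running keytool without -storepass. The certificate it stores is borrowed from the JDK's default trust store so that nothing has to be downloaded; the class name and helper names are the example's own.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class StorePassDemo {

    // Borrow one CA certificate from the JDK's default trust store so the demo
    // needs no external files (assumption: a standard JDK with cacerts present).
    static X509Certificate anyTrustedCert() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                X509Certificate[] issuers = ((X509TrustManager) tm).getAcceptedIssuers();
                if (issuers.length > 0) {
                    return issuers[0];
                }
            }
        }
        throw new IllegalStateException("no trusted certificate available");
    }

    // Build a keystore of the given type holding one trusted-cert entry under
    // alias "mykey", serialise it protected by storePass, then reload it with
    // loadPass (null models "-storepass not given" / an empty prompt answer)
    // and return whatever getCertificate("mykey") yields, as keytool -export would.
    static Certificate storeAndReload(String type, char[] storePass, char[] loadPass)
            throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        ks.load(null, null);                       // fresh, empty in-memory keystore
        ks.setCertificateEntry("mykey", anyTrustedCert());

        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, storePass);

        KeyStore reloaded = KeyStore.getInstance(type);
        reloaded.load(new ByteArrayInputStream(out.toByteArray()), loadPass);
        return reloaded.getCertificate("mykey");
    }

    static String describe(Certificate c) {
        return c != null ? "certificate readable" : "no certificate (alias looks empty)";
    }

    public static void main(String[] args) throws Exception {
        char[] pass = "changeit".toCharArray();   // constructed demo password

        // JKS: the password only keys an integrity MAC. Loading with null skips
        // the MAC check (keytool prints its WARNING banner) but the certificate
        // is still returned.
        System.out.println("JKS    without password -> "
            + describe(storeAndReload("JKS", pass, null)));

        // PKCS12: certificates are stored inside password-encrypted SafeContents.
        // Loading with null silently skips that content, so the alias has no
        // certificate, which is exactly the "Alias <mykey> has no certificate"
        // error and the missing "k" flag from the report.
        System.out.println("PKCS12 without password -> "
            + describe(storeAndReload("PKCS12", pass, null)));

        // With the store password supplied, both types return the entry.
        System.out.println("PKCS12 with password    -> "
            + describe(storeAndReload("PKCS12", pass, pass)));
    }
}
```

Compile and run it with `javac StorePassDemo.java && java StorePassDemo`. The practical consequence for anyone scripting keytool or jarsigner against the default (PKCS12) store type is that an empty password prompt does not merely skip the integrity check as it does for JKS; it makes the certificate entries invisible, so a missing -storepass should be treated as a hard error in automation rather than a warning. Since JDK 12 the java.security property keystore.pkcs12.certProtectionAlgorithm can be set to NONE so that certificates are written unencrypted and remain readable without the password, but that trades away the confidentiality of the certificate contents and, as with JKS, the MAC is only verified when a password is given.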