JDK-8202917 : keytool should not echo keystore password when output piped through grep
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 8,9,10,11
  • Priority: P4
  • Status: Closed
  • Resolution: Won't Fix
  • OS: os_x
  • CPU: x86
  • Submitted: 2018-05-09
  • Updated: 2025-04-21
  • Resolved: 2018-05-17
Description
ADDITIONAL SYSTEM INFORMATION :
Mac OS X, Java 1.8.0_172 and previous versions (also happens on Debian-based Linux systems)

A DESCRIPTION OF THE PROBLEM :
When keytool output is piped through grep (for instance to discover if a particular alias exists within the keystore) the password masking is disabled and the typed-in password is seen as plain text.

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Execute a command similar to the following: 

$ sudo keytool -list -keystore ./lib/security/cacerts|grep somealias

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
When a password to the keystore is typed in, no characters are seen.
ACTUAL -
When a password to the keystore is typed in, it is seen in clear-text.

FREQUENCY : always



Comments
The Console class was designed to serve the command line "interactive" communication with the assumption that both std in and out are not re-directed, and the implementation is built on top of both std in and out. There is no easy workaround short of re-visiting the design assumption to separate the std in and out, since the "echo" command itself actually belongs to the std in only.
17-05-2018

Another example where the password is visible is when redirecting the output of keystore to a file.
JDK 8u172 - Fail
JDK 10.0.1 - Fail
JDK 11-ea+10 - Fail
10-05-2018
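
The comment above notes that echo belongs to std in and that Console assumes neither stream is redirected. As an added example (not from this report or the JDK), the POSIX shell wrapper below turns terminal echo off itself and passes the password to keytool through its `-storepass:env` modifier, so keytool never prompts when its output is piped or redirected; `read_secret`, `list_alias`, `KS_PASS` and the `KEYTOOL` override are names assumed here.

```shell
#!/bin/sh
# Added example: names below are assumptions, not JDK or bug-report code.

# read_secret PROMPT: prompt on stderr, read one line from stdin, print it on
# stdout. Echo is a property of the terminal on stdin, so it is switched off
# there directly; this works no matter where stdout is redirected.
read_secret() {
    printf '%s' "$1" >&2
    if [ -t 0 ]; then
        saved=$(stty -g)                          # remember terminal settings
        trap 'stty "$saved"; exit 130' INT TERM   # restore echo on Ctrl-C
        stty -echo
        IFS= read -r secret
        stty "$saved"
        trap - INT TERM
        printf '\n' >&2
    else
        IFS= read -r secret                       # no terminal, nothing to echo
    fi
    printf '%s' "$secret"
}

# list_alias KEYSTORE ALIAS: grep one alias out of `keytool -list`.
# The password goes through the environment (-storepass:env), so keytool never
# prompts and nothing appears on the command line shown by ps.
list_alias() {
    KS_PASS=$(read_secret "Keystore password: ") || return 1
    export KS_PASS
    status=0
    "${KEYTOOL:-keytool}" -list -keystore "$1" -storepass:env KS_PASS |
        grep -- "$2" || status=$?
    unset KS_PASS
    return "$status"
}
```

Run it without sudo, or switch to `-storepass:file` with an owner-only file, because sudo resets the environment by default and the variable would not reach keytool.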