JDK-8339347 : keytool -importpass insists prompting the user even if there is no terminal
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 22
  • Priority: P4
  • Status: Resolved
  • Resolution: Fixed
  • Submitted: 2024-08-30
  • Updated: 2024-09-16
  • Resolved: 2024-09-05
Fix version: JDK 24 (24 b15, Fixed)
Description
There is a behavior change in keytool somewhere between JDK 8 and JDK 22.

This keytool command used to work in order to build a p12 file but now it’s attempting to prompt in JDK 22; is there a new flag to use instead?

echo "<CLIENT_SECRET>" | keytool -importpass -storetype pkcs12 -alias "<CLIENT_ID>" -keystore "test.p12" -storepass "<store pass>"

Example: 
echo "2222" | keytool -importpass -storetype pkcs12 -alias "1111" -keystore "test.p12" -storepass "mypass"
Enter the password to be stored:  Re-enter password: They don't match. Try again
Enter the password to be stored:  Re-enter password:

When run in JDK 8

Example:

echo "2222" | /Library/Java/JavaVirtualMachines/jdk-1.8.jdk/Contents/Home/bin/keytool -importpass -storetype pkcs12 -alias "1111" -keystore "test.p12" -storepass "mypass"

No output; the file is just created properly.
Comments
Changeset: 8fb8cd85 Branch: master Author: Hai-May Chao <hchao@openjdk.org> Date: 2024-09-05 20:17:52 +0000 URL: https://git.openjdk.org/jdk/commit/8fb8cd85b7bd2e004329b4968f9564f340002cc1
05-09-2024

A pull request was submitted for review. Branch: master URL: https://git.openjdk.org/jdk/pull/20855 Date: 2024-09-04 16:10:50 +0000
04-09-2024

A short term solution would be to change make/modules/java.base/Launcher.gmk so that keytool is built with JAVA_ARGS=-Djdk.console=java.base. Another thing to quickly try is for keytool to use Console::isTerminal to test if the console is connected to a "terminal".
31-08-2024

In keytool, if there is a console it will prompt for the password; otherwise, it just reads from System.in. Since 22, the Console implementation using JLine became the default, which always returns the instance. See: https://bugs.openjdk.org/browse/JDK-8309141 The way for an app to determine whether an interactive terminal is attached is to call System.console().isTerminal(), instead of System.console() != null. Note that Console uses a provider mechanism (by a system property `jdk.console=<console module>`), and some implementations may return null for `System.console()`.
30-08-2024
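
The terminal check described in the comments above, as an added example (not keytool's code and not the change in the linked pull request). The class name `SecretInput` and its helper methods are hypothetical; it needs JDK 22 or later for `Console.isTerminal()`.

```java
import java.io.BufferedReader;
import java.io.Console;
import java.io.IOException;
import java.io.InputStreamReader;
import java.util.Arrays;

public class SecretInput {                       // hypothetical class, for illustration
    // On JDK 22+ System.console() can be non-null while stdin is a pipe,
    // so a null test alone no longer means "a terminal is attached".
    static boolean interactive(Console c) {
        return c != null && c.isTerminal();
    }

    static char[] readSecret() throws IOException {
        Console c = System.console();
        if (interactive(c)) {
            // Terminal attached: prompt twice without echo and compare.
            char[] first = c.readPassword("Enter the password to be stored: ");
            char[] again = c.readPassword("Re-enter password: ");
            if (first == null || again == null) {
                throw new IOException("end of input while prompting");
            }
            boolean same = Arrays.equals(first, again);
            Arrays.fill(again, '\0');
            if (!same) {
                Arrays.fill(first, '\0');
                throw new IOException("They don't match");
            }
            return first;
        }
        // No terminal (echo "..." | java SecretInput): read one line, no prompt.
        // The intermediate String cannot be wiped; only the returned array can.
        BufferedReader in = new BufferedReader(new InputStreamReader(System.in));
        String line = in.readLine();
        if (line == null) {
            throw new IOException("no secret on standard input");
        }
        return line.toCharArray();
    }

    public static void main(String[] args) throws IOException {
        char[] secret = readSecret();
        try {
            System.err.println("read " + secret.length + " characters, interactive="
                    + interactive(System.console()));
        } finally {
            Arrays.fill(secret, '\0');           // clear the secret after use
        }
    }
}
```

Run with `echo "2222" | java SecretInput.java` to exercise the piped path, and with no redirection to exercise the prompting path.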