The default implementation of KeyStoreSpi.engineLoad(LoadStoreParameter) casts the wrong object if a SimpleLoadStoreParameter with a PasswordProtection is used. This results in a ClassCastException at runtime.

This case only occurs if the KeyStore.Builder.newInstance(String, Provider, ProtectionParameter) method is used with a KeyStore implementation that does not override the above-mentioned engineLoad() method. Since this Builder variant is intended for token based providers, and token based providers are presumed to explicitly override the engineLoad() API, the effect of this bug should be minimal.