JDK-8163354

keytool/jarsigner should print out warning messages or fail when -storepass is not provided to a pkcs12 keystore

Type: Enhancement
Resolution: Won't Fix
Priority: P4
Component: security-libs

For a JKS keystore, the store password is used only for the integrity check, and reading certificates is allowed without it. For a PKCS12 keystore, this is not true.

This has led to some confusing output in our security tools when -storepass is not provided and the keystore is PKCS12 (which is the current default storetype). For example:

1. "keytool -export" says an entry has no certificate.

$ keytool -export
Enter keystore password:

***************** WARNING WARNING WARNING *****************
* The integrity of the information stored in your keystore *
* has NOT been verified! In order to verify its integrity, *
* you must provide your keystore password. *
***************** WARNING WARNING WARNING *****************

keytool error: java.lang.Exception: Alias <mykey> has no certificate

2. "jarsigner -verify -verbose -certs" cannot pin a signer to a keystore entry, i.e. no "k" flag is shown.

$ jarsigner a.jar -verify -verbose -certs -keystore ks.p12
....
sm 2626 Wed Jul 06 11:46:28 CST 2016 A.class
....
  s = signature was verified
  m = entry is listed in manifest
  k = at least one certificate was found in keystore

jar verified.
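The practical consequence for anyone scripting keytool or jarsigner is that a run without the store password can look like a success while having verified nothing. The following POSIX shell wrapper is an added example, not code from this bug report or from the JDK tools: it refuses to open a keystore unless a password is available (passed via keytool's real -storepass:env option so it never appears in the process argument list), and it classifies captured tool output so the integrity banner and the "has no certificate" error are treated as failures. The environment variable name KEYSTORE_PASS and the sample outputs are constructed for the example; the samples are modelled on the transcripts quoted above.

```shell
#!/bin/sh
# Added example, not code from the JDK bug report or from the JDK tools.
# A CI-style wrapper around keytool that (a) refuses to open a keystore without a
# store password and (b) classifies keytool's output so that the "integrity NOT
# verified" banner and the "has no certificate" error count as failures.
# KEYSTORE_PASS is an assumed variable name chosen for this example.

# Classify captured keytool/jarsigner text.
# Return codes: 0 = clean listing
#               1 = integrity banner present (the store was opened without a password)
#               2 = an entry was reported without a certificate (PKCS12 opened without a password)
classify_keytool_output() {
    out="$1"
    case "$out" in
        *"has no certificate"*) return 2 ;;
    esac
    case "$out" in
        *"has NOT been verified"*) return 1 ;;
    esac
    return 0
}

# Open the keystore only when a store password is available. The password is
# handed to keytool through -storepass:env so it does not appear in argv.
# Return codes: 3 = no password available, 4 = keytool failed for another reason,
#               otherwise the classify_keytool_output result.
list_keystore_entries() {
    ks="$1"
    if [ -z "${KEYSTORE_PASS:-}" ]; then
        echo "refusing to open $ks without a store password: PKCS12 certificates are unreadable without it" >&2
        return 3
    fi
    if out=$(keytool -list -keystore "$ks" -storepass:env KEYSTORE_PASS 2>&1); then
        rc=0
    else
        rc=$?
    fi
    classify_keytool_output "$out" || return $?
    [ "$rc" -eq 0 ] || return 4
    return 0
}

# Constructed sample outputs, modelled on the transcripts in the bug report.
SAMPLE_PKCS12_NO_PASSWORD='Enter keystore password:
***************** WARNING WARNING WARNING *****************
* The integrity of the information stored in your keystore *
* has NOT been verified! In order to verify its integrity, *
* you must provide your keystore password. *
***************** WARNING WARNING WARNING *****************
keytool error: java.lang.Exception: Alias <mykey> has no certificate'

SAMPLE_JKS_NO_PASSWORD='Enter keystore password:
***************** WARNING WARNING WARNING *****************
* The integrity of the information stored in your keystore *
* has NOT been verified! In order to verify its integrity, *
* you must provide your keystore password. *
***************** WARNING WARNING WARNING *****************
Keystore type: JKS
mykey, Jul 6, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): <constructed placeholder>'

SAMPLE_WITH_PASSWORD='Keystore type: PKCS12
Keystore provider: SUN
Your keystore contains 1 entry
mykey, Jul 6, 2016, PrivateKeyEntry,
Certificate fingerprint (SHA1): <constructed placeholder>'

# Print the classification of each sample (safe under set -e).
report() {
    rc=0
    classify_keytool_output "$2" || rc=$?
    echo "$1 -> rc=$rc"
}
report "PKCS12 without password" "$SAMPLE_PKCS12_NO_PASSWORD"   # rc=2
report "JKS without password"    "$SAMPLE_JKS_NO_PASSWORD"      # rc=1
report "PKCS12 with password"    "$SAMPLE_WITH_PASSWORD"        # rc=0
```

In a pipeline, use `list_keystore_entries ks.p12` with KEYSTORE_PASS exported by the CI secret store; a return code of 1 or 2 means the keystore was read without its password and the result must not be trusted, which is exactly the situation the report above shows the tools handling silently.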

Assignee: Unassigned
Reporter: Weijun Wang