Type: Bug
Resolution: Fixed
Priority: P3
keytool has a -cacerts flag to operate on the internal cacerts file (thanks!).
BUT:
keytool still wants a storepass, even though it obviously knows how to read from the cacerts file, and there is little security here since all cacerts files have the same well-known storepass. The keytool docs say """When retrieving information from the keystore, the password is optional. If no password is specified, then the integrity of the retrieved information can't be verified and a warning is displayed."""
BUT:
$ keytool -list -cacerts -storepass bogus
keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect
It is possible to get the data, but you have to get the prompt, then ENTER (null password) to get the desired output.
$ keytool -list -cacerts
Enter keystore password:
***************** WARNING WARNING WARNING *****************
* The integrity of the information stored in your keystore *
* has NOT been verified! In order to verify its integrity, *
* you must provide your keystore password. *
***************** WARNING WARNING WARNING *****************
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 80 entries
...
All of this seems to make no sense. With keytool -cacerts, Java should just access the cacerts using whatever means it normally uses (I'm not sure how ... does it hard-code the well-known password?)
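The three outcomes the report describes (a wrong -storepass rejected, an empty password accepted with the integrity warning, and the well-known password verified) are exactly the three behaviours of KeyStore.load() with a wrong, null, or correct password. The following program is an added example, not code from the bug report or from the JDK; it reproduces those cases programmatically against the runtime's own cacerts file. It assumes the JDK 9+ layout ($JAVA_HOME/lib/security/cacerts) and the JDK's shipped default password "changeit", both overridable on the command line, and it prints each trusted certificate's SHA-256 fingerprint, which is what a defender actually compares against a known-good list, since an integrity hash keyed on a password everyone knows proves only that the file is well-formed. On JDKs affected by the linked JDK-8194702, a PKCS12-format cacerts loaded with a null password may report no certificate entries.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.util.Enumeration;

public class CacertsLoadModes {

    // Path of the runtime's own cacerts file, as keytool -cacerts resolves it
    // (assumes the JDK 9+ layout; pass an explicit path as the first argument otherwise).
    static Path cacertsPath() {
        return Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
    }

    // Loads the keystore with the given password:
    //   null        -> contents readable, integrity NOT checked (the "press ENTER" case keytool warns about)
    //   wrong value -> IOException ("Keystore was tampered with, or password was incorrect" for JKS)
    //   right value -> keyed integrity hash verified
    // The default type is PKCS12 on JDK 9+ and its loader also accepts JKS files,
    // so this works whichever format the installed cacerts uses.
    static KeyStore load(Path path, char[] password) throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // SHA-256 fingerprint of a certificate in keytool's colon-separated format.
    static String sha256Fingerprint(Certificate cert) throws GeneralSecurityException {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", digest[i]));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        Path path = args.length > 0 ? Paths.get(args[0]) : cacertsPath();
        // The JDK ships cacerts with the well-known default password "changeit";
        // pass a different one as the second argument if your build changed it.
        char[] wellKnown = (args.length > 1 ? args[1] : "changeit").toCharArray();

        // 1. Wrong password: the integrity check fails, as with -storepass bogus.
        try {
            load(path, "bogus".toCharArray());
            System.out.println("unexpected: bogus password accepted");
        } catch (IOException e) {
            System.out.println("bogus password rejected: " + e.getMessage());
        }

        // 2. Null password: entries are readable, but nothing about the file was verified.
        KeyStore unverified = load(path, null);
        System.out.println("null password: " + unverified.size() + " entries read, integrity not verified");

        // 3. Well-known password: the keyed hash matches, but the key is public knowledge,
        //    so this only shows the file is well-formed, not that it is the one you expect.
        KeyStore verified = load(path, wellKnown);
        System.out.println("well-known password: " + verified.size() + " entries, integrity hash matched");

        // The meaningful check: the set of trusted-certificate fingerprints,
        // which can be diffed against a known-good list for this JDK build.
        Enumeration<String> aliases = verified.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (verified.isCertificateEntry(alias)) {
                System.out.println(alias + "  " + sha256Fingerprint(verified.getCertificate(alias)));
            }
        }
    }
}
```

Run it as `java CacertsLoadModes.java` (JDK 11+ single-file launch) or `java CacertsLoadModes /path/to/cacerts changeit`; the first step prints the same IOException message the report shows for -storepass bogus, the second reproduces the unverified read that keytool warns about, and the fingerprint listing is the part worth saving and diffing after JDK upgrades.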
Relates to:
- JDK-8194702 pkcs12 can be loaded with null password but certificates are missing (Closed)
- JDK-8162739 Create new keytool option to access cacerts file (Closed)
- JDK-8162628 The CACERTS keystore type (Closed)
- JDK-8208176 Enhance keytool to deal with password-less pkcs12 keystores nicely (Closed)