JDK-8274862

Allow store password to be null when saving a PKCS12 KeyStore

    • CSR
    • Resolution: Approved
    • P3
    • 18
    • security-libs
    • None
    • behavioral
    • low
    • Before this change, storing a PKCS12 keystore with a null password was equivalent to storing it with an empty password. Such a keystore can only be loaded successfully with `new char[0]` as the password (with or without this change). After this change, storing a PKCS12 keystore with a null password creates a password-less keystore that can be loaded successfully with any password (including null).
    • File or wire format
    • SE

      Summary

      When calling KeyStore.store(outStream, password) on a PKCS12 KeyStore with a null password, store it as a password-less PKCS12 file where certificates are not encrypted and no MacData is added for integrity protection.

      Problem

      It's not easy to create a password-less PKCS12 KeyStore. One has to modify the java.security file or set certain system properties. It's also impossible to save an existing non password-less PKCS12 keystore as a password-less PKCS12 keystore (in a different file).

      Solution

      When calling KeyStore.store(outStream, password) on a PKCS12 KeyStore with a null password, store it as a password-less PKCS12 file, regardless of whether the original keystore is password-less and regardless of which system and security properties are set.
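
      An added example (not part of this CSR or the JDK sources): a Python audit check that reports whether a DER-encoded PKCS12 file carries the optional MacData element, whose absence is what the Summary describes for a keystore stored with a null password. The function names and the sample bytes are constructed for illustration; files using BER indefinite lengths are rejected rather than parsed.

```python
# Added example: audit check for PKCS12 files written without MacData.
# The sample bytes at the bottom are constructed skeletons, not real keystores.

def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated element header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if tag & 0x1F == 0x1F or first == 0x80:
        raise ValueError("multi-byte tag or indefinite length (BER) not handled")
    if first < 0x80:
        length = first                      # short form
    else:
        n = first & 0x7F                    # long form: n length octets follow
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("element runs past end of input")
    return tag, pos, pos + length

def pfx_has_mac_data(der):
    """True if the top-level PFX SEQUENCE carries the optional MacData."""
    tag, start, end = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tags, pos = [], start
    while pos < end:
        t, _, pos = _read_tlv(der, pos)
        tags.append(t)
    if pos != end:
        raise ValueError("child element overruns the PFX SEQUENCE")
    # PFX ::= SEQUENCE { version INTEGER, authSafe ContentInfo, macData OPTIONAL }
    if tags[:2] != [0x02, 0x30]:
        raise ValueError("unexpected PFX layout")
    return len(tags) >= 3 and tags[2] == 0x30

def _tlv(tag, body):
    """Build a short-form DER element (constructed samples only, < 128 bytes)."""
    return bytes([tag, len(body)]) + body

# Constructed minimal PFX skeletons: version 3, an empty 'data' ContentInfo,
# and, in WITH_MAC only, an empty placeholder SEQUENCE where MacData would sit.
_OID_DATA = _tlv(0x06, bytes.fromhex("2a864886f70d010701"))
_AUTH_SAFE = _tlv(0x30, _OID_DATA + _tlv(0xA0, _tlv(0x04, b"")))
NO_MAC = _tlv(0x30, _tlv(0x02, b"\x03") + _AUTH_SAFE)
WITH_MAC = _tlv(0x30, _tlv(0x02, b"\x03") + _AUTH_SAFE + _tlv(0x30, b""))
```

      A result of False means the file has no integrity check of the kind the password normally provides, so any protection has to come from where and how the file is stored.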

      Specification

      Make these clarifications in src/java.base/share/classes/java/security/KeyStore.java.

      The class spec:

      @@ -170,6 +172,17 @@
      + * <p> Several methods such as {@code store} and {@code setKeyEntry} take
      + * a password parameter that is commonly used to provide protection such
      + * as an integrity check on the keystore or encryption of a key entry.
      + * However, this behavior is optional and implementation-specific.
      + * If a keystore type does not support or require these features,
      + * a {@code null} password can be provided to these methods.
      + * For example, if {@code setKeyEntry()} is called with a {@code null}
      + * password to store a key unprotected, the entry can be then extracted
      + * by {@code getKey()} with a {@code null} password.
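
      Review bot: the sentence "If a keystore type does not support or require these features, a {@code null} password can be provided to these methods" leaves the opposite case unspecified, so a caller cannot tell from this paragraph what happens when null is passed to a keystore type that does require the password. Suggest stating the expected outcome or directing readers to the keystore type's own documentation. Minor wording point in the last sentence: "can be then extracted" reads better as "can then be extracted".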

      The method spec:

           /*
            * ....
      -     * @param password the password to generate the keystore integrity check
      +     * @param password the password to generate the keystore integrity check.
      +     *                 May be {@code null} if the keystore does not support
      +     *                 or require an integrity check.
            * ....
            */
           public final void store(OutputStream stream, char[] password)
               throws KeyStoreException, IOException, NoSuchAlgorithmException,
                   CertificateException;
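
      Review bot: the two added lines of the @param password text say when null is permitted but not what the caller gives up by passing it; per the Summary above, a PKCS12 keystore stored this way has unencrypted certificates and no MacData. Suggest adding a sentence that a null password produces output with no integrity check, so that a null passed by accident (for example an unset variable) is recognisable as a loss of protection rather than a no-op.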

      The same words are added to the engineStore(OutputStream stream, char[] password) method of src/java.base/share/classes/java/security/KeyStoreSpi.java.

            weijun Weijun Wang
            webbuggrp Webbug Group
            Sean Mullan