RFR: 8354469: Keytool exposes the password in plain text when command is piped using | grep [v10]

Sean Mullan mullan at openjdk.org
Mon Oct 6 14:53:50 UTC 2025


On Fri, 26 Sep 2025 22:59:32 GMT, Weijun Wang <weijun at openjdk.org> wrote:

>> Allow password hiding even if there is no `System.console`. A manual test is included.
>
> Weijun Wang has updated the pull request incrementally with one additional commit since the last revision:
> 
>   update bug list in test

src/java.base/share/classes/sun/security/util/Password.java line 62:

> 60:                     consoleEntered = ConsoleHolder.readPassword();
> 61:                     // readPassword returns "" if you just press ENTER with the built-in Console,
> 62:                     // to be compatible with old Password class, change to null

This is an odd comment - what is the "old Password class"? Maybe you just want to remove the "to be compatible with old Password class" part from this comment.

test/jdk/sun/security/tools/keytool/EchoPassword.java line 1:

> 1: /*

In this test, where are you verifying that a warning is shown when the input is echoed?

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/27196#discussion_r2406585327
PR Review Comment: https://git.openjdk.org/jdk/pull/27196#discussion_r2406794334

