code review request: 7047200: keytool safe store (was Misleading error message)

Weijun Wang weijun.wang at oracle.com
Thu Sep 8 02:13:05 PDT 2011


Bug weblink: http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=7047200
Webrev: http://cr.openjdk.java.net/~weijun/7047200/webrev.00/

The original bug report is a false report. However, because of a simple 
input error, the keystore file is damaged permanently. This is 
definitely not a nice user experience.

The fix stores the keystore content to a byte array first before writing 
it to a file. An alternative way would be to store the content to a new 
file name and then do a remove-and-rename, but since keystore files are 
normally small, it's not worth trying.

Thanks
Max

On 06/29/2011 08:50 AM, weijun.wang at oracle.com wrote:
> 7047200: keytool safe store (was Misleading error message)
>
>
> === *Description* ============================================================
> FULL PRODUCT VERSION :
> java version "1.6.0_25"
> Java(TM) SE Runtime Environment (build 1.6.0_25-b06)
> Java HotSpot(TM) Client VM (build 20.0-b11, mixed mode, sharing)
>
> ADDITIONAL OS VERSION INFORMATION :
> Microsoft Windows XP [Version 5.1.2600]
> (C) Copyright 1985-2001 Microsoft Corp.
>
> A DESCRIPTION OF THE PROBLEM :
> Why is an error being generated after I key in the password twice?
>
> REGRESSION.  Last worked in version 6u25
>
> STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
> Command Line
> Microsoft Windows XP [Version 5.1.2600]
> (C) Copyright 1985-2001 Microsoft Corp.
>
> C:\Documents and Settings\Jon>keytool -genkeypair -v -protected -alias jon -file
> certif.file
> What is your first and last name?
> [Unknown]: Jon C.
> What is the name of your organizational unit?
> [Unknown]: @Jon's
> What is the name of your organization?
> [Unknown]: @Jon's
> What is the name of your City or Locality?
> [Unknown]: Birkirkara
> What is the name of your State or Province?
> [Unknown]: Malta(EU)
> What is the two-letter country code for this unit?
> [Unknown]: MT
> Is CN=Jon C., OU=@Jon's, O=@Jon's, L=Birkirkara, ST=Malta(EU), C=MT correct?
> [no]: yes
>
> Generating 1,024 bit DSA key pair and self-signed certificate (SHA1withDSA) with
> a validity of 90 days
> for: CN=Jon C., OU=@Jon's, O=@Jon's, L=Birkirkara, ST=Malta(EU), C=MT
> Enter key password for <jon>
> (RETURN if same as keystore password):
> Re-enter new password:
> [Storing C:\Documents and Settings\Jon\.keystore]
>
>
> EXPECTED VERSUS ACTUAL BEHAVIOR :
> EXPECTED -
> PKI should be generated
> ACTUAL -
> Error message is displayed.
>
> ERROR MESSAGES/STACK TRACES THAT OCCUR :
> keytool error: java.lang.IllegalArgumentException: password can't be null
> java.lang.IllegalArgumentException: password can't be null
> at sun.security.provider.JavaKeyStore.engineStore(JavaKeyStore.java:508)
>
> at sun.security.provider.JavaKeyStore$JKS.engineStore(JavaKeyStore.java:38)
> at java.security.KeyStore.store(KeyStore.java:1117)
> at sun.security.tools.KeyTool.doCommands(KeyTool.java:901)
> at sun.security.tools.KeyTool.run(KeyTool.java:171)
> at sun.security.tools.KeyTool.main(KeyTool.java:165)
>
> REPRODUCIBILITY :
> This bug can be reproduced always.
>
> === *Evaluation* =============================================================
> This is mainly a user error:
>
>> keytool -genkeypair -v -protected -alias jon -file certif.file
>
> 1. Does the user intend to create a new keystore certif.file? If so, please use "-keystore certif.file".
>
> 2. The default keystore type at the moment, JKS, is file-based. So, do not specify "-protected". This option is for token-based keystores which have their own special protection mechanism.
>
> Having said that, we can enhance keytool to deal with this user input error in a friendlier way.
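The safe-store approach described in Max's message, as an added example (not the webrev's own code): the "unsafe" method mirrors the pre-fix behaviour, where the FileOutputStream constructor truncates the existing keystore before store() throws, while the "safe" method serializes into a byte array first so a failure such as a null password never touches the file. The class and method names are assumptions for illustration; the demo uses an empty JKS keystore in a temp file.

```java
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;

public class SafeStoreDemo {

    // Unsafe pattern (the pre-fix behaviour): new FileOutputStream(file)
    // truncates the keystore on disk before store() runs, so an exception
    // thrown by store() leaves a 0-byte file behind.
    static void unsafeStore(KeyStore ks, File file, char[] password)
            throws IOException, GeneralSecurityException {
        try (FileOutputStream fout = new FileOutputStream(file)) {
            ks.store(fout, password);
        }
    }

    // Safe pattern (the approach in the fix): serialize into memory first;
    // the file is opened only after store() has succeeded.
    static void safeStore(KeyStore ks, File file, char[] password)
            throws IOException, GeneralSecurityException {
        ByteArrayOutputStream bout = new ByteArrayOutputStream();
        ks.store(bout, password);       // JKS throws here if password is null
        try (FileOutputStream fout = new FileOutputStream(file)) {
            fout.write(bout.toByteArray());
        }
    }

    public static void main(String[] args) throws Exception {
        File file = File.createTempFile("demo", ".keystore"); // constructed sample
        file.deleteOnExit();
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, null);            // new, empty keystore
        char[] pw = "changeit".toCharArray();

        safeStore(ks, file, pw);
        long original = file.length();
        // A null keystore password is what -protected produced in the report.
        try { unsafeStore(ks, file, null); } catch (IllegalArgumentException e) { }
        System.out.println("after unsafe failure: " + file.length() + " bytes (was " + original + ")");

        safeStore(ks, file, pw);        // restore the keystore, then retry safely
        try { safeStore(ks, file, null); } catch (IllegalArgumentException e) { }
        System.out.println("after safe failure:   " + file.length() + " bytes (was " + original + ")");
    }
}
```

The first line reports a truncated file; the second reports the original size, which is the user-visible difference the fix makes.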


