Intended behavior of the -providerName option of keytool
Michael Wang
muuang at gmail.com
Thu Sep 15 15:53:29 UTC 2016
Hi,
I'm trying to understand what the -providerName option of keytool does. The
documentation for -providerName just says:
"Used to identify a cryptographic service provider's name when listed in
the security properties file."
Which doesn't really say anything about how it should be used and the
resulting behavior.
I looked at the latest Java 9 source code for keytool, the only 2 places
that I see that use providerName are:
a. Getting an instance of the keystore, with:
    KeyStore.getInstance(storetype, providerName);
b. Getting an instance of key pair generator, with:
    new CertAndKeyGen(keyAlgName, sigAlgName, providerName);
It looks like all other calls in keytool that require the services of a
provider do not use providerName, so they default to looking up the
matching provider from the providers list.
This behavior doesn't seem very clear cut to me.
I think -providerName should be used to either:
1. Specify the provider of the keystore only. All other services used by
keytool that require a provider will look up the provider using the
default providers list.
2. Specify the provider of all services used by keytool that require a
provider, including keystore.
I just want to understand what the intended behavior should be.
Thanks,
Michael Wang
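
An added example, not part of the original message and not keytool's own code: it contrasts the default provider lookup with the named-provider lookup the message describes, using only public JCA calls. The store type and algorithm names are assumed sample values, and the public KeyPairGenerator and Signature classes stand in for keytool's internal CertAndKeyGen.

```java
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;

public class ProviderLookupDemo {
    // Assumed sample values standing in for -storetype, -keyalg and -sigalg.
    static final String STORE_TYPE = "PKCS12";
    static final String KEY_ALG = "RSA";
    static final String SIG_ALG = "SHA256withRSA";

    // True if this provider registers an implementation of the service.
    static boolean has(Provider p, String service, String alg) {
        return p.getService(service, alg) != null;
    }

    public static void main(String[] args) throws Exception {
        // Default lookup: the providers list is searched in preference order.
        System.out.println("default KeyStore         -> "
                + KeyStore.getInstance(STORE_TYPE).getProvider().getName());
        System.out.println("default KeyPairGenerator -> "
                + KeyPairGenerator.getInstance(KEY_ALG).getProvider().getName());
        System.out.println("default Signature        -> "
                + Signature.getInstance(SIG_ALG).getProvider().getName());

        // Explicit lookup: apply one provider name to every service.
        for (Provider p : Security.getProviders()) {
            if (!has(p, "KeyStore", STORE_TYPE)) {
                continue; // this name could not be used for the keystore at all
            }
            String name = p.getName();
            // Same call shape as the keystore lookup quoted from keytool.
            KeyStore ks = KeyStore.getInstance(STORE_TYPE, name);
            System.out.printf("%s: KeyStore from %s, KeyPairGenerator=%b, Signature=%b%n",
                    name, ks.getProvider().getName(),
                    has(p, "KeyPairGenerator", KEY_ALG), has(p, "Signature", SIG_ALG));
            try {
                // Forcing the same name onto a service the provider may not supply.
                Signature.getInstance(SIG_ALG, name);
            } catch (NoSuchAlgorithmException e) {
                System.out.println("  " + name + " cannot supply " + SIG_ALG
                        + "; the default lookup above found it elsewhere");
            }
        }
    }
}
```

The per-provider lines show which registered providers could serve as a single name for every service (option 2 in the message) and which could only serve the keystore (option 1).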