RFR 8172975: SecurityTools.keytool() needs to accept user input

Artem Smotrakov artem.smotrakov at oracle.com
Thu Jan 19 13:40:42 UTC 2017


Hi Max,

In general, looks okay.

Would it be better if it called redirectInput() only if the response 
file exists? keytool() method might also delete the response file after 
reading it. These two measures may prevent situations when the response 
file is unnecessary used.

What do you think?

Artem


On 01/18/2017 05:50 PM, Weijun Wang wrote:
> Please review the code changes at
>
>    root: http://cr.openjdk.java.net/~weijun/8172975/root/webrev.00/
>    jdk: http://cr.openjdk.java.net/~weijun/8172975/webrev.00/
>
> The fix is in root repo. This is not an elegant solution because it 
> uses a separate method to provide the response. This means you have to 
> clear the response if the next keytool call does not need it. This 
> also means you cannot run keytool in multiple threads.
>
> I didn't provide the response as an extra argument because there are 
> already many overloaded keytool() methods, and I do not want to invent 
> a new method name (say, keytoolWithResponse) and implement the same 
> number of overloaded methods.
>
> If you are strongly against this solution, I'll think of another way.
>
> The jdk change includes a test for this change, as well as a trivial 
> fix for keytool's getYesNoReply() method. Otherwise an NPE is thrown 
> with the following command:
>
>    cat untrusted.cert | keytool -importcert -alias a
>
> Thanks
> Max



More information about the security-dev mailing list