RFR: 8279066: Still see private key entries without certificates in a PKCS12 keystore

Sean Mullan mullan at openjdk.java.net
Tue Dec 21 18:26:13 UTC 2021

On Tue, 21 Dec 2021 16:31:57 GMT, Weijun Wang <weijun at openjdk.org> wrote:

> Before password-less PKCS12 keystores are supported, certificates in a PKCS12 file are always encrypted. Therefore if one loads the keystore with a null pass, it contains `PrivateKeyEntry`s without certificates. This has always been awkward (and most likely useless) so when JDK-8076190 introduced the password-less feature I also added a line to remove such an entry. 
> https://github.com/openjdk/jdk/blob/a729a70c0119ed071ff490b0dfd4e3e2cb1a5ae4/src/java.base/share/classes/sun/security/pkcs12/PKCS12KeyStore.java#L2272 
> Unfortunately, the line is not coded correctly, it should have been `remove(key)` but here it's `remove(value)`.
> This code change correctly removes the entry.
> That said, this behavior, although weird, has been there from the beginning since PKCS12 keystore was introduced. If you can find out a usage of a private key entry without any certificate and think it's worth kept that way, I can simply remove the `remove` call and leave the entry there.

I still think it's useful even if I can't see the certificate chain. I'd rather see the entry if it actually exists in the keystore and I think removing it is odd because it still exists in the keystore. Also, sometimes I use keytool without a storepass just to see what is in it, and then if I see the certificates are not showing up, I can try again with the password.


PR: https://git.openjdk.java.net/jdk/pull/6910

More information about the security-dev mailing list