# HG changeset patch
# User weijun
# Date 1315538298 -28800
# Node ID 4288852bdda697943e121b1c95235965aa7de410
# Parent e9df9d2648947f2f6ad6964e387dc76a86b58e38
7047200: keytool safe store
Reviewed-by: xuelei
diff -r e9df9d264894 -r 4288852bdda6 jdk/src/share/classes/sun/security/tools/KeyTool.java
--- a/jdk/src/share/classes/sun/security/tools/KeyTool.java Thu Sep 08 09:04:28 2011 +0800
+++ b/jdk/src/share/classes/sun/security/tools/KeyTool.java Fri Sep 09 11:18:18 2011 +0800
@@ -1141,17 +1141,14 @@
 if (token) {
 keyStore.store(null, null);
 } else {
- FileOutputStream fout = null;
- try {
- fout = (nullStream ?
- (FileOutputStream)null :
- new FileOutputStream(ksfname));
- keyStore.store
- (fout,
- (storePassNew!=null) ? storePassNew : storePass);
- } finally {
- if (fout != null) {
- fout.close();
+ char[] pass = (storePassNew!=null) ? storePassNew : storePass;
+ if (nullStream) {
+ keyStore.store(null, pass);
+ } else {
+ ByteArrayOutputStream bout = new ByteArrayOutputStream();
+ keyStore.store(bout, pass);
+ try (FileOutputStream fout = new FileOutputStream(ksfname)) {
+ fout.write(bout.toByteArray());
 }
 }
 }
@@ -1399,7 +1396,7 @@
 private char[] promptForKeyPass(String alias, String orig, char[] origPass) throws Exception{
 if (P12KEYSTORE.equalsIgnoreCase(storetype)) {
 return origPass;
- } else if (!token) {
+ } else if (!token && !protectedPath) {
 // Prompt for key password
 int count;
 for (count = 0; count < 3; count++) {
@@ -1446,7 +1443,7 @@
 }
 }
 }
- return null; // PKCS11
+ return null; // PKCS11, MSCAPI, or -protected
 }
 /**
 * Creates a new secret key.
diff -r e9df9d264894 -r 4288852bdda6 jdk/test/sun/security/tools/keytool/trystore.sh
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/jdk/test/sun/security/tools/keytool/trystore.sh Fri Sep 09 11:18:18 2011 +0800
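Review bot: The `new FileOutputStream(ksfname)` in the added try-with-resources still truncates the existing keystore before `fout.write(...)` runs, so an I/O failure during the write (full disk, killed process) can leave a partial file even though a `keyStore.store` failure no longer can. Writing the buffered bytes to a temporary file in the same directory and renaming it over the target, using `java.nio.file`, would close that gap. The sketch below assumes `ksfname` is a path string and that replacing the file instead of rewriting it in place is acceptable; ownership, mode and symlink handling of the original keystore would need to be checked before adopting it. The enclosing method starts and ends outside the hunk.

```java
ByteArrayOutputStream bout = new ByteArrayOutputStream();
keyStore.store(bout, pass);
// Write a sibling temp file, then rename it over ksfname, so an I/O
// failure mid-write cannot leave a truncated keystore behind.
Path target = Paths.get(ksfname).toAbsolutePath();
Path tmp = Files.createTempFile(target.getParent(), "keystore", ".tmp");
try {
    Files.write(tmp, bout.toByteArray());
    Files.move(tmp, target, StandardCopyOption.REPLACE_EXISTING,
            StandardCopyOption.ATOMIC_MOVE);
} finally {
    // No-op after a successful move; removes the leftover on failure.
    Files.deleteIfExists(tmp);
}
```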
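Review bot: With the added `!protectedPath` condition, `promptForKeyPass` now returns null for file-based store types whenever `-protected` is given, and nothing in this hunk documents that callers must cope with a null key password. A Javadoc line on the method would make the contract explicit, for example `@return the key password, or null when none is prompted for (PKCS11, MSCAPI, or -protected)`. Judging from the accompanying test, a JKS store combined with `-protected` is only rejected later, at store time; if an earlier check of the store type against `-protected` exists it is outside this hunk, and that is worth confirming. The method body continues past the end of the hunk.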
@@ -0,0 +1,65 @@
+#
+# Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved.
+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+#
+# This code is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License version 2 only, as
+# published by the Free Software Foundation.
+#
+# This code is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# version 2 for more details (a copy is included in the LICENSE file that
+# accompanied this code).
+#
+# You should have received a copy of the GNU General Public License version
+# 2 along with this work; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+# or visit www.oracle.com if you need additional information or have any
+# questions.
+#
+
+# @test
+# @bug 7047200
+# @summary keytool can try save to a byte array before overwrite the file
+
+if [ "${TESTJAVA}" = "" ] ; then
+ JAVAC_CMD=`which javac`
+ TESTJAVA=`dirname $JAVAC_CMD`/..
+fi
+
+# set platform-dependent variables
+OS=`uname -s`
+case "$OS" in
+ Windows_* )
+ FS="\\"
+ ;;
+ * )
+ FS="/"
+ ;;
+esac
+
+rm trystore.jks 2> /dev/null
+
+KEYTOOL="${TESTJAVA}${FS}bin${FS}keytool -storetype jks -keystore trystore.jks"
+$KEYTOOL -genkeypair -alias a -dname CN=A -storepass changeit -keypass changeit
+$KEYTOOL -genkeypair -alias b -dname CN=B -storepass changeit -keypass changeit
+
+# We use -protected for JKS keystore. This is illegal so the command should
+# fail. Then we can check if the keystore is damaged.
+
+$KEYTOOL -genkeypair -protected -alias b -delete -debug
+
+if [ $? = 0 ]; then
+ echo "What? -protected works for JKS?"
+ exit 1
+fi
+
+$KEYTOOL -list -storepass changeit
+
+if [ $? != 0 ]; then
+ echo "Keystore file damaged"
+ exit 2
+fi
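Review bot: The final check, `$KEYTOOL -list -storepass changeit`, only proves the keystore still loads after the failed command; it does not show that entries `a` and `b` both survived. Listing each alias explicitly would pin that down, e.g. `$KEYTOOL -list -storepass changeit -alias a` and the same for `-alias b`, each followed by the existing `$?` check. The two setup `-genkeypair` calls are also unchecked, so a setup failure would be reported as "Keystore file damaged". The failing command passes both `-genkeypair` and `-delete`; a comment saying which of the two is meant to take effect would help the next reader.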