On Tue, 3 May 2022 14:54:21 GMT, Hai-May Chao <hc...@openjdk.org> wrote:
>> src/java.base/share/classes/sun/security/tools/keytool/Main.java line 2196:
>>
>>> 2194:
>>> 2195: try {
>>> 2196: SecretKey secKey = (SecretKey) keyStore.getKey(alias,
>>> storePass);
>>
>> This means any secret key entries that are protected by a different password
>> than `storePass` will throw an `UnrecoverableKeyException` and we will not
>> be able to check the constraints. For PKCS12 this is not an issue since
>> `storePass` and `keyPass` have to be the same. But for other keystores like
>> JCEKS it might be a problem. However, I note this is not really a new issue
>> as details about secret key entries other than the fact they exist as
>> entries are not listed, presumably because we may not have the right
>> password.
>>
>> I would recommend adding a comment explaining this.
>>
>> For a future RFE, it might be useful to enhance `keytool -list -alias` to
>> have a `-keypass` option so that additional information for entries
>> protected by a different password than `storePass` could be listed, such as
>> their algorithm and key size.
>
> Comment added.
Filed RFE JDK-8286031 as suggested.
-------------
PR: https://git.openjdk.java.net/jdk/pull/8300
