On Tue, 3 May 2022 14:54:21 GMT, Hai-May Chao <hc...@openjdk.org> wrote:

>> src/java.base/share/classes/sun/security/tools/keytool/Main.java line 2196:
>>
>>> 2194:
>>> 2195:             try {
>>> 2196:                 SecretKey secKey = (SecretKey) keyStore.getKey(alias, storePass);
>>
>> This means any secret key entries that are protected by a different password than `storePass` will throw an `UnrecoverableKeyException` and we will not be able to check the constraints. For PKCS12 this is not an issue since `storePass` and `keyPass` have to be the same. But for other keystores like JCEKS it might be a problem. However, I note this is not really a new issue as details about secret key entries other than the fact they exist as entries are not listed, presumably because we may not have the right password.
>>
>> I would recommend adding a comment explaining this.
>>
>> For a future RFE, it might be useful to enhance `keytool -list -alias` to have a `-keypass` option so that additional information for entries protected by a different password than `storePass` could be listed, such as their algorithm and key size.
>
> Comment added. Filed RFE JDK-8286031 as suggested.

-------------

PR: https://git.openjdk.java.net/jdk/pull/8300
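The behaviour the review comment describes, shown as an added Java example that is not part of the PR, of keytool, or of the JDK's own code: a JCEKS keystore holding one secret key entry whose entry password differs from the store password. The alias and both passwords are constructed for this example. Listing the alias and its entry type works with only the store password, `getKey` with the store password fails with `UnrecoverableKeyException`, and only the entry's own password yields the algorithm and key size that a `-keypass` option would let a listing report.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public class SecretKeyEntryPasswords {

    // Alias and passwords constructed for this example (not from the PR).
    static final String ALIAS = "example-aes-key";
    static final char[] STORE_PASS = "store-password".toCharArray();
    static final char[] KEY_PASS = "different-key-password".toCharArray();

    /**
     * Builds an in-memory JCEKS keystore with one SecretKeyEntry whose
     * entry password (KEY_PASS) is different from the store password
     * (STORE_PASS), then round-trips it through bytes so the real
     * store/load path is exercised.
     */
    static KeyStore buildStore() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey();

        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(null, null);                       // start with an empty store
        ks.setKeyEntry(ALIAS, key, KEY_PASS, null); // entry sealed with KEY_PASS

        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, STORE_PASS);                 // integrity protected with STORE_PASS

        KeyStore loaded = KeyStore.getInstance("JCEKS");
        loaded.load(new ByteArrayInputStream(out.toByteArray()), STORE_PASS);
        return loaded;
    }

    /**
     * What a listing tool can learn with only the store password: the entry
     * exists and is a key entry, but the key itself cannot be recovered.
     */
    static void describeWithoutKeyPass(KeyStore ks) throws Exception {
        System.out.println("alias present: " + ks.containsAlias(ALIAS));
        System.out.println("is key entry:  " + ks.isKeyEntry(ALIAS));
        try {
            ks.getKey(ALIAS, STORE_PASS);
            System.out.println("unexpected: key recovered with store password");
        } catch (UnrecoverableKeyException e) {
            // Expected: the entry was sealed with KEY_PASS, not STORE_PASS.
            System.out.println("not recoverable with store password: " + e.getMessage());
        }
    }

    /**
     * With the entry's own password the algorithm and key size become
     * available, which is the extra detail a -keypass option could list.
     */
    static void describeWithKeyPass(KeyStore ks) throws Exception {
        SecretKey k = (SecretKey) ks.getKey(ALIAS, KEY_PASS);
        System.out.println("algorithm: " + k.getAlgorithm()
                + ", key size: " + (k.getEncoded().length * 8) + " bits");
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = buildStore();
        describeWithoutKeyPass(ks);
        describeWithKeyPass(ks);
    }
}
```

Run with `java SecretKeyEntryPasswords.java` on any recent JDK; the JCEKS type comes from the SunJCE provider in `java.base`, so no extra setup is needed. A check that inspects key material (such as an algorithm-constraint check) therefore has to be written so that an `UnrecoverableKeyException` on a secret key entry is reported as "could not inspect" rather than treated as a pass.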
>> src/java.base/share/classes/sun/security/tools/keytool/Main.java line 2196: >> >>> 2194: >>> 2195: try { >>> 2196: SecretKey secKey = (SecretKey) keyStore.getKey(alias, >>> storePass); >> >> This means any secret key entries that are protected by a different password >> than `storePass` will throw an `UnrecoverableKeyException` and we will not >> be able to check the constraints. For PKCS12 this is not an issue since >> `storePass` and `keyPass` have to be the same. But for other keystores like >> JCEKS it might be a problem. However, I note this is not really a new issue >> as details about secret key entries other than the fact they exist as >> entries are not listed, presumably because we may not have the right >> password. >> >> I would recommend adding a comment explaining this. >> >> For a future RFE, it might be useful to enhance `keytool -list -alias` to >> have a `-keypass` option so that additional information for entries >> protected by a different password than `storePass` could be listed, such as >> their algorithm and key size. > > Comment added. Filed RFE JDK-8286031 as suggested. ------------- PR: https://git.openjdk.java.net/jdk/pull/8300