8231107: Allow store password to be null when saving a PKCS12 KeyStore

Reviewed-by: mullan
2025-08-28 15:24:43 +02:00 · 2021-12-01 01:01:57 +00:00 · 2021-12-01 01:01:57 +00:00 · 7049c13cf4
commit 7049c13cf4
parent ab867f6c7c
4 changed files with 54 additions and 33 deletions
--- a/src/java.base/share/classes/java/security/KeyStore.java
+++ b/src/java.base/share/classes/java/security/KeyStore.java
@ -1384,7 +1384,9 @@ public class KeyStore {
     * integrity with the given password.
     *
     * @param stream the output stream to which this keystore is written.
-     * @param password the password to generate the keystore integrity check
+     * @param password the password to generate the keystore integrity check.
+     *                 May be {@code null} if the keystore does not support
+     *                 or require an integrity check.
     *
     * @throws    KeyStoreException if the keystore has not been initialized
     * (loaded).
--- a/src/java.base/share/classes/java/security/KeyStoreSpi.java
+++ b/src/java.base/share/classes/java/security/KeyStoreSpi.java
@ -289,7 +289,9 @@ public abstract class KeyStoreSpi {
     * integrity with the given password.
     *
     * @param stream the output stream to which this keystore is written.
-     * @param password the password to generate the keystore integrity check
+     * @param password the password to generate the keystore integrity check.
+     *                 May be {@code null} if the keystore does not support
+     *                 or require an integrity check.
     *
     * @throws    IOException if there was an I/O problem with data
     * @throws    NoSuchAlgorithmException if the appropriate data integrity
--- a/src/java.base/share/classes/sun/security/pkcs12/PKCS12KeyStore.java
+++ b/src/java.base/share/classes/sun/security/pkcs12/PKCS12KeyStore.java
@ -1259,14 +1259,20 @@ public final class PKCS12KeyStore extends KeyStoreSpi {
                    " certificate(s) in a PKCS#7 encryptedData");
            }

-            byte[] encrData = createEncryptedData(password);
-            if (!certProtectionAlgorithm.equalsIgnoreCase("NONE")) {
+            byte[] certsData = getCertificateData();
+            if (password != null && !certProtectionAlgorithm.equalsIgnoreCase("NONE")) {
+                // -- SEQUENCE of EncryptedData
+                DerOutputStream encrData = new DerOutputStream();
+                encrData.putInteger(0);
+                encrData.write(encryptContent(certsData, password));
+                DerOutputStream encrDataContent = new DerOutputStream();
+                encrDataContent.write(DerValue.tag_Sequence, encrData);
                ContentInfo encrContentInfo =
                        new ContentInfo(ContentInfo.ENCRYPTED_DATA_OID,
-                                new DerValue(encrData));
+                                new DerValue(encrDataContent.toByteArray()));
                encrContentInfo.encode(authSafeContentInfo);
            } else {
-                ContentInfo dataContentInfo = new ContentInfo(encrData);
+                ContentInfo dataContentInfo = new ContentInfo(certsData);
                dataContentInfo.encode(authSafeContentInfo);
            }
        }
@ -1289,7 +1295,7 @@ public final class PKCS12KeyStore extends KeyStoreSpi {
        if (macIterationCount < 0) {
            macIterationCount = defaultMacIterationCount();
        }
-        if (!macAlgorithm.equalsIgnoreCase("NONE")) {
+        if (password != null && !macAlgorithm.equalsIgnoreCase("NONE")) {
            byte[] macData = calculateMac(password, authenticatedSafe);
            pfx.write(macData);
        }
@ -1704,12 +1710,11 @@ public final class PKCS12KeyStore extends KeyStoreSpi {
    }

    /*
-     * Create EncryptedData content type, that contains EncryptedContentInfo.
-     * Includes certificates in individual SafeBags of type CertBag.
-     * Each CertBag may include pkcs12 attributes
+     * Create Data content type, includes certificates in individual
+     * SafeBags of type CertBag. Each CertBag may include pkcs12 attributes
     * (see comments in getBagAttributes)
     */
-    private byte[] createEncryptedData(char[] password)
+    private byte[] getCertificateData()
        throws CertificateException, IOException
    {
        DerOutputStream out = new DerOutputStream();
@ -1803,22 +1808,7 @@ public final class PKCS12KeyStore extends KeyStoreSpi {
        // wrap as SequenceOf SafeBag
        DerOutputStream safeBagValue = new DerOutputStream();
        safeBagValue.write(DerValue.tag_SequenceOf, out);
-        byte[] safeBagData = safeBagValue.toByteArray();
-
-        // encrypt the content (EncryptedContentInfo)
-        if (!certProtectionAlgorithm.equalsIgnoreCase("NONE")) {
-            byte[] encrContentInfo = encryptContent(safeBagData, password);
-
-            // -- SEQUENCE of EncryptedData
-            DerOutputStream encrData = new DerOutputStream();
-            DerOutputStream encrDataContent = new DerOutputStream();
-            encrData.putInteger(0);
-            encrData.write(encrContentInfo);
-            encrDataContent.write(DerValue.tag_Sequence, encrData);
-            return encrDataContent.toByteArray();
-        } else {
-            return safeBagData;
-        }
+        return safeBagValue.toByteArray();
    }

    /*