8194307: KeyStore#getInstance with custom LoadStoreParameter succeeds with invalid password

Reviewed-by: weijun, vinnie
2025-08-27 14:54:52 +02:00 · 2018-01-19 09:49:35 -05:00 · 2018-01-19 09:49:35 -05:00 · d3bd8b3ecc
commit d3bd8b3ecc
parent dc5bb8b61b
3 changed files with 47 additions and 7 deletions
--- a/src/java.base/share/classes/java/security/KeyStore.java
+++ b/src/java.base/share/classes/java/security/KeyStore.java
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2018, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@ -1802,11 +1802,11 @@ public class KeyStore {

            // Load the keystore data
            if (keystore != null) {
+                dataStream.reset(); // prepare the stream for loading
                if (hasPassword) {
-                    dataStream.reset(); // prepare the stream for loading
                    keystore.load(dataStream, password);
                } else {
-                    keystore.load(param);
+                    keystore.keyStoreSpi.engineLoad(dataStream, param);
                }
                return keystore;
            }
--- a/src/java.base/share/classes/java/security/KeyStoreSpi.java
+++ b/src/java.base/share/classes/java/security/KeyStoreSpi.java
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1998, 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1998, 2018, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@ -395,6 +395,12 @@ public abstract class KeyStoreSpi {
    public void engineLoad(KeyStore.LoadStoreParameter param)
                throws IOException, NoSuchAlgorithmException,
                CertificateException {
+        engineLoad(null, param);
+    }
+
+    void engineLoad(InputStream stream, KeyStore.LoadStoreParameter param)
+                throws IOException, NoSuchAlgorithmException,
+                CertificateException {

        if (param == null) {
            engineLoad((InputStream)null, (char[])null);
@ -425,7 +431,7 @@ public abstract class KeyStoreSpi {
            throw new NoSuchAlgorithmException("ProtectionParameter must"
                + " be PasswordProtection or CallbackHandlerProtection");
        }
-        engineLoad(null, password);
+        engineLoad(stream, password);
        return;
    }