8194307: KeyStore#getInstance with custom LoadStoreParameter succeeds with invalid password

Reviewed-by: weijun, vinnie
2025-09-15 08:34:30 +02:00 · 2018-01-19 09:49:35 -05:00 · 2018-01-19 09:49:35 -05:00 · d3bd8b3ecc
commit d3bd8b3ecc
parent dc5bb8b61b
3 changed files with 47 additions and 7 deletions
--- a/src/java.base/share/classes/java/security/KeyStore.java
+++ b/src/java.base/share/classes/java/security/KeyStore.java
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2018, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@ -1802,11 +1802,11 @@ public class KeyStore {

            // Load the keystore data
            if (keystore != null) {
+                dataStream.reset(); // prepare the stream for loading
                if (hasPassword) {
-                    dataStream.reset(); // prepare the stream for loading
                    keystore.load(dataStream, password);
                } else {
-                    keystore.load(param);
+                    keystore.keyStoreSpi.engineLoad(dataStream, param);
                }
                return keystore;
            }
--- a/src/java.base/share/classes/java/security/KeyStoreSpi.java
+++ b/src/java.base/share/classes/java/security/KeyStoreSpi.java
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1998, 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1998, 2018, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@ -395,6 +395,12 @@ public abstract class KeyStoreSpi {
    public void engineLoad(KeyStore.LoadStoreParameter param)
                throws IOException, NoSuchAlgorithmException,
                CertificateException {
+        engineLoad(null, param);
+    }
+
+    void engineLoad(InputStream stream, KeyStore.LoadStoreParameter param)
+                throws IOException, NoSuchAlgorithmException,
+                CertificateException {

        if (param == null) {
            engineLoad((InputStream)null, (char[])null);
@ -425,7 +431,7 @@ public abstract class KeyStoreSpi {
            throw new NoSuchAlgorithmException("ProtectionParameter must"
                + " be PasswordProtection or CallbackHandlerProtection");
        }
-        engineLoad(null, password);
+        engineLoad(stream, password);
        return;
    }

--- a/test/jdk/java/security/KeyStore/ProbeKeystores.java
+++ b/test/jdk/java/security/KeyStore/ProbeKeystores.java
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2014, 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2014, 2018, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@ -23,7 +23,7 @@

 /*
 * @test
- * @bug 8044445
+ * @bug 8044445 8194307
 * @summary test new methods from JEP-229: Create PKCS12 Keystores by Default
 */

@ -37,9 +37,26 @@ import javax.security.auth.callback.*;
 public class ProbeKeystores {
    private static final char[] PASSWORD = "changeit".toCharArray();
    private static final char[] BAD_PASSWORD = "badpasword".toCharArray();
+    private static final LoadStoreParameter LOAD_STORE_PARAM =
+        new MyLoadStoreParameter(new PasswordProtection(PASSWORD));
+    private static final LoadStoreParameter BAD_LOAD_STORE_PARAM =
+        new MyLoadStoreParameter(new PasswordProtection(BAD_PASSWORD));
    private static final String DIR = System.getProperty("test.src", ".");
    private static final String CERT_FILE = "trusted.pem";

+    private static class MyLoadStoreParameter implements LoadStoreParameter {
+
+        private ProtectionParameter protection;
+
+        MyLoadStoreParameter(ProtectionParameter protection) {
+            this.protection = protection;
+        }
+
+        public ProtectionParameter getProtectionParameter() {
+            return protection;
+        }
+    }
+
    public static final void main(String[] args) throws Exception {

        // Testing empty keystores
@ -173,6 +190,23 @@ public class ProbeKeystores {
        } catch (IOException e) {
            System.out.println("Failed to load a " + type + " keystore named '" + file + "' (as expected)");
        }
+
+        // Now try with the correct password within a LoadStoreParameter
+        ks = KeyStore.getInstance(new File(file), LOAD_STORE_PARAM);
+        if (!type.equalsIgnoreCase(ks.getType())) {
+            throw new Exception("ERROR: expected a " + type + " keystore, " +
+                "got a " + ks.getType() + " keystore instead");
+        } else {
+            System.out.println("Probed a " + type + " keystore named '" + file + "'");
+        }
+
+        // Next try with an incorrect password within a LoadStoreParameter
+        try {
+            ks = KeyStore.getInstance(new File(file), BAD_LOAD_STORE_PARAM);
+            throw new Exception("ERROR: expected an exception but got success");
+        } catch (IOException e) {
+            System.out.println("Failed to load a " + type + " keystore named '" + file + "' (as expected)");
+        }
    }

    // Instantiate a keystore by probing the supplied file for the keystore type