Bug ID: 4703755
Votes: 0
Synopsis: keytool displays passwords as they are entered
Category: java:classes_security
Reported Against: 1.4, 1.4.0_00, merlin-rc1
Release Fixed:
State: 11-Closed, duplicate of 4050435, request for enhancement
Priority: 3-Medium
Related Bugs: 4713591
Submit Date: 18-JUN-2002

Description
The keytool displays passwords as they are entered. This
is considered very bad practice from a security point of view.
Example:
# keytool -import -alias patchsigning -file /opt/SUNWppro/etc/certs/patchsigningcert.b64 -keystore /usr/j2se/jre/lib/security/cacerts
Enter keystore password: foobar
                         ^^^^^^
# java -version
java version "1.4.0_00"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.0_00-b05)
Java HotSpot(TM) Client VM (build 1.4.0_00-b05, mixed mode)
# pkginfo -l SUNWj3rt
PKGINST: SUNWj3rt
NAME: J2SDK 1.4 runtime environment
CATEGORY: system
ARCH: sparc
VERSION: 1.4.0,REV=2002.03.19.23.51
BASEDIR: /usr
VENDOR: xxxxx , Inc.
DESC: Java virtual machine and core class libraries
PSTAMP: exactvm-sm19235127
INSTDATE: May 06 2002 16:14
HOTLINE: Please contact your local service provider
STATUS: completely installed
FILES: 644 installed pathnames
14 shared pathnames
65 directories
60 executables
107109 blocks used (approx)
# uname -a
SunOS sunhsc 5.9 Generic sun4u sparc SUNW,Ultra-60

Work Around: N/A

Evaluation
xxxxx@xxxxx 2002-06-18
We agree that it would be better not to echo the password back to avoid
the "peeking over the shoulder" attacks. But currently there is no platform
independent way to do this in Java. This is one of the top RFEs filed at
http://developer.java.sun.com/developer/bugParade/top25rfes.html (see 4050435).
So I'm changing this to "rfe". Once rfe 4050435 is implemented, we'll improve
password handling in keytool.

Comments
PLEASE NOTE: JDK6 is formerly known as Project Mustang
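
The evaluation above turns on reading a password without terminal echo. As an added example (not code from this bug report or from keytool itself), the sketch below does that with `java.io.Console`, which is available from Java 6 onward, and uses the password to open a keystore. The class name `QuietKeystorePrompt` and the choice to fail rather than fall back to an echoing read are assumptions of the example.

```java
import java.io.Console;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Arrays;
import java.util.Collections;

// Hypothetical class name; illustrates a no-echo keystore password prompt.
public class QuietKeystorePrompt {

    /** Prompts on the controlling terminal with echo disabled. */
    static char[] promptPassword(String prompt) {
        Console console = System.console();
        if (console == null) {
            // No interactive terminal (redirected stdin/stdout, IDE, batch job).
            // Fail closed instead of reading the password with echo on.
            throw new IllegalStateException("no console; refusing to read a password with echo");
        }
        // "%s" keeps any '%' in the prompt from being treated as a format directive.
        char[] password = console.readPassword("%s", prompt);
        if (password == null) {
            throw new IllegalStateException("end of input while reading password");
        }
        return password;
    }

    public static void main(String[] args) throws IOException, GeneralSecurityException {
        if (args.length != 1) {
            System.err.println("usage: java QuietKeystorePrompt <keystore-file>");
            System.exit(2);
        }
        char[] password = promptPassword("Enter keystore password: ");
        try (InputStream in = new FileInputStream(args[0])) {
            KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
            ks.load(in, password); // throws IOException if the password is wrong
            for (String alias : Collections.list(ks.aliases())) {
                System.out.println(alias);
            }
        } finally {
            // char[] (unlike String) can be overwritten once it is no longer needed.
            Arrays.fill(password, '\0');
        }
    }
}
```

`System.console()` returns null whenever the JVM has no interactive terminal, so callers that script the tool need a separate, non-interactive way to supply the password.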