kaikramer / keystore-explorer

KeyStore Explorer is a free GUI replacement for the Java command-line utilities keytool and jarsigner.
https://keystore-explorer.org/
GNU General Public License v3.0
1.7k stars 275 forks source link

KeyStore Explorer And Blank Password #496

Closed class101 closed 6 months ago

class101 commented 6 months ago

Hello KSE developers,

There is a behavior that I cannot explain regarding the creation of a JKS keystore with the password "toto".

kse-553-password-is-toto.jks.txt

I am puzzled as to why KeyStore Explorer 5.5.* can open all my password-protected JKS files with a blank password.

I have never been able to understand this behavior; the only difference with my colleague is that he continues to use an older version of KSE 5.2. and has never encountered this issue, whereas I have been updated to 5.5. for a long time and have consistently observed this behavior.

kaikramer commented 6 months ago

If you take a look at the release notes of KSE 5.4.3 the following change is mentioned there:

  • JKS and JCEKS keystores can now be opened without entering the password, just press enter in the password dialog.

    • This is only possible because the JKS/JCEKS keystore password (in contrast to the passwords of individual key entries) is just an integrity protection.
    • Key entries are of course still locked.
    • The keystore is handled by KSE as if no keystore password was set yet. If you want to save the keystore after a modification, you have to set a new keystore password.

The first sub-point should explain why it works at all. And the reason this feature was added is simply that it has been requested by users.

It can be useful in certain situations:

By the way, JKS keystores have very weak security in general, PKCS#12 might be a better choice in 2024.

class101 commented 6 months ago

@kaikramer

I understand thank you a lot.

This was a mistery to us now resolved 👍