8354469: Keytool exposes the password in plain text when command is piped using | grep

Reviewed-by: mullan, smarks, naoto, hchao

Author: wangweij

src/java.base/share/classes/jdk/internal/io/JdkConsoleImpl.java

@@ -174,7 +174,9 @@ private char[] readPassword0(boolean noNewLine, Locale locale, String format, Ob
                             ioe.addSuppressed(x);
                     }
                     if (ioe != null) {
-                        Arrays.fill(passwd, ' ');
+                        if (passwd != null) {
+                            Arrays.fill(passwd, ' ');
+                        }
                         try {
                             if (reader instanceof LineReader lr) {
                                 lr.zeroOut();

src/java.base/share/classes/sun/security/util/Password.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2022, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2025, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -29,11 +29,12 @@
 import java.nio.*;
 import java.nio.charset.*;
 import java.util.Arrays;
+
 import jdk.internal.access.SharedSecrets;
+import jdk.internal.io.JdkConsoleImpl;
 
 /**
  * A utility class for reading passwords
- *
  */
 public class Password {
     /** Reads user password from given input stream. */
@@ -50,30 +51,36 @@ public static char[] readPassword(InputStream in, boolean isEchoOn)
 
         char[] consoleEntered = null;
         byte[] consoleBytes = null;
+        char[] buf = null;
 
         try {
             // Only use Console if `in` is the initial System.in
-            Console con;
-            if (!isEchoOn &&
-                    in == SharedSecrets.getJavaLangAccess().initialSystemIn() &&
-                    ((con = System.console()) != null)) {
-                consoleEntered = con.readPassword();
-                // readPassword returns "" if you just press ENTER with the built-in Console,
-                // to be compatible with old Password class, change to null
-                if (consoleEntered == null || consoleEntered.length == 0) {
-                    return null;
+            if (!isEchoOn) {
+                if (in == SharedSecrets.getJavaLangAccess().initialSystemIn()
+                        && ConsoleHolder.consoleIsAvailable()) {
+                    consoleEntered = ConsoleHolder.readPassword();
+                    // readPassword might return null. Stop now.
+                    if (consoleEntered == null) {
+                        return null;
+                    }
+                    consoleBytes = ConsoleHolder.convertToBytes(consoleEntered);
+                    in = new ByteArrayInputStream(consoleBytes);
+                } else if (System.in.available() == 0) {
+                    // This may be running in an IDE Run Window or in JShell,
+                    // which acts like an interactive console and echoes the
+                    // entered password. In this case, print a warning that
+                    // the password might be echoed. If available() is not zero,
+                    // it's more likely the input comes from a pipe, such as
+                    // "echo password |" or "cat password_file |" where input
+                    // will be silently consumed without echoing to the screen.
+                    System.err.print(ResourcesMgr.getString
+                            ("warning.input.may.be.visible.on.screen"));
                 }
-                consoleBytes = convertToBytes(consoleEntered);
-                in = new ByteArrayInputStream(consoleBytes);
             }
 
             // Rest of the lines still necessary for KeyStoreLoginModule
             // and when there is no console.
-
-            char[] lineBuffer;
-            char[] buf;
-
-            buf = lineBuffer = new char[128];
+            buf = new char[128];
 
             int room = buf.length;
             int offset = 0;
@@ -101,11 +108,11 @@ public static char[] readPassword(InputStream in, boolean isEchoOn)
                     /* fall through */
                   default:
                     if (--room < 0) {
+                        char[] oldBuf = buf;
                         buf = new char[offset + 128];
                         room = buf.length - offset - 1;
-                        System.arraycopy(lineBuffer, 0, buf, 0, offset);
-                        Arrays.fill(lineBuffer, ' ');
-                        lineBuffer = buf;
+                        System.arraycopy(oldBuf, 0, buf, 0, offset);
+                        Arrays.fill(oldBuf, ' ');
                     }
                     buf[offset++] = (char) c;
                     break;
@@ -118,8 +125,6 @@ public static char[] readPassword(InputStream in, boolean isEchoOn)
 
             char[] ret = new char[offset];
             System.arraycopy(buf, 0, ret, 0, offset);
-            Arrays.fill(buf, ' ');
-
             return ret;
         } finally {
             if (consoleEntered != null) {
@@ -128,35 +133,72 @@ public static char[] readPassword(InputStream in, boolean isEchoOn)
             if (consoleBytes != null) {
                 Arrays.fill(consoleBytes, (byte)0);
             }
+            if (buf != null) {
+                Arrays.fill(buf, ' ');
+            }
         }
     }
 
-    /**
-     * Change a password read from Console.readPassword() into
-     * its original bytes.
-     *
-     * @param pass a char[]
-     * @return its byte[] format, similar to new String(pass).getBytes()
-     */
-    private static byte[] convertToBytes(char[] pass) {
-        if (enc == null) {
-            synchronized (Password.class) {
-                enc = System.console()
-                        .charset()
-                        .newEncoder()
-                        .onMalformedInput(CodingErrorAction.REPLACE)
-                        .onUnmappableCharacter(CodingErrorAction.REPLACE);
+    // Everything on Console or JdkConsoleImpl is inside this class.
+    private static class ConsoleHolder {
+
+        // primary console; may be null
+        private static final Console c1;
+        // secondary console (when stdout is redirected); may be null
+        private static final JdkConsoleImpl c2;
+        // encoder for c1 or c2
+        private static final CharsetEncoder enc;
+
+        static {
+            c1 = System.console();
+            Charset charset;
+            if (c1 != null) {
+                c2 = null;
+                charset = c1.charset();
+            } else {
+                c2 = JdkConsoleImpl.passwordConsole().orElse(null);
+                charset = (c2 != null) ? c2.charset() : null;
             }
+            enc = charset == null ? null : charset.newEncoder()
+                    .onMalformedInput(CodingErrorAction.REPLACE)
+                    .onUnmappableCharacter(CodingErrorAction.REPLACE);
         }
-        byte[] ba = new byte[(int)(enc.maxBytesPerChar() * pass.length)];
-        ByteBuffer bb = ByteBuffer.wrap(ba);
-        synchronized (enc) {
-            enc.reset().encode(CharBuffer.wrap(pass), bb, true);
+
+        public static boolean consoleIsAvailable() {
+            return c1 != null || c2 != null;
+        }
+
+        public static char[] readPassword() {
+            assert consoleIsAvailable();
+            if (c1 != null) {
+                return c1.readPassword();
+            } else {
+                try {
+                    return c2.readPasswordNoNewLine();
+                } finally {
+                    System.err.println();
+                }
+            }
         }
-        if (bb.position() < ba.length) {
-            ba[bb.position()] = '\n';
+
+        /**
+         * Convert a password read from console into its original bytes.
+         *
+         * @param pass a char[]
+         * @return its byte[] format, equivalent to new String(pass).getBytes()
+         *      but String is immutable and cannot be cleaned up.
+         */
+        public static byte[] convertToBytes(char[] pass) {
+            assert consoleIsAvailable();
+            byte[] ba = new byte[(int) (enc.maxBytesPerChar() * pass.length)];
+            ByteBuffer bb = ByteBuffer.wrap(ba);
+            synchronized (enc) {
+                enc.reset().encode(CharBuffer.wrap(pass), bb, true);
+            }
+            if (bb.remaining() > 0) {
+                bb.put((byte)'\n'); // will be recognized as a stop sign
+            }
+            return ba;
         }
-        return ba;
     }
-    private static volatile CharsetEncoder enc;
 }

src/java.base/share/classes/sun/security/util/resources/security.properties

@@ -74,3 +74,6 @@ line.number.expected.expect.found.actual.=line {0}: expected [{1}], found [{2}]
 
 # sun.security.pkcs11.SunPKCS11
 PKCS11.Token.providerName.Password.=PKCS11 Token [{0}] Password:\u0020
+
+# sun.security.util.Password
+warning.input.may.be.visible.on.screen=[WARNING: Input may be visible on screen]\u0020

test/jdk/sun/security/tools/keytool/EchoPassword.java

@@ -0,0 +1,182 @@
+/*
+ * Copyright (c) 2025, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * @test
+ * @bug 8354469
+ * @summary keytool password does not echo in multiple cases
+ * @library /java/awt/regtesthelpers
+ * @modules java.base/jdk.internal.util
+ * @build PassFailJFrame
+ * @run main/manual/othervm EchoPassword
+ */
+
+import jdk.internal.util.OperatingSystem;
+
+import javax.swing.JEditorPane;
+import javax.swing.JLabel;
+import javax.swing.event.HyperlinkEvent;
+
+import java.awt.Toolkit;
+import java.awt.datatransfer.StringSelection;
+import java.io.File;
+import java.nio.file.Path;
+
+public class EchoPassword {
+
+    static JLabel label;
+
+    public static void main(String[] args) throws Exception {
+
+        var ks1 = "\"" + Path.of("8354469.ks1").toAbsolutePath() + "\"";
+        var ks2 = "\"" + Path.of("8354469.ks2").toAbsolutePath() + "\"";
+        var ks3 = "\"" + Path.of("8354469.ks3").toAbsolutePath() + "\"";
+
+        final String keytool = "\"" + System.getProperty("java.home")
+                + File.separator + "bin" + File.separator + "keytool\"";
+        final String nonASCII = "äöäöäöäö";
+
+        final String[][] commands = {
+                // Input password from real Console
+                {"First command", keytool + " -keystore " + ks1
+                        + " -genkeypair -keyalg ec -dname cn=a -alias first"},
+                // Input password from limited Console (when stdout is redirected)
+                {"Second command", keytool + " -keystore " + ks2
+                        + " -genkeypair -keyalg ec -dname cn=b -alias second | sort"},
+                // Input password from System.in stream
+                {"Third command", "echo changeit| " + keytool + " -keystore " + ks1
+                        + " -genkeypair -keyalg ec -dname cn=c -alias third"},
+                // Ensure limited Console does not write a newline to System.out
+                {"Fourth command", keytool + " -keystore " + ks1
+                        + " -exportcert -alias first | "
+                        + keytool + " -printcert -rfc"},
+                // Non-ASCII password from System.in
+                {"Fifth command", "("
+                        // Solution 2 of https://stackoverflow.com/a/29747723
+                        + (OperatingSystem.isWindows()
+                        ? ("echo " + nonASCII + "^&echo " + nonASCII + "^&rem.")
+                        : ("echo " + nonASCII + "; echo " + nonASCII))
+                        + ") | " + keytool + " -keystore " + ks3
+                                + " -genkeypair -alias a -keyalg ec -dname cn=a"},
+                // Non-ASCII password from Console
+                {"Sixth command", keytool + " -keystore " + ks3
+                        + " -exportcert -alias a -rfc"},
+                {"The password", nonASCII}
+        };
+
+        final String message = String.format("""
+                <html>Open a terminal or Windows Command Prompt window, perform
+                the following steps, and record the final result. Each time you
+                click a link to copy something, make sure the status line at the
+                bottom shows the link has been successfully clicked.
+                <h3>Part I: Password Echoing Tests</h3>
+                <ol>
+                <li>Click <a href='c0'>Copy First Command</a> to copy the
+                following command into the system clipboard. Paste it into the
+                terminal window and execute the command.
+                <p><code>
+                %s
+                </code><p>
+                When prompted, enter "changeit" and press Enter. When prompted
+                again, enter "changeit" again and press Enter. Verify that the
+                two password prompts show up on different lines, both
+                passwords are hidden, and a key pair is generated successfully.
+
+                <li>Click <a href='c1'>Copy Second Command</a> to copy the
+                following command into the system clipboard. Paste it into the
+                terminal window and execute the command.
+                <p><code>
+                %s
+                </code><p>
+                When prompted, enter "changeit" and press Enter. When prompted
+                again, enter "changeit" again and press Enter. Verify that the
+                two password prompts show up on different lines, both
+                passwords are hidden, and a key pair is generated successfully.
+
+                <li>Click <a href='c2'>Copy Third Command</a> to copy the
+                following command into the system clipboard. Paste it into the
+                terminal window and execute the command.
+                <p><code>
+                %s
+                </code><p>
+                You will see a prompt but you don't need to enter anything.
+                Verify that the password "changeit" is not shown in the command
+                output and a key pair is generated successfully.
+
+                <li>Click <a href='c3'>Copy Fourth Command</a> to copy the
+                following command into the system clipboard. Paste it into the
+                terminal window and execute the command.
+                <p><code>
+                %s
+                </code><p>
+                When prompted, enter "changeit" and press Enter. Verify that the
+                password is hidden and a PEM certificate is correctly shown.
+                </ol>
+                <h3>Part II: Interoperability on Non-ASCII Passwords</h3>
+                <ol>
+                <li>Click <a href='c4'>Copy Fifth Command</a> to copy the
+                following command into the system clipboard. Paste it into the
+                terminal window and execute the command.
+                <p><code>
+                %s
+                </code><p>
+                Verify that a key pair is generated successfully.
+
+                <li>Click <a href='c5'>Copy Sixth Command</a> to copy the
+                following command into the system clipboard. Paste it into the
+                terminal window and execute the command.
+                <p><code>
+                %s
+                </code><p>
+                When prompted, click <a href='c6'>Copy Password</a> to copy the
+                password. Paste it into the terminal window and press Enter.
+                Verify that the password is hidden and a PEM certificate is
+                correctly shown.
+                </ol>
+                Press "pass" if the behavior matches expectations;
+                otherwise, press "fail".
+                """, commands[0][1], commands[1][1], commands[2][1], commands[3][1],
+                commands[4][1], commands[5][1], commands[6][1]);
+
+        PassFailJFrame.builder()
+                .instructions(message)
+                .rows(40).columns(100)
+                .hyperlinkListener(e -> {
+                    if (e.getEventType() == HyperlinkEvent.EventType.ACTIVATED) {
+                        int pos = Integer.parseInt(e.getDescription().substring(1));
+                        Toolkit.getDefaultToolkit().getSystemClipboard().setContents(
+                                new StringSelection(commands[pos][1]), null);
+                        label.setText(commands[pos][0] + " copied");
+                        if (e.getSource() instanceof JEditorPane ep) {
+                            ep.getCaret().setVisible(false);
+                        }
+                    }
+                })
+                .splitUIBottom(() -> {
+                    label = new JLabel("Status");
+                    return label;
+                })
+                .build()
+                .awaitAndCheck();
+    }
+}