From 683412e76617cd0abacd714a0c88381772273d7e Mon Sep 17 00:00:00 2001
From: Alexei Znamensky
Date: Sun, 31 May 2026 18:33:35 +1200
Subject: [PATCH 1/3] fix(java_cert): remove -noprompt from keytool -list to allow stdin password
-noprompt is not a valid option for keytool -list (only for importkeystore/ importcert). On Java 8, passing it caused keytool to skip reading the store password from stdin, resulting in a null password and NullPointerException.
Fixes #3023
Co-Authored-By: Claude Sonnet 4.6
---
 plugins/modules/java_cert.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/plugins/modules/java_cert.py b/plugins/modules/java_cert.py
index 2a2cd590be..60343cf8bb 100644
--- a/plugins/modules/java_cert.py
+++ b/plugins/modules/java_cert.py
@@ -279,7 +279,7 @@ def _get_digest_from_x509_file(module, pem_certificate_file, openssl_bin):
 def _export_public_cert_from_pkcs12(module, executable, pkcs_file, alias, password, dest):
 """Runs keytools to extract the public cert from a PKCS12 archive and write it to a file."""
- export_cmd = [executable, "-list", "-noprompt", "-keystore", pkcs_file, "-storetype", "pkcs12", "-rfc"]
+ export_cmd = [executable, "-list", "-keystore", pkcs_file, "-storetype", "pkcs12", "-rfc"]
 # Append optional alias
 if alias:
 export_cmd.extend(["-alias", alias])
From eb1ed6998d8788da2c8f75ab29f26d1086ce385c Mon Sep 17 00:00:00 2001
From: Alexei Znamensky
Date: Sun, 31 May 2026 18:33:40 +1200
Subject: [PATCH 2/3] test(java_cert): add idempotency test for pkcs12 import with password
Exercises _export_public_cert_from_pkcs12 when the alias already exists, verifying the password is correctly read from stdin on the comparison path.
Co-Authored-By: Claude Sonnet 4.6
---
 .../targets/java_cert/tasks/main.yml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/tests/integration/targets/java_cert/tasks/main.yml b/tests/integration/targets/java_cert/tasks/main.yml
index d67b65474f..002c217b9f 100644
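Review bot: In plugins/modules/java_cert.py, the new `export_cmd` line in `_export_public_cert_from_pkcs12` carries no comment explaining why `-noprompt` is absent, so a later cleanup could re-add it for symmetry with the import commands and bring back the Java 8 failure. A short comment above the list would pin this down: `# keytool -list has no -noprompt option; the store password is read from stdin rather than passed as an argument`. The call that feeds `password` to keytool lies outside the hunk, so how a missing or empty `pkcs12_password` behaves now that keytool waits on stdin is not visible here and is worth checking.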
--- a/tests/integration/targets/java_cert/tasks/main.yml
+++ b/tests/integration/targets/java_cert/tasks/main.yml
@@ -32,6 +32,23 @@
 that:
 - result_success is successful
+ - name: import pkcs12 again to verify idempotency (tests password via stdin in _export_public_cert_from_pkcs12)
+ community.general.java_cert:
+ pkcs12_path: "{{ remote_tmp_dir }}/{{ test_pkcs12_path }}"
+ pkcs12_password: changeit
+ pkcs12_alias: default
+ cert_alias: default
+ keystore_path: "{{ remote_tmp_dir }}/{{ test_keystore_path }}"
+ keystore_pass: changeme_keystore
+ keystore_create: true
+ state: present
+ register: result_idempotent
+
+ - name: verify idempotency
+ ansible.builtin.assert:
+ that:
+ - result_idempotent is not changed
+
 - name: import pkcs12 without alias params
 community.general.java_cert:
 pkcs12_path: "{{ remote_tmp_dir }}/{{ test_pkcs12_path }}"
From 447ff273bffc926af5b0612bcb572ca7761273be Mon Sep 17 00:00:00 2001
From: Alexei Znamensky
Date: Sun, 31 May 2026 18:38:43 +1200
Subject: [PATCH 3/3] changelog: add fragment for PR 12151
Co-Authored-By: Claude Sonnet 4.6
---
 changelogs/fragments/12151-java-cert-pkcs12-password.yml | 4 ++++
 1 file changed, 4 insertions(+)
 create mode 100644 changelogs/fragments/12151-java-cert-pkcs12-password.yml
diff --git a/changelogs/fragments/12151-java-cert-pkcs12-password.yml b/changelogs/fragments/12151-java-cert-pkcs12-password.yml
new file mode 100644
index 0000000000..7c983bc1a7
--- /dev/null
+++ b/changelogs/fragments/12151-java-cert-pkcs12-password.yml
@@ -0,0 +1,4 @@
+bugfixes:
+ - "java_cert - fix ``NullPointerException`` when importing from a PKCS12 file with a password on Java 8
+ (https://github.com/ansible-collections/community.general/issues/3023,
+ https://github.com/ansible-collections/community.general/pull/12151)."
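Review bot: In tests/integration/targets/java_cert/tasks/main.yml, the added idempotency task only guards the regression when the target host runs Java 8, because the commit message ties the `NullPointerException` to that version; on newer JDKs the same task would presumably have passed before the fix as well. Whether the test matrix for this target still includes a Java 8 host is not visible in the hunk. A comment above the task would record the dependency, for example `# Regression test for #3023: only reproduces on Java 8, keep a Java 8 host in the matrix for this target`.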