[PR #12151/994b7560 backport][stable-13] java_cert: fix PKCS12 password not passed to keytool -list (#12243)

java_cert: fix PKCS12 password not passed to `keytool -list` (#12151) * fix(java_cert): remove -noprompt from keytool -list to allow stdin password -noprompt is not a valid option for keytool -list (only for importkeystore/ importcert). On Java 8, passing it caused keytool to skip reading the store password from stdin, resulting in a null password and NullPointerException. Fixes #3023 * test(java_cert): add idempotency test for pkcs12 import with password Exercises _export_public_cert_from_pkcs12 when the alias already exists, verifying the password is correctly read from stdin on the comparison path. * changelog: add fragment for PR 12151 --------- (cherry picked from commit 994b756026) Co-authored-by: Alexei Znamensky <103110+russoz@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-15 12:27:38 +00:00 · 2026-06-13 17:33:42 +02:00 · 2026-06-13 17:33:42 +02:00 · c14620fcf6
commit c14620fcf6
parent 74207ab57f
3 changed files with 22 additions and 1 deletions
--- a/changelogs/fragments/12151-java-cert-pkcs12-password.yml
+++ b/changelogs/fragments/12151-java-cert-pkcs12-password.yml
@ -0,0 +1,4 @@
+bugfixes:
+  - "java_cert - fix ``NullPointerException`` when importing from a PKCS12 file with a password on Java 8
+    (https://github.com/ansible-collections/community.general/issues/3023,
+    https://github.com/ansible-collections/community.general/pull/12151)."
--- a/plugins/modules/java_cert.py
+++ b/plugins/modules/java_cert.py
@ -279,7 +279,7 @@ def _get_digest_from_x509_file(module, pem_certificate_file, openssl_bin):

 def _export_public_cert_from_pkcs12(module, executable, pkcs_file, alias, password, dest):
    """Runs keytools to extract the public cert from a PKCS12 archive and write it to a file."""
-    export_cmd = [executable, "-list", "-noprompt", "-keystore", pkcs_file, "-storetype", "pkcs12", "-rfc"]
+    export_cmd = [executable, "-list", "-keystore", pkcs_file, "-storetype", "pkcs12", "-rfc"]
    # Append optional alias
    if alias:
        export_cmd.extend(["-alias", alias])
--- a/tests/integration/targets/java_cert/tasks/main.yml
+++ b/tests/integration/targets/java_cert/tasks/main.yml
@ -32,6 +32,23 @@
        that:
          - result_success is successful

+    - name: import pkcs12 again to verify idempotency (tests password via stdin in _export_public_cert_from_pkcs12)
+      community.general.java_cert:
+        pkcs12_path: "{{ remote_tmp_dir }}/{{ test_pkcs12_path }}"
+        pkcs12_password: changeit
+        pkcs12_alias: default
+        cert_alias: default
+        keystore_path: "{{ remote_tmp_dir }}/{{ test_keystore_path }}"
+        keystore_pass: changeme_keystore
+        keystore_create: true
+        state: present
+      register: result_idempotent
+
+    - name: verify idempotency
+      ansible.builtin.assert:
+        that:
+          - result_idempotent is not changed
+
    - name: import pkcs12 without alias params
      community.general.java_cert:
        pkcs12_path: "{{ remote_tmp_dir }}/{{ test_pkcs12_path }}"