From c14620fcf6555c05243ee219d164b97d9c35fd1d Mon Sep 17 00:00:00 2001 From: "patchback[bot]" <45432694+patchback[bot]@users.noreply.github.com> Date: Sat, 13 Jun 2026 17:33:42 +0200 Subject: [PATCH] [PR #12151/994b7560 backport][stable-13] java_cert: fix PKCS12 password not passed to `keytool -list` (#12243) java_cert: fix PKCS12 password not passed to `keytool -list` (#12151) * fix(java_cert): remove -noprompt from keytool -list to allow stdin password -noprompt is not a valid option for keytool -list (only for importkeystore/ importcert). On Java 8, passing it caused keytool to skip reading the store password from stdin, resulting in a null password and NullPointerException. Fixes #3023 * test(java_cert): add idempotency test for pkcs12 import with password Exercises _export_public_cert_from_pkcs12 when the alias already exists, verifying the password is correctly read from stdin on the comparison path. * changelog: add fragment for PR 12151 --------- (cherry picked from commit 994b7560260045759d101e67d266f7db30b17373) Co-authored-by: Alexei Znamensky <103110+russoz@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.6
---
.../12151-java-cert-pkcs12-password.yml | 4 ++++
plugins/modules/java_cert.py | 2 +-
.../targets/java_cert/tasks/main.yml | 17 +++++++++++++++++
3 files changed, 22 insertions(+), 1 deletion(-)
create mode 100644 changelogs/fragments/12151-java-cert-pkcs12-password.yml
diff --git a/changelogs/fragments/12151-java-cert-pkcs12-password.yml b/changelogs/fragments/12151-java-cert-pkcs12-password.yml
new file mode 100644
index 0000000000..7c983bc1a7
--- /dev/null
+++ b/changelogs/fragments/12151-java-cert-pkcs12-password.yml
@@ -0,0 +1,4 @@
+bugfixes:
+ - "java_cert - fix ``NullPointerException`` when importing from a PKCS12 file with a password on Java 8
+ (https://github.com/ansible-collections/community.general/issues/3023,
+ https://github.com/ansible-collections/community.general/pull/12151)."
diff --git a/plugins/modules/java_cert.py b/plugins/modules/java_cert.py index 2a2cd590be..60343cf8bb 100644 --- a/plugins/modules/java_cert.py +++ b/plugins/modules/java_cert.py @@ -279,7 +279,7 @@ def _get_digest_from_x509_file(module, pem_certificate_file, openssl_bin): def _export_public_cert_from_pkcs12(module, executable, pkcs_file, alias, password, dest): """Runs keytools to extract the public cert from a PKCS12 archive and write it to a file.""" - export_cmd = [executable, "-list", "-noprompt", "-keystore", pkcs_file, "-storetype", "pkcs12", "-rfc"] + export_cmd = [executable, "-list", "-keystore", pkcs_file, "-storetype", "pkcs12", "-rfc"] # Append optional alias if alias: export_cmd.extend(["-alias", alias]) diff --git a/tests/integration/targets/java_cert/tasks/main.yml b/tests/integration/targets/java_cert/tasks/main.yml index d67b65474f..002c217b9f 100644 --- a/tests/integration/targets/java_cert/tasks/main.yml +++ b/tests/integration/targets/java_cert/tasks/main.yml @@ -32,6 +32,23 @@ that: - result_success is successful + - name: import pkcs12 again to verify idempotency (tests password via stdin in _export_public_cert_from_pkcs12) + community.general.java_cert: + pkcs12_path: "{{ remote_tmp_dir }}/{{ test_pkcs12_path }}" + pkcs12_password: changeit + pkcs12_alias: default + cert_alias: default + keystore_path: "{{ remote_tmp_dir }}/{{ test_keystore_path }}" + keystore_pass: changeme_keystore + keystore_create: true + state: present + register: result_idempotent + + - name: verify idempotency + ansible.builtin.assert: + that: + - result_idempotent is not changed + - name: import pkcs12 without alias params community.general.java_cert: pkcs12_path: "{{ remote_tmp_dir }}/{{ test_pkcs12_path }}"
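Review bot: The rewritten `export_cmd` line in `_export_public_cert_from_pkcs12` has no comment recording why `-noprompt` is absent, so a later cleanup could put it back and reintroduce the Java 8 failure described in the commit message. I would add above it `# No -noprompt here: keytool -list does not accept it, and on Java 8 it stops keytool reading the store password from stdin.` Supplying the password on stdin rather than as a command-line argument also keeps it out of the process listing, assuming the call outside the hunk feeds `password` through stdin as the commit message says. The docstring's "keytools" should read "keytool". The function body continues outside the hunk.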
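Review bot: The new idempotency task is checked only with `result_idempotent is not changed`, which does not show that `pkcs12_password` actually reached `keytool -list`. On a Java version where the listing succeeds regardless, the same result could presumably be reported without the password being used. A companion task that repeats the import with a deliberately wrong `pkcs12_password` and expects failure would pin that down, assuming the module fails when `keytool -list` exits non-zero, which is outside this diff. The wrong password in the sketch below is a constructed sample value.

```yaml
# … unchanged: idempotency task and its "verify idempotency" assert …
- name: import pkcs12 with a wrong password to confirm the password is checked (constructed value)
  community.general.java_cert:
    pkcs12_path: "{{ remote_tmp_dir }}/{{ test_pkcs12_path }}"
    pkcs12_password: wrong_password_constructed
    pkcs12_alias: default
    cert_alias: default
    keystore_path: "{{ remote_tmp_dir }}/{{ test_keystore_path }}"
    keystore_pass: changeme_keystore
    state: present
  ignore_errors: true
  register: result_wrong_password

- name: verify the wrong password is rejected
  ansible.builtin.assert:
    that:
      - result_wrong_password is failed
```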