27

When signing an apk after a long break from Android development I was surprised that I'm no longer able to enter an empty keystore password to unlock it. Is it just me or has this been possible before? If so, when did that change and how can I manage to unlock the keystore anyway?

Some background: maybe I'm just crazy and didn't use an empty password for the keystore before, but the one and only possible password that I could have been using instead doesn't work either (I swear, there's no chance I'd have used another password!).

Peter O.
TomTasche

8 Answers

12

The keystore can be manipulated using the keytool in the Java SDK.

Try executing the keytool on your keystore, and extract the certificates with the empty password. After that, import it into a new keystore. This time, use a real password.

The switch -exportcert will help you accomplish that.

It could be that you updated your Java SDK and therefore you cannot enter an empty password (due to some security upgrade of the tool). In that case, you can try to install an older SDK and do the above.

Good luck!

Leos Literak
Udinic
  • Thanks @Udinic, but keytool itself doesn't permit empty passwords either! :/ I guess it's an update of the Java SDK that changed it, too, but to be honest, I don't want to go through all SDK revisions of the last two years... :) Any tip what version might work would be appreciated! – TomTasche Oct 15 '12 at 13:41
  • You don't have to install each one, just take the one you probably had 2 years ago, and go along with it. – Udinic Oct 15 '12 at 17:09
  • OK, try using "-storepass " option of keytool to store a new pass. Backup your keystore before doing that. – Udinic Oct 16 '12 at 08:38
  • @Udinic is there any chance that you can provide the steps to -exportcert to import into a new keystore? So the following will allow you to extract the information using the empty password "keytool -list -v -keystore [keystore-filename]", how do I go about exporting these into a new keystore? Any help would be greatly appreciated. – Graham Baitson Jul 20 '20 at 17:06
6

You cannot use an empty password for your keystore.

I checked: as far back as JDK 1.3, keytool doesn't allow it; see http://docs.oracle.com/javase/1.3/docs/tooldocs/win32/keytool.html where the doc explicitly states that:

storepass must be at least 6 characters long. It must be provided to all commands that access the keystore contents. For such commands, if a -storepass option is not provided at the command line, the user is prompted for it.

For fun, I wanted to try keytool from jdk 1.2 and downloaded it since its documentation doesn't state that password is mandatory, but I need a Windows NT box to install it! I absolutely don't think Android ever used this keytool version.

Sorry, but it looks like you have either forgotten your password, or typed it with caps lock / a wrong keyboard layout activated. :(

EDIT:

If it is not a layout problem you can try to

pcans
5

Try the default Android debug-mode keystore password, which is android, or the Java cacerts default, changeit/changeme.

Aleksandr M
5

Instead of using keytool, you could write a simple Java SE program that tries to use your key or lists aliases. The API should (not 100% sure on this) allow you to use an empty ("") password.

You can also try third-party tools like Portecle to list/extract keys.

T.S
Nikolay Elenkov
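
The approach suggested in this answer, as an added example (not code from the answer's author): it opens a JKS keystore through the java.security.KeyStore API with an empty password and copies every entry into a new keystore protected by a real password. It assumes the key password is empty as well; the class name and the three command-line arguments are hypothetical.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Collections;

// Added example: re-protects a JKS keystore that has an empty password.
// Usage (file names and password are hypothetical, chosen by the caller):
//   java RekeyKeystore old.jks new.jks 'new-strong-password'
public class RekeyKeystore {
    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: RekeyKeystore <src.jks> <dest.jks> <new-password>");
            System.exit(2);
        }
        char[] empty = new char[0];          // the "" password that keytool refuses
        char[] newPass = args[2].toCharArray();

        KeyStore src = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            src.load(in, empty);             // also checks the store integrity hash
        }
        KeyStore dest = KeyStore.getInstance("JKS");
        dest.load(null, null);               // initialise an empty in-memory keystore

        for (String alias : Collections.list(src.aliases())) {
            if (src.isKeyEntry(alias)) {
                // Assumption: the key password is empty too. If it is not, this
                // throws UnrecoverableKeyException and the real one is required.
                Key key = src.getKey(alias, empty);
                Certificate[] chain = src.getCertificateChain(alias);
                dest.setKeyEntry(alias, key, newPass, chain);
            } else {
                dest.setCertificateEntry(alias, src.getCertificate(alias));
            }
            System.out.println("copied " + alias);
        }
        try (OutputStream out = new FileOutputStream(args[1])) {
            dest.store(out, newPass);        // new store and keys use the new password
        }
    }
}
```

An IOException from `load` reporting that the keystore was tampered with or the password was incorrect means the store password was not actually empty. Work on a backup copy of the original file.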
5

I faced this issue as well and it was very weird. I had a legacy keystore that was not protected by any password. I could use it successfully in SoapUI but keytool and KeyStore Explorer failed to open it. I had to create a new keystore that already had a password and since then everything was fine.

I suspect that Java 8 is more picky than Java 7 was.

keytool -importkeystore -srckeystore client.jks -destkeystore client2.jsk -srcstoretype JKS -deststoretype JKS -deststorepass changeit
Leos Literak
  • This still asks for the key password and doesn't accept blank – Martin Mar 27 '18 at 14:54
  • Better is to create a new keystore (jks) when we do not have JKS passwords or passwords of any entries within it. keytool -genkey -alias client -keyalg RSA -sigalg SHA256withRSA -keysize 2048 -dname "CN=domainname, O=org, C=EU" -keypass changeit -validity 1096 -keystore "C:\Documents\sslcertificate\keystores\javakeystore.jks" -ext san=dns:domainname – rinilnath Apr 06 '23 at 04:00
3

That works for me:

keytool -list -keystore keyStoreFileWithotPassword.jks -protected

CORRECTION: It turns out the list feature works without entering the actual password! But the import features do require a password.

Deian
2

I've just faced the same problem when trying to use the key store provider for hadoop, which uses none as default password, see: JavaKeyStoreProvider.java

I ended up copying the original keytool from OpenJDK8 and removed the restrictions in this new implementation (it is the same but without the 6 characters limitation): KeytoolWithoutPasswordLimits

In this way, I managed to use none as password.

Gooseman
  • AdoptOpenJDK's keytool, from version 8 (lowest I can still download there) https://adoptopenjdk.net/archive.html - doesn't help either. Same error regarding the minimum 6 characters. KeytoolWithoutPasswordLimits does not compile on its own - some more info (or at least instructions how you would compile the base .java file) would be greatly appreciated, though I suspect it's "download openjdk, extract src.zip, javac ". javac -XDignore.symbol.file - is needed, and some tinkering to the source file - should be worth adding in the answer. – T.S Oct 15 '21 at 09:56
  • @T.S For example, with IntelliJ, you could create a new Java application following these [steps](https://www.jetbrains.com/help/idea/creating-and-running-your-first-java-application.html) and replace the helloworld example with [my code](https://github.com/gumartinm/SparkForFun/blob/01e9273ffe6a017971ed7ec035f9287dff98f872/keytool/src/sun/security/tools/keytool/KeytoolWithoutPasswordLimits.java). – Gooseman Oct 15 '21 at 20:01
  • We tried Eclipse, same idea. Eventually we found the -XDignore.symbol.file which allowed compilation of just the 1 file we needed with a tiny tweak. In the end that was the quicker way to get it working. The command line was quite helpful in that regard, but it did require some extensive googling. – T.S Oct 20 '21 at 11:55
1

If all of the above fail you can try cracking it. Related question: Android - Forgot keystore password. Can I decrypt keystore file?

Community
Sarel Botha