
I have a fresh installation of Ubuntu 18.04. I'm having problems with my builds (e.g. Maven and Gradle) accessing a repository over https; the message it shows is:

java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty

When I try to access the certificates from my keystore using the following command:

keytool -list -keystore /etc/ssl/certs/java/cacerts

I get prompted for a password, which is not a problem, but if I just press enter without inputting the password it does not show any of the entries.

If I put the password, all the certificates appear normally. What I had to do is add to all my Java applications the following system prop: javax.net.ssl.trustStorePassword=changeit

Then everything works normally. What am I doing wrong?

EDIT:

This is the permission on the cacerts right now:

-rw-r--r-- 1 root root 167K jun  8 11:21 /etc/ssl/certs/java/cacerts

so everyone can read. If I try to use list without a password:

keytool -list -keystore /etc/ssl/certs/java/cacerts
Enter keystore password:  

*****************  WARNING WARNING WARNING  *****************
* The integrity of the information stored in your keystore  *
* has NOT been verified!  In order to verify its integrity, *
* you must provide your keystore password.                  *
*****************  WARNING WARNING WARNING  *****************

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 0 entries

with the password:

keytool -list -keystore /etc/ssl/certs/java/cacerts
Enter keystore password:  
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 134 entries
Alexey Vazhnov
Mattos
  • Isn't this normal behaviour? Your apps should be made aware of the trust-store password some way. In this case you are passing it as a VM argument. – soufrk Jun 11 '18 at 13:11
  • read should be password free, only write operations should need a password – Mattos Jun 11 '18 at 13:19

1 Answer

read should be password free, only write operations should need a password

You misunderstand the purpose of the password. The password is (in effect) a decryption key for the keystore. It protects against unauthorized reads, irrespective of file system permissions.

If you want / need to allow reads without a password but protect against writes, you need to use file system permissions for that. The following Q&A explains how to remove the default password:


Here's an explanation of why a password controlling write (and not read) cannot work.

Suppose that the trusted key store is readable without a password. A user could then do the following:

  • Read the keys in the keystore
  • Create a new (empty) keystore
  • Write the keys to the new keystore
  • Rename the new keystore so that it replaces the old keystore.

This could be done using a custom Java application or (probably) the standard keytool utility and the mv command.

The only way that you can prevent this is to stop the application (or the user) from replacing the old keystore with the new one via file system permissions. If you can't do that (e.g. because the user has admin-level access) then there is no solution that doesn't have security holes.

Stephen C
  • This is the permission on the cacerts right now: ```-rw-r--r-- 1 root root 167K jun 8 11:21 /etc/ssl/certs/java/cacerts ``` – Mattos Jun 11 '18 at 13:48
  • OK. So you just need to make sure that you don't run non-trusted (java or other) code as `root` and you are OK. – Stephen C Jun 11 '18 at 13:50
  • Can you check the answer to this question https://stackoverflow.com/questions/8640340/how-do-i-get-into-a-non-password-protected-java-keystore-or-change-the-password – Mattos Jun 14 '18 at 01:35
  • @Mattos - I don't think that is what the OP is asking. He is asking for a way to have password-less read, and password-controlled updates. You can't do that. – Stephen C Jun 14 '18 at 02:40
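The keytool warning in the question's transcript ("The integrity of the information stored in your keystore has NOT been verified ... you must provide your keystore password") and the answer's argument (only file-system permissions stop someone rewriting or replacing the store) can be turned into a small audit script. The script below is an added example; it is not part of the question, the answer, or any JDK tool. It goes one step beyond the answer's text: step 4 of the answer (rename a new keystore over the old one with mv) needs write access to the directory, not to the file, so the directory's mode is checked as well. It assumes the Ubuntu default path and password quoted in the question, `ls`/`readlink` from GNU coreutils, and `keytool` on PATH for the optional integrity check; the `audit-cacerts.sh` file name in the comment is hypothetical.

```shell
#!/bin/sh
# Added example (not from the question or the answer): audit whether a Java
# trust store is protected the way the answer describes, by file-system
# permissions on the file AND on its directory (replacing the file with mv,
# step 4 of the answer, needs write access to the directory, not the file),
# and optionally confirm the store's integrity hash with keytool.
# Assumptions: Ubuntu's default path and password quoted in the question,
# ls/readlink from coreutils, keytool on PATH for the integrity check.

CACERTS_DEFAULT=/etc/ssl/certs/java/cacerts   # path from the question
STOREPASS_DEFAULT=changeit                    # default password from the question

# perm_string PATH -> the 10-character mode field of `ls -ld` (an ACL or
# SELinux suffix such as '+' is cut off and therefore not inspected).
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# writable_by_group_or_other MODESTRING -> exit 0 when the group (position 6)
# or other (position 9) write bit is set, e.g. "-rw-rw-r--" or "-rw-r--rw-".
writable_by_group_or_other() {
    case "$1" in
        ?????w????|????????w?) return 0 ;;
    esac
    return 1
}

# audit_trust_store PATH -> exit 0 when only the owner can write to the store
# and to the directory that contains it, 1 when either is group/other
# writable, 2 when the path does not exist. Symlinks (a JRE's own cacerts is
# often a link to /etc/ssl/certs/java/cacerts) are resolved first.
audit_trust_store() {
    store=$(readlink -f "$1" 2>/dev/null || printf '%s' "$1")
    [ -e "$store" ] || { echo "ERROR: $store does not exist"; return 2; }
    dir=$(dirname "$store")
    rc=0
    for p in "$store" "$dir"; do
        mode=$(perm_string "$p")
        if writable_by_group_or_other "$mode"; then
            echo "WARN: $p is $mode: non-owners can modify or replace the trust store"
            rc=1
        else
            echo "OK:   $p is $mode"
        fi
    done
    return $rc
}

# verify_integrity PATH PASSWORD -> exit 0 when keytool accepts the password
# (integrity hash verified), 1 when it reports "Keystore was tampered with, or
# password was incorrect", 2 when keytool is not installed.
verify_integrity() {
    command -v keytool >/dev/null 2>&1 || return 2
    keytool -list -keystore "$1" -storepass "$2" >/dev/null 2>&1
}

main() {
    store="${1:-$CACERTS_DEFAULT}"
    pass="${2:-$STOREPASS_DEFAULT}"
    audit_trust_store "$store"
    perm_rc=$?
    verify_integrity "$store" "$pass"
    case $? in
        0) echo "OK:   integrity hash verified with the supplied store password" ;;
        1) echo "WARN: keytool could not verify integrity (tampered file or wrong password)" ;;
        2) echo "SKIP: keytool not on PATH; integrity not checked" ;;
    esac
    return $perm_rc
}

# Run the audit only when a path is given (hypothetical file name), e.g.:
#   sh audit-cacerts.sh /etc/ssl/certs/java/cacerts changeit
if [ $# -gt 0 ]; then
    main "$@"
fi
```

The exit status of `main` reflects the permission audit only, so it can gate a CI or configuration-management run; the integrity line is informational because a wrong password and a tampered file are indistinguishable to keytool. As the answer notes, none of this helps against a user who already has root: with the default `-rw-r--r-- root root` mode from the question the only remaining question is who can run code as root.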