I have a JKS file which was generated using a password. I have a java code that uses that keystore to connect to a url. Now when I load the keystore, I had mistakenly passed the password as null. But to my amazement, the connection still went through.

KeyStore store = KeyStore.getInstance("JKS");
store.load(stream, null);

This kind of behavior looked suspicious to me. Is there an explanation for this?

EDIT:

If this behavior is as expected, then why is the passphrase required when creating a keystore via keytool?

If you don't supply the password:

1. The keystore isn't integrity-checked on opening.
2. You can't access any private-key entries.

For a KeyStore used as a truststore, i.e. containing only trusted certificates, this is a normal usage.

If this behavior is as expected, then why is the passphrase required when creating a keystore via keytool?

So that you can supply one on opening, so as to get the behaviour at (1) or (2) above.

Hm, I think that the passphrase you're passing is to ensure integrity of the keystore itself (upon changing the contents itself). However, if no passphrase provided, the contents (keys/certificates) can still be read - which is what you're experiencing.

For illustration purposes, you can also view contents of a keystore by running the command:keytool -list -keystore <keystore> - which does not imply passing a passphrase to the keystore itself.

You can also read more about this related to the load()-function itself on the KeyStore-object here: http://docs.oracle.com/javase/7/docs/api/java/security/KeyStore.html#load(java.io.InputStream,%20char[]).

stream - the input stream from which the keystore is loaded, or null

password - the password used to check the integrity of the keystore, the password used to unlock the keystore, or null