UnsupportedOperationException when using KeyStore.getEntry()?

I'm trying to retrieve entries from a Java KeyStore on Mac OSX 10.6. My code runs fine on Windows and Linux, but when I run it on OSX I get the following Exception:

java.lang.UnsupportedOperationException
    at java.security.KeyStoreSpi.engineGetEntry(KeyStoreSpi.java:466)
    at java.security.KeyStore.getEntry(KeyStore.java:1261)

Here's my code:

String keyStorePath = ...
P开发者_运维百科asswordProtection pp = new PasswordProtection("password".toCharArray());
CallbackHandlerProtection chp = new CallbackHandlerProtection(
        new CallbackHandler() {

            @Override
            public void handle(Callback[] callbacks)
                    throws IOException, UnsupportedCallbackException {
                for (int i = 0; i < callbacks.length; i++) {
                    if (callbacks[i] instanceof PasswordCallback) {
                        PasswordCallback pc = (PasswordCallback) callbacks[i];
                        pc.setPassword("password".toCharArray());
                    }
                }
            }
        });

try {
    KeyStore.Builder kb = Builder.newInstance("JCEKS", null, new File(
            keyStorePath), chp);
    KeyStore ks = kb.getKeyStore();

    Enumeration<String> aliases = ks.aliases();
    while (aliases.hasMoreElements()) {
        String alias = aliases.nextElement();
        KeyStore.Entry entry = ks.getEntry(alias, chp);

    }
} catch (Exception e) {
    e.printStackTrace();
}

Any idea why this exception is being thrown on OSX? Is it a bug in the JVM on this OS? Anyone ever seen this before?

Looking at the implementation of KeyStoreSpi.java at line 466 reveals the following:

public KeyStore.Entry engineGetEntry(String alias, ...) throws ... {

    ...

    if (protParam instanceof KeyStore.PasswordProtection) {
        if (engineIsCertificateEntry(alias)) {
            throw new UnsupportedOperationException
                ("trusted certificate entries are not password-protected");
        } else if ...
    }

    ...
}

There you have the exact conditions for which it throws the exception.

So when does engineIsCertificateEntry(alias) return true?

According to the documentation it does so...

... if the entry identified by the given alias was created by a call to setCertificateEntry, or created by a call to setEntry with a TrustedCertificateEntry

The method is however abstract, so it is hard to dig further without knowing the exact implementation being used. According to your description, the logic seems to differ slightly between implementations.

Looks to be a bug in Apple's implementation of the JVM. I've submitted a bug report. Thanks for your help!