[9] RFR 8056026 Debug security logging should print Provider used for each crypto operation
Vincent Ryan
vincent.x.ryan at oracle.com
Mon Sep 15 15:57:22 UTC 2014
On 15 Sep 2014, at 16:50, Sean Mullan <sean.mullan at oracle.com> wrote:
> On 09/15/2014 11:34 AM, Vincent Ryan wrote:
>> Originally I did support tracing for MessageDigest but removed it because of the huge quantity of log messages that were generated.
>> Hashes are very widely used before an application even starts. SecureRandom is similar.
>
> Hmm, it would be nice to specify the engine classes you want to see. Maybe that's too much work right now, but something like:
>
> java -Djava.security.debug="provider engine=MessageDigest,Signature" …
We can log the JCE provider for all engine classes by default and also support a filtering mechanism using the 'engine' sub-option as you suggest above.
>
>> Also I omitted KeyStore log messages because there is usually only a single implementation for a given keystore type so the
>> JCE provider which has been selected is obvious. I’ll add support for KeyStore.
>
> Ok. I think it would be primarily useful to see the KeyStore when PKCS11 is used with unextractable keys to help debug any subsequent delayed provider selection.
>
> --Sean
>
>>
>>
>> On 15 Sep 2014, at 16:12, Sean Mullan <sean.mullan at oracle.com> wrote:
>>
>>> Can you also add similar log messages for MessageDigest, SecureRandom, and KeyStore?
>>>
>>> Otherwise looks good. Please add a noreg label. Also the fix is helpful to any platform and not just solaris/sparc so you should change those fields to be generic.
>>>
>>> --Sean
>>>
>>> On 09/12/2014 11:11 AM, Vincent Ryan wrote:
>>>>
>>>> Please review this change to display the JCE provider that has been
>>>> selected for common crypto operations.
>>>> This aids troubleshooting crypto applications when a given crypto
>>>> algorithm is supported by several JCE providers.
>>>> Some crypto operations delay selecting a provider until they examine the
>>>> key supplied in the init() method.
>>>> This fix also accommodates that behaviour.
>>>>
>>>> The following crypto operations are supported: Cipher, KeyAgreement,
>>>> KeyGenerator, KeyPairGenerator, Mac and Signature.
>>>> To see these new messages, activate JCE provider debugging as normal.
>>>> For example,
>>>>
>>>> % java -Djava.security.debug=provider MySSLClientApp
>>>> :
>>>> Provider: Signature.SHA256withRSA verification from: SunRsaSign
>>>> Provider: Signature.SHA256withRSA verification from: SunRsaSign
>>>> Provider: Signature.SHA256withRSA verification from: SunRsaSign
>>>> Provider: Signature.SHA1withDSA verification from: SunPKCS11-Solaris
>>>> Provider: Signature.SHA1withDSA verification from: SunPKCS11-Solaris
>>>> Provider: Signature.MD5withRSA verification from: SunPKCS11-Solaris
>>>> Provider: Signature.MD5withRSA verification from: SunPKCS11-Solaris
>>>> Provider: Signature.SHA256withRSA verification from: SunRsaSign
>>>> Provider: Signature.SHA256withRSA verification from: SunRsaSign
>>>> Provider: KeyPairGenerator.EC from: SunPKCS11-Solaris
>>>> Provider: Signature.SHA256withRSA verification from: SunRsaSign
>>>> Provider: Signature.SHA256withRSA verification from: SunRsaSign
>>>> Provider: Cipher.AES/GCM/NoPadding encryption from: SunJCE
>>>> Provider: KeyGenerator.SunTls12RsaPremasterSecret from: SunJCE
>>>> Provider: Cipher.RSA/ECB/PKCS1Padding key wrapping from: SunPKCS11-Solaris
>>>> Provider: KeyGenerator.SunTls12MasterSecret from: SunJCE
>>>> Provider: KeyGenerator.SunTls12KeyMaterial from: SunJCE
>>>> Provider: Signature.SHA512withRSA signing from: SunPKCS11-Solaris
>>>> Provider: KeyGenerator.SunTls12Prf from: SunJCE
>>>> Provider: Cipher.AES/GCM/NoPadding encryption from: SunJCE
>>>> Provider: Cipher.AES/GCM/NoPadding decryption from: SunJCE
>>>> Provider: KeyGenerator.SunTls12Prf from: SunJCE
>>>> Provider: Cipher.AES/GCM/NoPadding encryption from: SunJCE
>>>> Provider: Cipher.AES/GCM/NoPadding encryption from: SunJCE
>>>> Provider: Cipher.AES/GCM/NoPadding decryption from: SunJCE
>>>> Provider: KeyGenerator.SunTls12KeyMaterial from: SunJCE
>>>> Provider: Cipher.AES/GCM/NoPadding decryption from: SunJCE
>>>> Provider: Cipher.AES/GCM/NoPadding decryption from: SunJCE
>>>> Provider: KeyGenerator.SunTls12Prf from: SunJCE
>>>> Provider: KeyGenerator.SunTls12Prf from: SunJCE
>>>> Provider: Cipher.AES/GCM/NoPadding encryption from: SunJCE
>>>> Provider: Cipher.AES/GCM/NoPadding encryption from: SunJCE
>>>> Provider: Cipher.AES/GCM/NoPadding decryption from: SunJCE
>>>> Provider: Cipher.AES/GCM/NoPadding decryption from: SunJCE
>>>> Provider: Cipher.AES/GCM/NoPadding decryption from: SunJCE
>>>> Provider: Cipher.AES/GCM/NoPadding encryption from: SunJCE
>>>> :
>>>>
>>>>
>>>> Thanks.
>>>>
>>>> Bug: https://bugs.openjdk.java.net/browse/JDK-8056026
>>>> Webrev: http://cr.openjdk.java.net/~vinnie/8056026/webrev.00/
>>
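The following program is an added example (editor's code, not part of the review, the webrev, or any JDK test) that exercises the engine classes the change logs, so that the `Provider: ... from: ...` lines emitted under `-Djava.security.debug=provider` can be cross-checked against what the application itself observes via `getProvider()`. It uses only standard JCA/JCE API; the algorithm names, key sizes and the sample plaintext are the example's own choices. The point it makes is the one raised in the thread about delayed provider selection: for engines such as `Signature` and `Cipher` the JDK does not bind a provider at `getInstance()` time but at `init()`, once it can inspect the key (a PKCS#11 key with an unextractable private component can only be used by its own provider). Calling `getProvider()` before `init()` forces an early selection and defeats that, so the program only queries the provider after initialization.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.Provider;
import java.security.SecureRandom;
import java.security.Security;
import java.security.Signature;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

/*
 * Editor's example, not JDK code. Run as:
 *   javac ProviderTrace.java
 *   java -Djava.security.debug=provider ProviderTrace
 * and compare the JDK's debug trace (written to stderr) with the
 * "-> <provider>" lines this program prints to stdout.
 */
public class ProviderTrace {

    // Print the provider an engine object is actually bound to.
    static void report(String engine, Provider p) {
        System.out.printf("%-40s -> %s%n", engine, p.getName());
    }

    public static void main(String[] args) throws Exception {
        // getInstance(alg) walks this list in preference order unless the
        // engine defers the choice until init() sees the key.
        for (Provider p : Security.getProviders()) {
            System.out.println("installed provider: " + p.getName());
        }

        // KeyPairGenerator selects its provider at getInstance().
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        report("KeyPairGenerator.RSA", kpg.getProvider());
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();

        // Signature defers selection: the provider is chosen by initSign()
        // based on the key supplied. Query getProvider() only afterwards.
        byte[] msg = "constructed sample message".getBytes(StandardCharsets.UTF_8);
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(kp.getPrivate());
        report("Signature.SHA256withRSA signing", signer.getProvider());
        signer.update(msg);
        byte[] sigBytes = signer.sign();

        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(kp.getPublic());
        report("Signature.SHA256withRSA verification", verifier.getProvider());
        verifier.update(msg);
        System.out.println("signature verified: " + verifier.verify(sigBytes));

        // KeyGenerator selects at getInstance(); the key it returns then
        // drives the Cipher's delayed selection below.
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey aesKey = kg.generateKey();
        report("KeyGenerator.AES", kg.getProvider());

        // Cipher also defers selection until init() has seen the key.
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        GCMParameterSpec gcm = new GCMParameterSpec(128, iv);

        Cipher enc = Cipher.getInstance("AES/GCM/NoPadding");
        enc.init(Cipher.ENCRYPT_MODE, aesKey, gcm);
        report("Cipher.AES/GCM/NoPadding encryption", enc.getProvider());
        byte[] ct = enc.doFinal(msg);

        Cipher dec = Cipher.getInstance("AES/GCM/NoPadding");
        dec.init(Cipher.DECRYPT_MODE, aesKey, gcm);
        report("Cipher.AES/GCM/NoPadding decryption", dec.getProvider());
        byte[] pt = dec.doFinal(ct);
        System.out.println("round trip ok: " + Arrays.equals(msg, pt));

        // MessageDigest was left out of the logging in the first webrev
        // because of volume; getProvider() still shows the binding.
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        report("MessageDigest.SHA-256", md.getProvider());
        md.digest(msg);
    }
}
```

On a JDK with only the default providers every line resolves to SunRsaSign, SunJCE or SUN; to see the delayed selection switch providers, run the same program with a SunPKCS11 provider configured ahead of them and an RSA key that lives in the token, at which point the signing line (but not necessarily the verification line) moves to the PKCS11 provider. The `engine=` filter discussed in the thread is a proposal at this point in the review, so the command line above relies on the plain `provider` option only.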