[9] RFR 8056026 Debug security logging should print Provider used for each crypto operation

Vincent Ryan vincent.x.ryan at oracle.com
Tue Sep 16 15:27:24 UTC 2014


Here's an updated webrev that supports including/excluding specific
JCA engines:

Webrev: http://cr.openjdk.java.net/~vinnie/8056026/webrev.01/


For example, use the following to trace only MessageDigest and
Signature engines:

     -Djava.security.debug=provider:engine=MessageDigest,Signature

and use the following to trace all supported engines:

     -Djava.security.debug=provider
or
     -Djava.security.debug=all



On 15/09/2014 16:57, Vincent Ryan wrote:
>
> On 15 Sep 2014, at 16:50, Sean Mullan <sean.mullan at oracle.com> wrote:
>
>> On 09/15/2014 11:34 AM, Vincent Ryan wrote:
>>> Originally I did support tracing for MessageDigest but removed it because of the huge quantity of log messages that were generated.
>>> Hashes are very widely used before an application even starts. SecureRandom is similar.
>>
>> Hmm, it would be nice to specify the engine classes you want to see. Maybe that's too much work right now, but something like:
>>
>> java -Djava.security.debug="provider engine=MessageDigest,Signature" …
>
> We can log the JCE provider for all engine classes by default and also support a filtering mechanism using the 'engine' sub-option as you suggest above.
>
>
>>
>>> Also I omitted KeyStore log messages because there is usually only a single implementation for a given keystore type so the
>>> JCE provider which has been selected is obvious. I’ll add support for KeyStore.
>>
>> Ok. I think it would be primarily useful to see the KeyStore when PKCS11 is used with unextractable keys to help debug any subsequent delayed provider selection.
>>
>> --Sean
>>
>>>
>>>
>>> On 15 Sep 2014, at 16:12, Sean Mullan <sean.mullan at oracle.com> wrote:
>>>
>>>> Can you also add similar log messages for MessageDigest, SecureRandom, and KeyStore?
>>>>
>>>> Otherwise looks good. Please add a noreg label. Also the fix is helpful to any platform and not just solaris/sparc so you should change those fields to be generic.
>>>>
>>>> --Sean
>>>>
>>>> On 09/12/2014 11:11 AM, Vincent Ryan wrote:
>>>>>
>>>>> Please review this change to display the JCE provider that has been
>>>>> selected for common crypto operations.
>>>>> This aids troubleshooting crypto applications when a given crypto
>>>>> algorithm is supported by several JCE providers.
>>>>> Some crypto operations delay selecting a provider until they examine the
>>>>> key supplied in the init() method.
>>>>> This fix also accommodates that behaviour.
>>>>>
>>>>> The following crypto operations are supported: Cipher, KeyAgreement,
>>>>> KeyGenerator, KeyPairGenerator, Mac and Signature.
>>>>> To see these new messages, activate JCE provider debugging as normal.
>>>>> For example,
>>>>>
>>>>> % java -Djava.security.debug=provider MySSLClientApp
>>>>>   :
>>>>> Provider: Signature.SHA256withRSA verification from: SunRsaSign
>>>>> Provider: Signature.SHA256withRSA verification from: SunRsaSign
>>>>> Provider: Signature.SHA256withRSA verification from: SunRsaSign
>>>>> Provider: Signature.SHA1withDSA verification from: SunPKCS11-Solaris
>>>>> Provider: Signature.SHA1withDSA verification from: SunPKCS11-Solaris
>>>>> Provider: Signature.MD5withRSA verification from: SunPKCS11-Solaris
>>>>> Provider: Signature.MD5withRSA verification from: SunPKCS11-Solaris
>>>>> Provider: Signature.SHA256withRSA verification from: SunRsaSign
>>>>> Provider: Signature.SHA256withRSA verification from: SunRsaSign
>>>>> Provider: KeyPairGenerator.EC from: SunPKCS11-Solaris
>>>>> Provider: Signature.SHA256withRSA verification from: SunRsaSign
>>>>> Provider: Signature.SHA256withRSA verification from: SunRsaSign
>>>>> Provider: Cipher.AES/GCM/NoPadding encryption from: SunJCE
>>>>> Provider: KeyGenerator.SunTls12RsaPremasterSecret from: SunJCE
>>>>> Provider: Cipher.RSA/ECB/PKCS1Padding key wrapping from: SunPKCS11-Solaris
>>>>> Provider: KeyGenerator.SunTls12MasterSecret from: SunJCE
>>>>> Provider: KeyGenerator.SunTls12KeyMaterial from: SunJCE
>>>>> Provider: Signature.SHA512withRSA signing from: SunPKCS11-Solaris
>>>>> Provider: KeyGenerator.SunTls12Prf from: SunJCE
>>>>> Provider: Cipher.AES/GCM/NoPadding encryption from: SunJCE
>>>>> Provider: Cipher.AES/GCM/NoPadding decryption from: SunJCE
>>>>> Provider: KeyGenerator.SunTls12Prf from: SunJCE
>>>>> Provider: Cipher.AES/GCM/NoPadding encryption from: SunJCE
>>>>> Provider: Cipher.AES/GCM/NoPadding encryption from: SunJCE
>>>>> Provider: Cipher.AES/GCM/NoPadding decryption from: SunJCE
>>>>> Provider: KeyGenerator.SunTls12KeyMaterial from: SunJCE
>>>>> Provider: Cipher.AES/GCM/NoPadding decryption from: SunJCE
>>>>> Provider: Cipher.AES/GCM/NoPadding decryption from: SunJCE
>>>>> Provider: KeyGenerator.SunTls12Prf from: SunJCE
>>>>> Provider: KeyGenerator.SunTls12Prf from: SunJCE
>>>>> Provider: Cipher.AES/GCM/NoPadding encryption from: SunJCE
>>>>> Provider: Cipher.AES/GCM/NoPadding encryption from: SunJCE
>>>>> Provider: Cipher.AES/GCM/NoPadding decryption from: SunJCE
>>>>> Provider: Cipher.AES/GCM/NoPadding decryption from: SunJCE
>>>>> Provider: Cipher.AES/GCM/NoPadding decryption from: SunJCE
>>>>> Provider: Cipher.AES/GCM/NoPadding encryption from: SunJCE
>>>>>   :
>>>>>
>>>>>
>>>>> Thanks.
>>>>>
>>>>> Bug: https://bugs.openjdk.java.net/browse/JDK-8056026
>>>>> Webrev: http://cr.openjdk.java.net/~vinnie/8056026/webrev.00/
>>>
>
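The debug lines discussed in this thread have a fixed shape, so they can be post-processed. The following helper is an added example, not part of the webrev or the JDK: it parses `-Djava.security.debug=provider` output, applies the same per-engine filter as the `engine=` sub-option after the fact, and flags signing operations that a software provider served instead of a PKCS11 token. The sample log is constructed from lines quoted above plus one made-up signing line, and the rule that signing should stay on a `SunPKCS11-*` provider is an assumed policy for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Shape of one -Djava.security.debug=provider line shown in the review request:
# "Provider: <Engine>.<Algorithm>[ <operation>] from: <ProviderName>"
LINE_RE = re.compile(
    r"^Provider: (?P<engine>[A-Za-z]+)\.(?P<alg>\S+)"
    r"(?: (?P<op>.+?))? from: (?P<prov>\S+)$"
)

# Constructed sample: lines quoted in this thread plus one extra (made-up) signing line.
SAMPLE_LOG = """\
Provider: Signature.SHA256withRSA verification from: SunRsaSign
Provider: KeyPairGenerator.EC from: SunPKCS11-Solaris
Provider: Cipher.RSA/ECB/PKCS1Padding key wrapping from: SunPKCS11-Solaris
Provider: Signature.SHA512withRSA signing from: SunPKCS11-Solaris
Provider: Cipher.AES/GCM/NoPadding encryption from: SunJCE
Provider: Signature.SHA256withRSA signing from: SunRsaSign
some unrelated debug output that the parser must ignore
"""
@dataclass(frozen=True)
class ProviderEvent:
    engine: str
    algorithm: str
    operation: str  # "" for engines logged without an operation label
    provider: str

def parse_provider_log(text):
    """One ProviderEvent per matching line; other debug output is skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(ProviderEvent(m["engine"], m["alg"], m["op"] or "", m["prov"]))
    return events

def filter_engines(events, engines):
    """Post-hoc equivalent of the engine= sub-option: keep only the named JCA engines."""
    wanted = set(engines)
    return [e for e in events if e.engine in wanted]

def summarize(events):
    """Count (engine, algorithm, operation, provider); an algorithm with two providers stands out."""
    return Counter((e.engine, e.algorithm, e.operation, e.provider) for e in events)

def signing_not_on_token(events, token_prefix="SunPKCS11-"):
    """Signing done by a software provider rather than the token (assumed policy for this example)."""
    return [e for e in events if e.engine == "Signature" and e.operation == "signing"
            and not e.provider.startswith(token_prefix)]
```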


