[9] RFR 8056026 Debug security logging should print Provider used for each crypto operation
Sean Mullan
sean.mullan at oracle.com
Tue Sep 16 21:07:20 UTC 2014
On 09/16/2014 11:27 AM, Vincent Ryan wrote:
> Here's an updated webrev that supports including/excluding specific
> JCA engines:
>
> Webrev: http://cr.openjdk.java.net/~vinnie/8056026/webrev.01/
Looks good, although the doDebug boolean is making my head spin, is
there an easier way to specify that?
Also, can you open a corresponding docs bug to update the
troubleshooting guide:
http://docs.oracle.com/javase/8/docs/technotes/guides/security/troubleshooting-security.html
--Sean
>
>
> For example, use the following to trace only MessageDigest and
> Signature engines:
>
> -Djava.security.debug=provider:engine=MessageDigest,Signature
>
> and use the following to trace all supported engines:
>
> -Djava.security.debug=provider
> or
> -Djava.security.debug=all
>
>
>
> On 15/09/2014 16:57, Vincent Ryan wrote:
>>
>> On 15 Sep 2014, at 16:50, Sean Mullan <sean.mullan at oracle.com> wrote:
>>
>>> On 09/15/2014 11:34 AM, Vincent Ryan wrote:
>>>> Originally I did support tracing for MessageDigest but removed it
>>>> because of the huge quantity of log messages that were generated.
>>>> Hashes are very widely used before an application even starts.
>>>> SecureRandom is similar.
>>>
>>> Hmm, it would be nice to specify the engine classes you want to see.
>>> Maybe that's too much work right now, but something like:
>>>
>>> java -Djava.security.debug="provider engine=MessageDigest,Signature" …
>>
>> We can log the JCE provider for all engine classes by default and also
>> support a filtering mechanism using the ‘engine' sub-option as you
>> suggest above.
>>
>>
>>>
>>>> Also I omitted KeyStore log messages because there is usually only a
>>>> single implementation for a given keystore type so the
>>>> JCE provider which has been selected is obvious. I’ll add support
>>>> for KeyStore.
>>>
>>> Ok. I think it would be primarily useful to see the KeyStore when
>>> PKCS11 is used with unextractable keys to help debug any subsequent
>>> delayed provider selection.
>>>
>>> --Sean
>>>
>>>>
>>>>
>>>> On 15 Sep 2014, at 16:12, Sean Mullan <sean.mullan at oracle.com> wrote:
>>>>
>>>>> Can you also add similar log messages for MessageDigest,
>>>>> SecureRandom, and KeyStore?
>>>>>
>>>>> Otherwise looks good. Please add a noreg label. Also the fix is
>>>>> helpful to any platform and not just solaris/sparc so you should
>>>>> change those fields to be generic.
>>>>>
>>>>> --Sean
>>>>>
>>>>> On 09/12/2014 11:11 AM, Vincent Ryan wrote:
>>>>>>
>>>>>> Please review this change to display the JCE provider that has been
>>>>>> selected for common crypto operations.
>>>>>> This aids troubleshooting crypto applications when a given crypto
>>>>>> algorithm is supported by several JCE providers.
>>>>>> Some crypto operations delay selecting a provider until they
>>>>>> examine the
>>>>>> key supplied in the init() method.
>>>>>> This fix also accommodates that behaviour.
>>>>>>
>>>>>> The following crypto operations are supported: Cipher, KeyAgreement,
>>>>>> KeyGenerator, KeyPairGenerator, Mac and Signature.
>>>>>> To see these new messages, activate JCE provider debugging as normal.
>>>>>> For example,
>>>>>>
>>>>>> % java -Djava.security.debug=provider MySSLClientApp
>>>>>> :
>>>>>> Provider: Signature.SHA256withRSA verification from: SunRsaSign
>>>>>> Provider: Signature.SHA256withRSA verification from: SunRsaSign
>>>>>> Provider: Signature.SHA256withRSA verification from: SunRsaSign
>>>>>> Provider: Signature.SHA1withDSA verification from: SunPKCS11-Solaris
>>>>>> Provider: Signature.SHA1withDSA verification from: SunPKCS11-Solaris
>>>>>> Provider: Signature.MD5withRSA verification from: SunPKCS11-Solaris
>>>>>> Provider: Signature.MD5withRSA verification from: SunPKCS11-Solaris
>>>>>> Provider: Signature.SHA256withRSA verification from: SunRsaSign
>>>>>> Provider: Signature.SHA256withRSA verification from: SunRsaSign
>>>>>> Provider: KeyPairGenerator.EC from: SunPKCS11-Solaris
>>>>>> Provider: Signature.SHA256withRSA verification from: SunRsaSign
>>>>>> Provider: Signature.SHA256withRSA verification from: SunRsaSign
>>>>>> Provider: Cipher.AES/GCM/NoPadding encryption from: SunJCE
>>>>>> Provider: KeyGenerator.SunTls12RsaPremasterSecret from: SunJCE
>>>>>> Provider: Cipher.RSA/ECB/PKCS1Padding key wrapping from:
>>>>>> SunPKCS11-Solaris
>>>>>> Provider: KeyGenerator.SunTls12MasterSecret from: SunJCE
>>>>>> Provider: KeyGenerator.SunTls12KeyMaterial from: SunJCE
>>>>>> Provider: Signature.SHA512withRSA signing from: SunPKCS11-Solaris
>>>>>> Provider: KeyGenerator.SunTls12Prf from: SunJCE
>>>>>> Provider: Cipher.AES/GCM/NoPadding encryption from: SunJCE
>>>>>> Provider: Cipher.AES/GCM/NoPadding decryption from: SunJCE
>>>>>> Provider: KeyGenerator.SunTls12Prf from: SunJCE
>>>>>> Provider: Cipher.AES/GCM/NoPadding encryption from: SunJCE
>>>>>> Provider: Cipher.AES/GCM/NoPadding encryption from: SunJCE
>>>>>> Provider: Cipher.AES/GCM/NoPadding decryption from: SunJCE
>>>>>> Provider: KeyGenerator.SunTls12KeyMaterial from: SunJCE
>>>>>> Provider: Cipher.AES/GCM/NoPadding decryption from: SunJCE
>>>>>> Provider: Cipher.AES/GCM/NoPadding decryption from: SunJCE
>>>>>> Provider: KeyGenerator.SunTls12Prf from: SunJCE
>>>>>> Provider: KeyGenerator.SunTls12Prf from: SunJCE
>>>>>> Provider: Cipher.AES/GCM/NoPadding encryption from: SunJCE
>>>>>> Provider: Cipher.AES/GCM/NoPadding encryption from: SunJCE
>>>>>> Provider: Cipher.AES/GCM/NoPadding decryption from: SunJCE
>>>>>> Provider: Cipher.AES/GCM/NoPadding decryption from: SunJCE
>>>>>> Provider: Cipher.AES/GCM/NoPadding decryption from: SunJCE
>>>>>> Provider: Cipher.AES/GCM/NoPadding encryption from: SunJCE
>>>>>> :
>>>>>>
>>>>>>
>>>>>> Thanks.
>>>>>>
>>>>>> Bug: https://bugs.openjdk.java.net/browse/JDK-8056026
>>>>>> Webrev: http://cr.openjdk.java.net/~vinnie/8056026/webrev.00/
>>>>
>>
More information about the security-dev
mailing list