[9] RFR 8056026 Debug security logging should print Provider used for each crypto operation

Vincent Ryan vincent.x.ryan at oracle.com
Wed Sep 17 10:33:58 UTC 2014 

I’ve renamed that boolean flag and inverted its logic:

-    private static final boolean doDebug = !(Debug.isOn("engine=") && !Debug.isOn(“XXX"));
+    private static final boolean skipDebug = Debug.isOn("engine=") && !Debug.isOn(“XXX”);


Updated webrev: http://cr.openjdk.java.net/~vinnie/8056026/webrev.02/

Docs bug: https://bugs.openjdk.java.net/browse/JDK-8058624


On 16 Sep 2014, at 22:07, Sean Mullan <sean.mullan at oracle.com> wrote:

> On 09/16/2014 11:27 AM, Vincent Ryan wrote:
>> Here's an updated webrev that supports including/excluding specific
>> JCA engines:
>> 
>> Webrev: http://cr.openjdk.java.net/~vinnie/8056026/webrev.01/
> 
> Looks good, although the doDebug boolean is making my head spin, is there an easier way to specify that?
> 
> Also, can you open a corresponding docs bug to update the troubleshooting guide: http://docs.oracle.com/javase/8/docs/technotes/guides/security/troubleshooting-security.html
> 
> --Sean
> 
>> 
>> 
>> For example, use the following to trace only MessageDigest and
>> Signature engines:
>> 
>>     -Djava.security.debug=provider:engine=MessageDigest,Signature
>> 
>> and use the following to trace all supported engines:
>> 
>>     -Djava.security.debug=provider
>> or
>>     -Djava.security.debug=all
>> 
>> 
>> 
>> On 15/09/2014 16:57, Vincent Ryan wrote:
>>> 
>>> On 15 Sep 2014, at 16:50, Sean Mullan <sean.mullan at oracle.com> wrote:
>>> 
>>>> On 09/15/2014 11:34 AM, Vincent Ryan wrote:
>>>>> Originally I did support tracing for MessageDigest but removed it
>>>>> because of the huge quantity of log messages that were generated.
>>>>> Hashes are very widely used before an application even starts.
>>>>> SecureRandom is similar.
>>>> 
>>>> Hmm, it would be nice to specify the engine classes you want to see.
>>>> Maybe that's too much work right now, but something like:
>>>> 
>>>> java -Djava.security.debug="provider engine=MessageDigest,Signature" …
>>> 
>>> We can log the JCE provider for all engine classes by default and also
>>> support a filtering mechanism using the ‘engine' sub-option as you
>>> suggest above.
>>> 
>>> 
>>>> 
>>>>> Also I omitted KeyStore log messages because there is usually only a
>>>>> single implementation for a given keystore type so the
>>>>> JCE provider which has been selected is obvious. I’ll add support
>>>>> for KeyStore.
>>>> 
>>>> Ok. I think it would be primarily useful to see the KeyStore when
>>>> PKCS11 is used with unextractable keys to help debug any subsequent
>>>> delayed provider selection.
>>>> 
>>>> --Sean
>>>> 
>>>>> 
>>>>> 
>>>>> On 15 Sep 2014, at 16:12, Sean Mullan <sean.mullan at oracle.com> wrote:
>>>>> 
>>>>>> Can you also add similar log messages for MessageDigest,
>>>>>> SecureRandom, and KeyStore?
>>>>>> 
>>>>>> Otherwise looks good. Please add a noreg label. Also the fix is
>>>>>> helpful to any platform and not just solaris/sparc so you should
>>>>>> change those fields to be generic.
>>>>>> 
>>>>>> --Sean
>>>>>> 
>>>>>> On 09/12/2014 11:11 AM, Vincent Ryan wrote:
>>>>>>> 
>>>>>>> Please review this change to display the JCE provider that has been
>>>>>>> selected for common crypto operations.
>>>>>>> This aids troubleshooting crypto applications when a given crypto
>>>>>>> algorithm is supported by several JCE providers.
>>>>>>> Some crypto operations delay selecting a provider until they
>>>>>>> examine the
>>>>>>> key supplied in the init() method.
>>>>>>> This fix also accommodates that behaviour.
>>>>>>> 
>>>>>>> The following crypto operations are supported: Cipher, KeyAgreement,
>>>>>>> KeyGenerator, KeyPairGenerator, Mac and Signature.
>>>>>>> To see these new messages, activate JCE provider debugging as normal.
>>>>>>> For example,
>>>>>>> 
>>>>>>> % java -Djava.security.debug=provider MySSLClientApp
>>>>>>>  :
>>>>>>> Provider: Signature.SHA256withRSA verification from: SunRsaSign
>>>>>>> Provider: Signature.SHA256withRSA verification from: SunRsaSign
>>>>>>> Provider: Signature.SHA256withRSA verification from: SunRsaSign
>>>>>>> Provider: Signature.SHA1withDSA verification from: SunPKCS11-Solaris
>>>>>>> Provider: Signature.SHA1withDSA verification from: SunPKCS11-Solaris
>>>>>>> Provider: Signature.MD5withRSA verification from: SunPKCS11-Solaris
>>>>>>> Provider: Signature.MD5withRSA verification from: SunPKCS11-Solaris
>>>>>>> Provider: Signature.SHA256withRSA verification from: SunRsaSign
>>>>>>> Provider: Signature.SHA256withRSA verification from: SunRsaSign
>>>>>>> Provider: KeyPairGenerator.EC from: SunPKCS11-Solaris
>>>>>>> Provider: Signature.SHA256withRSA verification from: SunRsaSign
>>>>>>> Provider: Signature.SHA256withRSA verification from: SunRsaSign
>>>>>>> Provider: Cipher.AES/GCM/NoPadding encryption from: SunJCE
>>>>>>> Provider: KeyGenerator.SunTls12RsaPremasterSecret from: SunJCE
>>>>>>> Provider: Cipher.RSA/ECB/PKCS1Padding key wrapping from:
>>>>>>> SunPKCS11-Solaris
>>>>>>> Provider: KeyGenerator.SunTls12MasterSecret from: SunJCE
>>>>>>> Provider: KeyGenerator.SunTls12KeyMaterial from: SunJCE
>>>>>>> Provider: Signature.SHA512withRSA signing from: SunPKCS11-Solaris
>>>>>>> Provider: KeyGenerator.SunTls12Prf from: SunJCE
>>>>>>> Provider: Cipher.AES/GCM/NoPadding encryption from: SunJCE
>>>>>>> Provider: Cipher.AES/GCM/NoPadding decryption from: SunJCE
>>>>>>> Provider: KeyGenerator.SunTls12Prf from: SunJCE
>>>>>>> Provider: Cipher.AES/GCM/NoPadding encryption from: SunJCE
>>>>>>> Provider: Cipher.AES/GCM/NoPadding encryption from: SunJCE
>>>>>>> Provider: Cipher.AES/GCM/NoPadding decryption from: SunJCE
>>>>>>> Provider: KeyGenerator.SunTls12KeyMaterial from: SunJCE
>>>>>>> Provider: Cipher.AES/GCM/NoPadding decryption from: SunJCE
>>>>>>> Provider: Cipher.AES/GCM/NoPadding decryption from: SunJCE
>>>>>>> Provider: KeyGenerator.SunTls12Prf from: SunJCE
>>>>>>> Provider: KeyGenerator.SunTls12Prf from: SunJCE
>>>>>>> Provider: Cipher.AES/GCM/NoPadding encryption from: SunJCE
>>>>>>> Provider: Cipher.AES/GCM/NoPadding encryption from: SunJCE
>>>>>>> Provider: Cipher.AES/GCM/NoPadding decryption from: SunJCE
>>>>>>> Provider: Cipher.AES/GCM/NoPadding decryption from: SunJCE
>>>>>>> Provider: Cipher.AES/GCM/NoPadding decryption from: SunJCE
>>>>>>> Provider: Cipher.AES/GCM/NoPadding encryption from: SunJCE
>>>>>>>  :
>>>>>>> 
>>>>>>> 
>>>>>>> Thanks.
>>>>>>> 
>>>>>>> Bug: https://bugs.openjdk.java.net/browse/JDK-8056026
>>>>>>> Webrev: http://cr.openjdk.java.net/~vinnie/8056026/webrev.00/
>>>>> 
>>> 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.openjdk.org/pipermail/security-dev/attachments/20140917/4e5e60b8/attachment.htm>

More information about the security-dev mailing list