[9] RFR 8056026 Debug security logging should print Provider used for each crypto operation

Seán Coffey sean.coffey at oracle.com
Wed Sep 17 15:00:01 UTC 2014


Thanks for tackling this one Vinnie. It'll certainly help better debug 
environments
where several providers are available to perform similar crypto operations.

One minor suggestion might be to use a simple boolean to control whether
the engine provider info gets printed.

i.e. change "private static final boolean skipDebug = 
Debug.isOn("engine=") && !Debug.isOn(“XXX”);"
to "private static final boolean printProviderEngine =
           pdebug != null && Debug.isOn("engine=") && Debug.isOn(“XXX”);

Might read better but minor like I say.

regards,
Sean.

On 17/09/14 11:33, Vincent Ryan wrote:
> I’ve renamed that boolean flag and inverted its logic:
>
> - privatestaticfinalbooleandoDebug = !(Debug.isOn("engine=") && 
> !Debug.isOn(“XXX"));
> + privatestaticfinalbooleanskipDebug = Debug.isOn("engine=") && 
> !Debug.isOn(“XXX”);
>
>
> Updated webrev: http://cr.openjdk.java.net/~vinnie/8056026/webrev.02/ 
> <http://cr.openjdk.java.net/%7Evinnie/8056026/webrev.02/>
>
> Docs bug: https://bugs.openjdk.java.net/browse/JDK-8058624
>
>
> On 16 Sep 2014, at 22:07, Sean Mullan <sean.mullan at oracle.com 
> <mailto:sean.mullan at oracle.com>> wrote:
>
>> On 09/16/2014 11:27 AM, Vincent Ryan wrote:
>>> Here's an updated webrev that supports including/excluding specific
>>> JCA engines:
>>>
>>> Webrev: http://cr.openjdk.java.net/~vinnie/8056026/webrev.01/ 
>>> <http://cr.openjdk.java.net/%7Evinnie/8056026/webrev.01/>
>>
>> Looks good, although the doDebug boolean is making my head spin, is 
>> there an easier way to specify that?
>>
>> Also, can you open a corresponding docs bug to update the 
>> troubleshooting guide: 
>> http://docs.oracle.com/javase/8/docs/technotes/guides/security/troubleshooting-security.html
>>
>> --Sean
>>
>>>
>>>
>>> For example, use the following to trace only MessageDigest and
>>> Signature engines:
>>>
>>>     -Djava.security.debug=provider:engine=MessageDigest,Signature
>>>
>>> and use the following to trace all supported engines:
>>>
>>>     -Djava.security.debug=provider
>>> or
>>>     -Djava.security.debug=all
>>>
>>>
>>>
>>> On 15/09/2014 16:57, Vincent Ryan wrote:
>>>>
>>>> On 15 Sep 2014, at 16:50, Sean Mullan <sean.mullan at oracle.com 
>>>> <mailto:sean.mullan at oracle.com>> wrote:
>>>>
>>>>> On 09/15/2014 11:34 AM, Vincent Ryan wrote:
>>>>>> Originally I did support tracing for MessageDigest but removed it
>>>>>> because of the huge quantity of log messages that were generated.
>>>>>> Hashes are very widely used before an application even starts.
>>>>>> SecureRandom is similar.
>>>>>
>>>>> Hmm, it would be nice to specify the engine classes you want to see.
>>>>> Maybe that's too much work right now, but something like:
>>>>>
>>>>> java -Djava.security.debug="provider engine=MessageDigest,Signature" …
>>>>
>>>> We can log the JCE provider for all engine classes by default and also
>>>> support a filtering mechanism using the ‘engine' sub-option as you
>>>> suggest above.
>>>>
>>>>
>>>>>
>>>>>> Also I omitted KeyStore log messages because there is usually only a
>>>>>> single implementation for a given keystore type so the
>>>>>> JCE provider which has been selected is obvious. I’ll add support
>>>>>> for KeyStore.
>>>>>
>>>>> Ok. I think it would be primarily useful to see the KeyStore when
>>>>> PKCS11 is used with unextractable keys to help debug any subsequent
>>>>> delayed provider selection.
>>>>>
>>>>> --Sean
>>>>>
>>>>>>
>>>>>>
>>>>>> On 15 Sep 2014, at 16:12, Sean Mullan <sean.mullan at oracle.com 
>>>>>> <mailto:sean.mullan at oracle.com>> wrote:
>>>>>>
>>>>>>> Can you also add similar log messages for MessageDigest,
>>>>>>> SecureRandom, and KeyStore?
>>>>>>>
>>>>>>> Otherwise looks good. Please add a noreg label. Also the fix is
>>>>>>> helpful to any platform and not just solaris/sparc so you should
>>>>>>> change those fields to be generic.
>>>>>>>
>>>>>>> --Sean
>>>>>>>
>>>>>>> On 09/12/2014 11:11 AM, Vincent Ryan wrote:
>>>>>>>>
>>>>>>>> Please review this change to display the JCE provider that has been
>>>>>>>> selected for common crypto operations.
>>>>>>>> This aids troubleshooting crypto applications when a given crypto
>>>>>>>> algorithm is supported by several JCE providers.
>>>>>>>> Some crypto operations delay selecting a provider until they
>>>>>>>> examine the
>>>>>>>> key supplied in the init() method.
>>>>>>>> This fix also accommodates that behaviour.
>>>>>>>>
>>>>>>>> The following crypto operations are supported: Cipher, 
>>>>>>>> KeyAgreement,
>>>>>>>> KeyGenerator, KeyPairGenerator, Mac and Signature.
>>>>>>>> To see these new messages, activate JCE provider debugging as 
>>>>>>>> normal.
>>>>>>>> For example,
>>>>>>>>
>>>>>>>> % java -Djava.security.debug=provider MySSLClientApp
>>>>>>>>  :
>>>>>>>> Provider: Signature.SHA256withRSA verification from: SunRsaSign
>>>>>>>> Provider: Signature.SHA256withRSA verification from: SunRsaSign
>>>>>>>> Provider: Signature.SHA256withRSA verification from: SunRsaSign
>>>>>>>> Provider: Signature.SHA1withDSA verification from: 
>>>>>>>> SunPKCS11-Solaris
>>>>>>>> Provider: Signature.SHA1withDSA verification from: 
>>>>>>>> SunPKCS11-Solaris
>>>>>>>> Provider: Signature.MD5withRSA verification from: SunPKCS11-Solaris
>>>>>>>> Provider: Signature.MD5withRSA verification from: SunPKCS11-Solaris
>>>>>>>> Provider: Signature.SHA256withRSA verification from: SunRsaSign
>>>>>>>> Provider: Signature.SHA256withRSA verification from: SunRsaSign
>>>>>>>> Provider: KeyPairGenerator.EC from: SunPKCS11-Solaris
>>>>>>>> Provider: Signature.SHA256withRSA verification from: SunRsaSign
>>>>>>>> Provider: Signature.SHA256withRSA verification from: SunRsaSign
>>>>>>>> Provider: Cipher.AES/GCM/NoPadding encryption from: SunJCE
>>>>>>>> Provider: KeyGenerator.SunTls12RsaPremasterSecret from: SunJCE
>>>>>>>> Provider: Cipher.RSA/ECB/PKCS1Padding key wrapping from:
>>>>>>>> SunPKCS11-Solaris
>>>>>>>> Provider: KeyGenerator.SunTls12MasterSecret from: SunJCE
>>>>>>>> Provider: KeyGenerator.SunTls12KeyMaterial from: SunJCE
>>>>>>>> Provider: Signature.SHA512withRSA signing from: SunPKCS11-Solaris
>>>>>>>> Provider: KeyGenerator.SunTls12Prf from: SunJCE
>>>>>>>> Provider: Cipher.AES/GCM/NoPadding encryption from: SunJCE
>>>>>>>> Provider: Cipher.AES/GCM/NoPadding decryption from: SunJCE
>>>>>>>> Provider: KeyGenerator.SunTls12Prf from: SunJCE
>>>>>>>> Provider: Cipher.AES/GCM/NoPadding encryption from: SunJCE
>>>>>>>> Provider: Cipher.AES/GCM/NoPadding encryption from: SunJCE
>>>>>>>> Provider: Cipher.AES/GCM/NoPadding decryption from: SunJCE
>>>>>>>> Provider: KeyGenerator.SunTls12KeyMaterial from: SunJCE
>>>>>>>> Provider: Cipher.AES/GCM/NoPadding decryption from: SunJCE
>>>>>>>> Provider: Cipher.AES/GCM/NoPadding decryption from: SunJCE
>>>>>>>> Provider: KeyGenerator.SunTls12Prf from: SunJCE
>>>>>>>> Provider: KeyGenerator.SunTls12Prf from: SunJCE
>>>>>>>> Provider: Cipher.AES/GCM/NoPadding encryption from: SunJCE
>>>>>>>> Provider: Cipher.AES/GCM/NoPadding encryption from: SunJCE
>>>>>>>> Provider: Cipher.AES/GCM/NoPadding decryption from: SunJCE
>>>>>>>> Provider: Cipher.AES/GCM/NoPadding decryption from: SunJCE
>>>>>>>> Provider: Cipher.AES/GCM/NoPadding decryption from: SunJCE
>>>>>>>> Provider: Cipher.AES/GCM/NoPadding encryption from: SunJCE
>>>>>>>>  :
>>>>>>>>
>>>>>>>>
>>>>>>>> Thanks.
>>>>>>>>
>>>>>>>> Bug: https://bugs.openjdk.java.net/browse/JDK-8056026
>>>>>>>> Webrev: http://cr.openjdk.java.net/~vinnie/8056026/webrev.00/ 
>>>>>>>> <http://cr.openjdk.java.net/%7Evinnie/8056026/webrev.00/>
>>>>>>
>>>>
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.openjdk.java.net/pipermail/security-dev/attachments/20140917/d18acb3d/attachment-0001.html>


More information about the security-dev mailing list