[9] RFR 8056026 Debug security logging should print Provider used for each crypto operation

Sean Mullan sean.mullan at oracle.com
Wed Sep 17 19:12:15 UTC 2014 

Looks good to me.

--Sean

On 09/17/2014 06:33 AM, Vincent Ryan wrote:
> I’ve renamed that boolean flag and inverted its logic:
>
> - privatestaticfinalbooleandoDebug = !(Debug.isOn("engine=") &&
> !Debug.isOn(“XXX"));
> + privatestaticfinalbooleanskipDebug = Debug.isOn("engine=") &&
> !Debug.isOn(“XXX”);
>
>
> Updated webrev: http://cr.openjdk.java.net/~vinnie/8056026/webrev.02/
>
> Docs bug: https://bugs.openjdk.java.net/browse/JDK-8058624
>
>
> On 16 Sep 2014, at 22:07, Sean Mullan <sean.mullan at oracle.com
> <mailto:sean.mullan at oracle.com>> wrote:
>
>> On 09/16/2014 11:27 AM, Vincent Ryan wrote:
>>> Here's an updated webrev that supports including/excluding specific
>>> JCA engines:
>>>
>>> Webrev: http://cr.openjdk.java.net/~vinnie/8056026/webrev.01/
>>
>> Looks good, although the doDebug boolean is making my head spin, is
>> there an easier way to specify that?
>>
>> Also, can you open a corresponding docs bug to update the
>> troubleshooting guide:
>> http://docs.oracle.com/javase/8/docs/technotes/guides/security/troubleshooting-security.html
>>
>> --Sean
>>
>>>
>>>
>>> For example, use the following to trace only MessageDigest and
>>> Signature engines:
>>>
>>>     -Djava.security.debug=provider:engine=MessageDigest,Signature
>>>
>>> and use the following to trace all supported engines:
>>>
>>>     -Djava.security.debug=provider
>>> or
>>>     -Djava.security.debug=all
>>>
>>>
>>>
>>> On 15/09/2014 16:57, Vincent Ryan wrote:
>>>>
>>>> On 15 Sep 2014, at 16:50, Sean Mullan <sean.mullan at oracle.com
>>>> <mailto:sean.mullan at oracle.com>> wrote:
>>>>
>>>>> On 09/15/2014 11:34 AM, Vincent Ryan wrote:
>>>>>> Originally I did support tracing for MessageDigest but removed it
>>>>>> because of the huge quantity of log messages that were generated.
>>>>>> Hashes are very widely used before an application even starts.
>>>>>> SecureRandom is similar.
>>>>>
>>>>> Hmm, it would be nice to specify the engine classes you want to see.
>>>>> Maybe that's too much work right now, but something like:
>>>>>
>>>>> java -Djava.security.debug="provider engine=MessageDigest,Signature" …
>>>>
>>>> We can log the JCE provider for all engine classes by default and also
>>>> support a filtering mechanism using the ‘engine' sub-option as you
>>>> suggest above.
>>>>
>>>>
>>>>>
>>>>>> Also I omitted KeyStore log messages because there is usually only a
>>>>>> single implementation for a given keystore type so the
>>>>>> JCE provider which has been selected is obvious. I’ll add support
>>>>>> for KeyStore.
>>>>>
>>>>> Ok. I think it would be primarily useful to see the KeyStore when
>>>>> PKCS11 is used with unextractable keys to help debug any subsequent
>>>>> delayed provider selection.
>>>>>
>>>>> --Sean
>>>>>
>>>>>>
>>>>>>
>>>>>> On 15 Sep 2014, at 16:12, Sean Mullan <sean.mullan at oracle.com
>>>>>> <mailto:sean.mullan at oracle.com>> wrote:
>>>>>>
>>>>>>> Can you also add similar log messages for MessageDigest,
>>>>>>> SecureRandom, and KeyStore?
>>>>>>>
>>>>>>> Otherwise looks good. Please add a noreg label. Also the fix is
>>>>>>> helpful to any platform and not just solaris/sparc so you should
>>>>>>> change those fields to be generic.
>>>>>>>
>>>>>>> --Sean
>>>>>>>
>>>>>>> On 09/12/2014 11:11 AM, Vincent Ryan wrote:
>>>>>>>>
>>>>>>>> Please review this change to display the JCE provider that has been
>>>>>>>> selected for common crypto operations.
>>>>>>>> This aids troubleshooting crypto applications when a given crypto
>>>>>>>> algorithm is supported by several JCE providers.
>>>>>>>> Some crypto operations delay selecting a provider until they
>>>>>>>> examine the
>>>>>>>> key supplied in the init() method.
>>>>>>>> This fix also accommodates that behaviour.
>>>>>>>>
>>>>>>>> The following crypto operations are supported: Cipher, KeyAgreement,
>>>>>>>> KeyGenerator, KeyPairGenerator, Mac and Signature.
>>>>>>>> To see these new messages, activate JCE provider debugging as
>>>>>>>> normal.
>>>>>>>> For example,
>>>>>>>>
>>>>>>>> % java -Djava.security.debug=provider MySSLClientApp
>>>>>>>>  :
>>>>>>>> Provider: Signature.SHA256withRSA verification from: SunRsaSign
>>>>>>>> Provider: Signature.SHA256withRSA verification from: SunRsaSign
>>>>>>>> Provider: Signature.SHA256withRSA verification from: SunRsaSign
>>>>>>>> Provider: Signature.SHA1withDSA verification from: SunPKCS11-Solaris
>>>>>>>> Provider: Signature.SHA1withDSA verification from: SunPKCS11-Solaris
>>>>>>>> Provider: Signature.MD5withRSA verification from: SunPKCS11-Solaris
>>>>>>>> Provider: Signature.MD5withRSA verification from: SunPKCS11-Solaris
>>>>>>>> Provider: Signature.SHA256withRSA verification from: SunRsaSign
>>>>>>>> Provider: Signature.SHA256withRSA verification from: SunRsaSign
>>>>>>>> Provider: KeyPairGenerator.EC from: SunPKCS11-Solaris
>>>>>>>> Provider: Signature.SHA256withRSA verification from: SunRsaSign
>>>>>>>> Provider: Signature.SHA256withRSA verification from: SunRsaSign
>>>>>>>> Provider: Cipher.AES/GCM/NoPadding encryption from: SunJCE
>>>>>>>> Provider: KeyGenerator.SunTls12RsaPremasterSecret from: SunJCE
>>>>>>>> Provider: Cipher.RSA/ECB/PKCS1Padding key wrapping from:
>>>>>>>> SunPKCS11-Solaris
>>>>>>>> Provider: KeyGenerator.SunTls12MasterSecret from: SunJCE
>>>>>>>> Provider: KeyGenerator.SunTls12KeyMaterial from: SunJCE
>>>>>>>> Provider: Signature.SHA512withRSA signing from: SunPKCS11-Solaris
>>>>>>>> Provider: KeyGenerator.SunTls12Prf from: SunJCE
>>>>>>>> Provider: Cipher.AES/GCM/NoPadding encryption from: SunJCE
>>>>>>>> Provider: Cipher.AES/GCM/NoPadding decryption from: SunJCE
>>>>>>>> Provider: KeyGenerator.SunTls12Prf from: SunJCE
>>>>>>>> Provider: Cipher.AES/GCM/NoPadding encryption from: SunJCE
>>>>>>>> Provider: Cipher.AES/GCM/NoPadding encryption from: SunJCE
>>>>>>>> Provider: Cipher.AES/GCM/NoPadding decryption from: SunJCE
>>>>>>>> Provider: KeyGenerator.SunTls12KeyMaterial from: SunJCE
>>>>>>>> Provider: Cipher.AES/GCM/NoPadding decryption from: SunJCE
>>>>>>>> Provider: Cipher.AES/GCM/NoPadding decryption from: SunJCE
>>>>>>>> Provider: KeyGenerator.SunTls12Prf from: SunJCE
>>>>>>>> Provider: KeyGenerator.SunTls12Prf from: SunJCE
>>>>>>>> Provider: Cipher.AES/GCM/NoPadding encryption from: SunJCE
>>>>>>>> Provider: Cipher.AES/GCM/NoPadding encryption from: SunJCE
>>>>>>>> Provider: Cipher.AES/GCM/NoPadding decryption from: SunJCE
>>>>>>>> Provider: Cipher.AES/GCM/NoPadding decryption from: SunJCE
>>>>>>>> Provider: Cipher.AES/GCM/NoPadding decryption from: SunJCE
>>>>>>>> Provider: Cipher.AES/GCM/NoPadding encryption from: SunJCE
>>>>>>>>  :
>>>>>>>>
>>>>>>>>
>>>>>>>> Thanks.
>>>>>>>>
>>>>>>>> Bug: https://bugs.openjdk.java.net/browse/JDK-8056026
>>>>>>>> Webrev: http://cr.openjdk.java.net/~vinnie/8056026/webrev.00/
>>>>>>
>>>>
>

More information about the security-dev mailing list