RFR: 8312383: Log X509ExtendedKeyManager implementation class name in TLS/SSL connection

[Prajwal Kumaraswamy]

On Wed, 7 Feb 2024 14:19:03 GMT, Sean Coffey <coffeys at openjdk.org> wrote:

>> During the time of server certificate validation, users have the flexibility to use a custom X509 Key Manager implementation by extending "X509ExtendedKeyManager.".
>> In such cases, printing the class name in X509Authentication.java will be helpful to trace any failure of the SSL connection due to a certificate issue.
>> 
>> I've tested the code by running the custom X509 manager, the default X509 manager, and passing the null key manager.
>> The screen shots are attached here.
>> [x509_screen_shot_testing.zip](https://github.com/openjdk/jdk/files/14189852/x509_screen_shot_testing.zip)
>> 
>> Also, the internal test runs against this fix are green
>
> src/java.base/share/classes/sun/security/ssl/X509Authentication.java line 205:
> 
>> 203:         X509ExtendedKeyManager km = chc.sslContext.getX509KeyManager();
>> 204:         if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
>> 205:             SSLLogger.finest("X509ExtendedKeyManager being used: " +
> 
> Could the JBS title be made more descriptive ? It's quite vague.
> 
> I wonder if "X509KeyManager class: " would be better for displaying.
> 
> `createServerPossession` would also benefit from this logging enhancement. I wonder if this belongs in logging during SSLContext creation time instead. Other security-dev engineers may have opinion on that.
> 
> IIRC, there's another issue open where we iterate over the certificate contexts of custom tm/km types. The JDK src does it at the moment for the default tm/km but no output given for custom impl. Will be good to have that tied up at some stage also.

I have changed the title to reflect the specific change made here.
I'll make changes in createServerPossession as well.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/17742#discussion_r1481655887