RFR: 8329251: Print custom truststore/keystore name [v4]

Sean Coffey coffeys at openjdk.org
Fri Oct 11 10:13:11 UTC 2024


On Mon, 7 Oct 2024 12:42:00 GMT, Prasadrao Koppula <pkoppula at openjdk.org> wrote:

>> Using SharedSecrets, I attempted to expose FileInputStream::path information. After implementing the fix, I validated the startup performance tests. I observed no consistent pattern of performance drops or gains; the occasional performance drop observed in 1 or 2 runs can be disregarded.
>
> Prasadrao Koppula has updated the pull request incrementally with one additional commit since the last revision:
> 
>   JDK-8329251

src/java.base/share/classes/sun/security/pkcs12/PKCS12KeyStore.java line 1972:

> 1970:                                 .getPath((FileInputStream) stream);
> 1971:                 if (keystorePath != null) {
> 1972:                     debug.println("PKCS12KeyStore: Loading \"" + keystorePath.substring(

I ran a straightforward test to connect to a TLS website and expected to see the cacerts file details being printed. 

A `BufferedInputStream` is used for the `InputStream` instance in `sun.security.util.KeyStoreDelegator#engineLoad`:


    InputStream bufferedStream = new BufferedInputStream(stream);
    bufferedStream.mark(Integer.MAX_VALUE);

    try {
        @SuppressWarnings("deprecation")
        KeyStoreSpi tmp = primaryKeyStore.newInstance();
        tmp.engineLoad(bufferedStream, password);


You'll need to get a handle to the `BufferedInputStream` -> `FilterInputStream` -> `in` stream and check if it's an instance of a `FileInputStream`. You can then query and print the path value if present.

On a side note, I was surprised to see no debug output (of interest) initially when I was using the `-Djava.security.debug=keystore` value. It turns out I have to use the `pkcs12` value for the debug option. Given that PKCS12KeyStore.java is the only file to use this debug value and that pkcs12 is now the default keystore type, there might be merit in folding this value into the more common `keystore` option.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/20414#discussion_r1796741288
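The unwrap step described in the review above, as an added stand-alone example that is not code from the PR or the JDK. It peels `FilterInputStream` layers down to the underlying stream and reads the `FileInputStream` path. Reflection on the `FilterInputStream.in` and `FileInputStream.path` fields stands in for the JDK-internal SharedSecrets accessor the PR uses, so outside the JDK it needs `--add-opens java.base/java.io=ALL-UNNAMED`. The class name, method names and the temporary sample file are assumptions for illustration.

```java
import java.io.BufferedInputStream;
import java.io.ByteArrayInputStream;
import java.io.DataInputStream;
import java.io.FileInputStream;
import java.io.FilterInputStream;
import java.io.InputStream;
import java.lang.reflect.Field;
import java.lang.reflect.InaccessibleObjectException;
import java.nio.file.Files;
import java.nio.file.Path;

/**
 * Added example (not JDK code): walk a chain of FilterInputStream wrappers
 * (BufferedInputStream, DataInputStream, ...) to the innermost stream and, if
 * it is a FileInputStream, return its path for a debug message.
 *
 * Run with:
 *   java --add-opens java.base/java.io=ALL-UNNAMED UnwrapStreamPath.java
 *
 * Reflection here is a stand-in for the JDK-internal SharedSecrets accessor;
 * java.io is not open to application code without the flag above.
 */
public class UnwrapStreamPath {

    /** Returns the innermost stream after removing every FilterInputStream layer. */
    static InputStream unwrap(InputStream stream) throws ReflectiveOperationException {
        Field inField = FilterInputStream.class.getDeclaredField("in");
        inField.setAccessible(true);
        InputStream current = stream;
        int depth = 0; // guard against a pathological self-referencing chain
        while (current instanceof FilterInputStream && depth++ < 64) {
            current = (InputStream) inField.get(current);
        }
        return current;
    }

    /** Returns the file path if the unwrapped stream is a FileInputStream, otherwise null. */
    static String pathOf(InputStream stream) throws ReflectiveOperationException {
        InputStream inner = unwrap(stream);
        if (!(inner instanceof FileInputStream)) {
            return null;
        }
        Field pathField = FileInputStream.class.getDeclaredField("path");
        pathField.setAccessible(true);
        return (String) pathField.get(inner);
    }

    /** Mirrors the shape of the debug line in PKCS12KeyStore: print the path when known. */
    static String describe(InputStream stream) throws ReflectiveOperationException {
        String path = pathOf(stream);
        return path != null ? "Loading \"" + path + "\"" : "Loading from a non-file stream";
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample file; its contents are irrelevant, only the path matters.
        Path tmp = Files.createTempFile("keystore-", ".p12");
        try {
            // Same wrapping KeyStoreDelegator does, plus one more filter layer to show the walk.
            try (InputStream fileBacked = new DataInputStream(
                    new BufferedInputStream(new FileInputStream(tmp.toFile())))) {
                fileBacked.mark(Integer.MAX_VALUE); // as in KeyStoreDelegator; does not affect the walk
                System.out.println(describe(fileBacked));
            }
            // A keystore loaded from memory has no path; the message must degrade gracefully.
            try (InputStream memoryBacked = new BufferedInputStream(
                    new ByteArrayInputStream(new byte[] {0x30, (byte) 0x82}))) {
                System.out.println(describe(memoryBacked));
            }
        } catch (InaccessibleObjectException e) {
            System.err.println("java.io is not opened to this module; rerun with "
                    + "--add-opens java.base/java.io=ALL-UNNAMED");
        } finally {
            Files.deleteIfExists(tmp);
        }
    }
}
```

The depth guard and the null return matter for a debug path: keystore loading must not fail or loop because the diagnostic could not find a file name, which is also why the original hunk only prints when `keystorePath != null`.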


More information about the security-dev mailing list