<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Thanks for tackling this one Vinnie. It'll certainly help better
debug environments<br>
where several providers are available to perform similar crypto
operations.<br>
<br>
One minor suggestion might be to use a simple boolean to control
whether<br>
the engine provider info gets printed.<br>
<br>
i.e. change "private static final boolean skipDebug =
Debug.isOn("engine=") && !Debug.isOn("XXX");"<br>
to "private static final boolean printProviderEngine = <br>
pdebug != null && Debug.isOn("engine=") &&
Debug.isOn("XXX");"<br>
<br>
Might read better but minor like I say.<br>
<br>
regards,<br>
Sean.<br>
<br>
<div class="moz-cite-prefix">On 17/09/14 11:33, Vincent Ryan wrote:<br>
</div>
<blockquote
cite="mid:7C8A77B0-52D2-4C50-9A71-7B71EB49EEEE@oracle.com"
type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
<div>I’ve renamed that boolean flag and inverted its logic:</div>
<div><br>
</div>
<div>
<div style="margin: 0px;"><span style="color: rgb(0, 0, 0);
font-family: Menlo; font-size: 11px;">- </span><font
color="#34bd26" face="Menlo"><span style="font-size: 11px;">private</span></font><span
style="color: rgb(0, 0, 0); font-family: Menlo; font-size:
11px;"> </span><font color="#34bd26" face="Menlo"><span
style="font-size: 11px;">static</span></font><span
style="color: rgb(0, 0, 0); font-family: Menlo; font-size:
11px;"> </span><font color="#34bd26" face="Menlo"><span
style="font-size: 11px;">final</span></font><span
style="color: rgb(0, 0, 0); font-family: Menlo; font-size:
11px;"> </span><font color="#34bd26" face="Menlo"><span
style="font-size: 11px;">boolean</span></font><span
style="color: rgb(0, 0, 0); font-family: Menlo; font-size:
11px;"> doDebug = </span><font color="#34bd26" face="Menlo"><span
style="font-size: 11px;">!</span></font><span
style="color: rgb(52, 189, 38); font-family: Menlo;
font-size: 11px; background-color: rgb(0, 166, 178);">(</span><font
color="#34bd26" face="Menlo"><span style="font-size: 11px;">Debug.isOn(</span></font><span
style="color: rgb(195, 55, 32); font-family: Menlo;
font-size: 11px;">"engine="</span><font color="#34bd26"
face="Menlo"><span style="font-size: 11px;">) &&
!Debug.isOn(</span></font><font color="#c33720"
face="Menlo"><span style="font-size: 11px;">“XXX"</span></font><font
color="#34bd26" face="Menlo"><span style="font-size: 11px;">)</span></font><span
style="color: rgb(52, 189, 38); font-family: Menlo;
font-size: 11px; background-color: rgb(0, 166, 178);">)</span><font
color="#34bd26" face="Menlo"><span style="font-size: 11px;">;</span></font></div>
</div>
<div>
<div style="margin: 0px; font-size: 11px; font-family: Menlo;
color: rgb(52, 189, 38);"><span style="color: #000000">+ </span>private<span
style="color: #000000"> </span>static<span style="color:
#000000"> </span>final<span style="color: #000000"> </span>boolean<span
style="color: #000000"> skipDebug = </span><font
face="Menlo">Debug.isOn(</font><span style="color: rgb(195,
55, 32);">"engine="</span><font face="Menlo">) &&
!Debug.isOn(</font><font color="#c33720" face="Menlo">“XXX”</font><font
face="Menlo">);</font></div>
</div>
<div style="margin: 0px; font-size: 11px; font-family: Menlo;"><br>
</div>
<div style="margin: 0px; font-size: 11px; font-family: Menlo;"><br>
</div>
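</blockquote>
<div>Review bot: on the + line, skipDebug is the exact negation of the removed doDebug, so every place that read doDebug has to be inverted in the same change, and this hunk shows only the declaration; please confirm the use sites were updated with it. The flag is also still negative-sense, so a positively named flag, or a one-line comment stating that it is true only when the engine= sub-option is on and "XXX" is not, would make the call sites easier to read. The typographic quotes around XXX on the + line will not compile if they are in the source file rather than introduced by the mail client.</div>
<blockquote cite="mid:7C8A77B0-52D2-4C50-9A71-7B71EB49EEEE@oracle.com" type="cite">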
<div>Updated webrev: <a moz-do-not-send="true"
href="http://cr.openjdk.java.net/%7Evinnie/8056026/webrev.02/">http://cr.openjdk.java.net/~vinnie/8056026/webrev.02/</a></div>
<div><br>
</div>
Docs bug: <a moz-do-not-send="true"
href="https://bugs.openjdk.java.net/browse/JDK-8058624">https://bugs.openjdk.java.net/browse/JDK-8058624</a>
<div><br>
</div>
<div><br>
<div>
<div>On 16 Sep 2014, at 22:07, Sean Mullan &lt;<a
moz-do-not-send="true"
href="mailto:sean.mullan@oracle.com">sean.mullan@oracle.com</a>&gt;
wrote:</div>
<br class="Apple-interchange-newline">
<blockquote type="cite">On 09/16/2014 11:27 AM, Vincent Ryan
wrote:<br>
<blockquote type="cite">Here's an updated webrev that
supports including/excluding specific<br>
JCA engines:<br>
<br>
Webrev: <a moz-do-not-send="true"
href="http://cr.openjdk.java.net/%7Evinnie/8056026/webrev.01/">http://cr.openjdk.java.net/~vinnie/8056026/webrev.01/</a><br>
</blockquote>
<br>
Looks good, although the doDebug boolean is making my head
spin, is there an easier way to specify that?<br>
<br>
Also, can you open a corresponding docs bug to update the
troubleshooting guide: <a moz-do-not-send="true"
href="http://docs.oracle.com/javase/8/docs/technotes/guides/security/troubleshooting-security.html">http://docs.oracle.com/javase/8/docs/technotes/guides/security/troubleshooting-security.html</a><br>
<br>
--Sean<br>
<br>
<blockquote type="cite"><br>
<br>
For example, use the following to trace only MessageDigest
and<br>
Signature engines:<br>
<br>
-Djava.security.debug=provider:engine=MessageDigest,Signature<br>
<br>
and use the following to trace all supported engines:<br>
<br>
-Djava.security.debug=provider<br>
or<br>
-Djava.security.debug=all<br>
<br>
<br>
<br>
On 15/09/2014 16:57, Vincent Ryan wrote:<br>
<blockquote type="cite"><br>
On 15 Sep 2014, at 16:50, Sean Mullan &lt;<a
moz-do-not-send="true"
href="mailto:sean.mullan@oracle.com">sean.mullan@oracle.com</a>&gt;
wrote:<br>
<br>
<blockquote type="cite">On 09/15/2014 11:34 AM, Vincent
Ryan wrote:<br>
<blockquote type="cite">Originally I did support
tracing for MessageDigest but removed it<br>
because of the huge quantity of log messages that
were generated.<br>
Hashes are very widely used before an application
even starts.<br>
SecureRandom is similar.<br>
</blockquote>
<br>
Hmm, it would be nice to specify the engine classes
you want to see.<br>
Maybe that's too much work right now, but something
like:<br>
<br>
java -Djava.security.debug="provider
engine=MessageDigest,Signature" …<br>
</blockquote>
<br>
We can log the JCE provider for all engine classes by
default and also<br>
support a filtering mechanism using the 'engine'
sub-option as you<br>
suggest above.<br>
<br>
<br>
<blockquote type="cite"><br>
<blockquote type="cite">Also I omitted KeyStore log
messages because there is usually only a<br>
single implementation for a given keystore type so
the<br>
JCE provider which has been selected is obvious.
I’ll add support<br>
for KeyStore.<br>
</blockquote>
<br>
Ok. I think it would be primarily useful to see the
KeyStore when<br>
PKCS11 is used with unextractable keys to help debug
any subsequent<br>
delayed provider selection.<br>
<br>
--Sean<br>
<br>
<blockquote type="cite"><br>
<br>
On 15 Sep 2014, at 16:12, Sean Mullan &lt;<a
moz-do-not-send="true"
href="mailto:sean.mullan@oracle.com">sean.mullan@oracle.com</a>&gt;
wrote:<br>
<br>
<blockquote type="cite">Can you also add similar log
messages for MessageDigest,<br>
SecureRandom, and KeyStore?<br>
<br>
Otherwise looks good. Please add a noreg label.
Also the fix is<br>
helpful to any platform and not just solaris/sparc
so you should<br>
change those fields to be generic.<br>
<br>
--Sean<br>
<br>
On 09/12/2014 11:11 AM, Vincent Ryan wrote:<br>
<blockquote type="cite"><br>
Please review this change to display the JCE
provider that has been<br>
selected for common crypto operations.<br>
This aids troubleshooting crypto applications
when a given crypto<br>
algorithm is supported by several JCE providers.<br>
Some crypto operations delay selecting a
provider until they<br>
examine the<br>
key supplied in the init() method.<br>
This fix also accommodates that behaviour.<br>
<br>
The following crypto operations are supported:
Cipher, KeyAgreement,<br>
KeyGenerator, KeyPairGenerator, Mac and
Signature.<br>
To see these new messages, activate JCE provider
debugging as normal.<br>
For example,<br>
<br>
% java -Djava.security.debug=provider
MySSLClientApp<br>
:<br>
Provider: Signature.SHA256withRSA verification
from: SunRsaSign<br>
Provider: Signature.SHA256withRSA verification
from: SunRsaSign<br>
Provider: Signature.SHA256withRSA verification
from: SunRsaSign<br>
Provider: Signature.SHA1withDSA verification
from: SunPKCS11-Solaris<br>
Provider: Signature.SHA1withDSA verification
from: SunPKCS11-Solaris<br>
Provider: Signature.MD5withRSA verification
from: SunPKCS11-Solaris<br>
Provider: Signature.MD5withRSA verification
from: SunPKCS11-Solaris<br>
Provider: Signature.SHA256withRSA verification
from: SunRsaSign<br>
Provider: Signature.SHA256withRSA verification
from: SunRsaSign<br>
Provider: KeyPairGenerator.EC from:
SunPKCS11-Solaris<br>
Provider: Signature.SHA256withRSA verification
from: SunRsaSign<br>
Provider: Signature.SHA256withRSA verification
from: SunRsaSign<br>
Provider: Cipher.AES/GCM/NoPadding encryption
from: SunJCE<br>
Provider:
KeyGenerator.SunTls12RsaPremasterSecret from:
SunJCE<br>
Provider: Cipher.RSA/ECB/PKCS1Padding key
wrapping from:<br>
SunPKCS11-Solaris<br>
Provider: KeyGenerator.SunTls12MasterSecret
from: SunJCE<br>
Provider: KeyGenerator.SunTls12KeyMaterial from:
SunJCE<br>
Provider: Signature.SHA512withRSA signing from:
SunPKCS11-Solaris<br>
Provider: KeyGenerator.SunTls12Prf from: SunJCE<br>
Provider: Cipher.AES/GCM/NoPadding encryption
from: SunJCE<br>
Provider: Cipher.AES/GCM/NoPadding decryption
from: SunJCE<br>
Provider: KeyGenerator.SunTls12Prf from: SunJCE<br>
Provider: Cipher.AES/GCM/NoPadding encryption
from: SunJCE<br>
Provider: Cipher.AES/GCM/NoPadding encryption
from: SunJCE<br>
Provider: Cipher.AES/GCM/NoPadding decryption
from: SunJCE<br>
Provider: KeyGenerator.SunTls12KeyMaterial from:
SunJCE<br>
Provider: Cipher.AES/GCM/NoPadding decryption
from: SunJCE<br>
Provider: Cipher.AES/GCM/NoPadding decryption
from: SunJCE<br>
Provider: KeyGenerator.SunTls12Prf from: SunJCE<br>
Provider: KeyGenerator.SunTls12Prf from: SunJCE<br>
Provider: Cipher.AES/GCM/NoPadding encryption
from: SunJCE<br>
Provider: Cipher.AES/GCM/NoPadding encryption
from: SunJCE<br>
Provider: Cipher.AES/GCM/NoPadding decryption
from: SunJCE<br>
Provider: Cipher.AES/GCM/NoPadding decryption
from: SunJCE<br>
Provider: Cipher.AES/GCM/NoPadding decryption
from: SunJCE<br>
Provider: Cipher.AES/GCM/NoPadding encryption
from: SunJCE<br>
:<br>
<br>
<br>
Thanks.<br>
<br>
Bug: <a moz-do-not-send="true"
href="https://bugs.openjdk.java.net/browse/JDK-8056026">https://bugs.openjdk.java.net/browse/JDK-8056026</a><br>
Webrev: <a moz-do-not-send="true"
href="http://cr.openjdk.java.net/%7Evinnie/8056026/webrev.00/">http://cr.openjdk.java.net/~vinnie/8056026/webrev.00/</a><br>
</blockquote>
</blockquote>
<br>
</blockquote>
</blockquote>
<br>
</blockquote>
</blockquote>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
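<div>An added example, not part of the thread and not JDK code: a small parser that tallies which provider served each engine and algorithm in a java.security.debug=provider trace, with an optional filter that mirrors the engine= sub-option discussed above. The line format is assumed from the trace quoted in the thread; the function names and the sample trace are constructed for illustration.</div>
<pre>
```python
import re
from collections import Counter

# Line shape taken from the trace quoted in the thread:
#   Provider: ENGINE.ALGORITHM [operation] from: PROVIDER
LINE_RE = re.compile(r"^Provider: (\w+)\.(\S+)(?: (.+?))? from: (\S+)$")

# Constructed sample, modelled on the lines quoted in the thread.
SAMPLE_TRACE = """\
Provider: Signature.SHA256withRSA verification from: SunRsaSign
Provider: Signature.SHA1withDSA verification from: SunPKCS11-Solaris
Provider: KeyPairGenerator.EC from: SunPKCS11-Solaris
Provider: Cipher.AES/GCM/NoPadding encryption from: SunJCE
Provider: Cipher.AES/GCM/NoPadding decryption from: SunJCE
Provider: Cipher.RSA/ECB/PKCS1Padding key wrapping from: SunPKCS11-Solaris
Provider: Signature.SHA256withRSA verification from: SunRsaSign
unrelated application output
"""

def parse_line(line):
    """Return (engine, algorithm, operation, provider), or None if no match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    engine, algorithm, operation, provider = m.groups()
    return engine, algorithm, operation or "", provider

def summarize(trace, engines=None):
    """Count provider selections per (engine, algorithm, provider)."""
    # engines=None keeps every engine; a set keeps only the named engine
    # classes, like engine=MessageDigest,Signature does for the trace itself.
    counts = Counter()
    for parsed in map(parse_line, trace.splitlines()):
        if parsed is None or (engines is not None and parsed[0] not in engines):
            continue
        engine, algorithm, _operation, provider = parsed
        counts[(engine, algorithm, provider)] += 1
    return counts

def providers_by_algorithm(counts):
    """Map 'Engine.Algorithm' to the set of providers that served it."""
    result = {}
    for (engine, algorithm, provider) in counts:
        result.setdefault(engine + "." + algorithm, set()).add(provider)
    return result

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_TRACE).items()):
        print(n, *key)
```
</pre>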
</body>
</html>