I’ve renamed that boolean flag and inverted its logic: - private static final boolean doDebug = !(Debug.isOn("engine=") && !Debug.isOn(“XXX")); + private static final boolean skipDebug = Debug.isOn("engine=") && !Debug.isOn(“XXX”);
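Review bot: the `+` line declares `skipDebug` with no comment saying when it is true, and none of the places that tested the old `doDebug` flag are part of what is shown. A one-line comment (tracing is skipped when an `engine=` list is given and `XXX` is not enabled) would make the polarity obvious, and every `if (doDebug)` guard has to become `if (!skipDebug)` in the same change. Both lines also carry typographic quotes around `XXX`, which will not compile if pasted as shown.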
Updated webrev: http://cr.openjdk.java.net/~vinnie/8056026/webrev.02/
Docs bug: https://bugs.openjdk.java.net/browse/JDK-8058624

On 16 Sep 2014, at 22:07, Sean Mullan <sean.mul...@oracle.com> wrote:
> On 09/16/2014 11:27 AM, Vincent Ryan wrote:
>> Here's an updated webrev that supports including/excluding specific
>> JCA engines:
>>
>> Webrev: http://cr.openjdk.java.net/~vinnie/8056026/webrev.01/
>
> Looks good, although the doDebug boolean is making my head spin, is there an
> easier way to specify that?
>
> Also, can you open a corresponding docs bug to update the troubleshooting
> guide:
> http://docs.oracle.com/javase/8/docs/technotes/guides/security/troubleshooting-security.html
>
> --Sean
>
>>
>> For example, use the following to trace only MessageDigest and
>> Signature engines:
>>
>> -Djava.security.debug=provider:engine=MessageDigest,Signature
>>
>> and use the following to trace all supported engines:
>>
>> -Djava.security.debug=provider
>> or
>> -Djava.security.debug=all
>>
>> On 15/09/2014 16:57, Vincent Ryan wrote:
>>>
>>> On 15 Sep 2014, at 16:50, Sean Mullan <sean.mul...@oracle.com> wrote:
>>>
>>>> On 09/15/2014 11:34 AM, Vincent Ryan wrote:
>>>>> Originally I did support tracing for MessageDigest but removed it
>>>>> because of the huge quantity of log messages that were generated.
>>>>> Hashes are very widely used before an application even starts.
>>>>> SecureRandom is similar.
>>>>
>>>> Hmm, it would be nice to specify the engine classes you want to see.
>>>> Maybe that's too much work right now, but something like:
>>>>
>>>> java -Djava.security.debug="provider engine=MessageDigest,Signature" …
>>>
>>> We can log the JCE provider for all engine classes by default and also
>>> support a filtering mechanism using the 'engine' sub-option as you
>>> suggest above.
>>>
>>>>
>>>>> Also I omitted KeyStore log messages because there is usually only a
>>>>> single implementation for a given keystore type so the
>>>>> JCE provider which has been selected is obvious. I’ll add support
>>>>> for KeyStore.
>>>>
>>>> Ok. I think it would be primarily useful to see the KeyStore when
>>>> PKCS11 is used with unextractable keys to help debug any subsequent
>>>> delayed provider selection.
>>>>
>>>> --Sean
>>>>
>>>>>
>>>>> On 15 Sep 2014, at 16:12, Sean Mullan <sean.mul...@oracle.com> wrote:
>>>>>
>>>>>> Can you also add similar log messages for MessageDigest,
>>>>>> SecureRandom, and KeyStore?
>>>>>>
>>>>>> Otherwise looks good. Please add a noreg label. Also the fix is
>>>>>> helpful to any platform and not just solaris/sparc so you should
>>>>>> change those fields to be generic.
>>>>>>
>>>>>> --Sean
>>>>>>
>>>>>> On 09/12/2014 11:11 AM, Vincent Ryan wrote:
>>>>>>>
>>>>>>> Please review this change to display the JCE provider that has been
>>>>>>> selected for common crypto operations.
>>>>>>> This aids troubleshooting crypto applications when a given crypto
>>>>>>> algorithm is supported by several JCE providers.
>>>>>>> Some crypto operations delay selecting a provider until they
>>>>>>> examine the
>>>>>>> key supplied in the init() method.
>>>>>>> This fix also accommodates that behaviour.
>>>>>>>
>>>>>>> The following crypto operations are supported: Cipher, KeyAgreement,
>>>>>>> KeyGenerator, KeyPairGenerator, Mac and Signature.
>>>>>>> To see these new messages, activate JCE provider debugging as normal.
>>>>>>> For example,
>>>>>>>
>>>>>>> % java -Djava.security.debug=provider MySSLClientApp
>>>>>>> :
>>>>>>> Provider: Signature.SHA256withRSA verification from: SunRsaSign
>>>>>>> Provider: Signature.SHA256withRSA verification from: SunRsaSign
>>>>>>> Provider: Signature.SHA256withRSA verification from: SunRsaSign
>>>>>>> Provider: Signature.SHA1withDSA verification from: SunPKCS11-Solaris
>>>>>>> Provider: Signature.SHA1withDSA verification from: SunPKCS11-Solaris
>>>>>>> Provider: Signature.MD5withRSA verification from: SunPKCS11-Solaris
>>>>>>> Provider: Signature.MD5withRSA verification from: SunPKCS11-Solaris
>>>>>>> Provider: Signature.SHA256withRSA verification from: SunRsaSign
>>>>>>> Provider: Signature.SHA256withRSA verification from: SunRsaSign
>>>>>>> Provider: KeyPairGenerator.EC from: SunPKCS11-Solaris
>>>>>>> Provider: Signature.SHA256withRSA verification from: SunRsaSign
>>>>>>> Provider: Signature.SHA256withRSA verification from: SunRsaSign
>>>>>>> Provider: Cipher.AES/GCM/NoPadding encryption from: SunJCE
>>>>>>> Provider: KeyGenerator.SunTls12RsaPremasterSecret from: SunJCE
>>>>>>> Provider: Cipher.RSA/ECB/PKCS1Padding key wrapping from:
>>>>>>> SunPKCS11-Solaris
>>>>>>> Provider: KeyGenerator.SunTls12MasterSecret from: SunJCE
>>>>>>> Provider: KeyGenerator.SunTls12KeyMaterial from: SunJCE
>>>>>>> Provider: Signature.SHA512withRSA signing from: SunPKCS11-Solaris
>>>>>>> Provider: KeyGenerator.SunTls12Prf from: SunJCE
>>>>>>> Provider: Cipher.AES/GCM/NoPadding encryption from: SunJCE
>>>>>>> Provider: Cipher.AES/GCM/NoPadding decryption from: SunJCE
>>>>>>> Provider: KeyGenerator.SunTls12Prf from: SunJCE
>>>>>>> Provider: Cipher.AES/GCM/NoPadding encryption from: SunJCE
>>>>>>> Provider: Cipher.AES/GCM/NoPadding encryption from: SunJCE
>>>>>>> Provider: Cipher.AES/GCM/NoPadding decryption from: SunJCE
>>>>>>> Provider: KeyGenerator.SunTls12KeyMaterial from: SunJCE
>>>>>>> Provider: Cipher.AES/GCM/NoPadding decryption from: SunJCE
>>>>>>> Provider: Cipher.AES/GCM/NoPadding decryption from: SunJCE
>>>>>>> Provider: KeyGenerator.SunTls12Prf from: SunJCE
>>>>>>> Provider: KeyGenerator.SunTls12Prf from: SunJCE
>>>>>>> Provider: Cipher.AES/GCM/NoPadding encryption from: SunJCE
>>>>>>> Provider: Cipher.AES/GCM/NoPadding encryption from: SunJCE
>>>>>>> Provider: Cipher.AES/GCM/NoPadding decryption from: SunJCE
>>>>>>> Provider: Cipher.AES/GCM/NoPadding decryption from: SunJCE
>>>>>>> Provider: Cipher.AES/GCM/NoPadding decryption from: SunJCE
>>>>>>> Provider: Cipher.AES/GCM/NoPadding encryption from: SunJCE
>>>>>>> :
>>>>>>>
>>>>>>> Thanks.
>>>>>>>
>>>>>>> Bug: https://bugs.openjdk.java.net/browse/JDK-8056026
>>>>>>> Webrev: http://cr.openjdk.java.net/~vinnie/8056026/webrev.00/
>>>>>
>>>
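
A small parser for the `Provider: <Engine>.<algorithm> [operation] from: <provider>` trace lines quoted in the thread, added here as an illustration and not part of the thread or of the JDK change. It summarises which provider served each engine class; the function names and the handling of mail-wrapped lines are assumptions of this example.

```python
import re
from collections import Counter, defaultdict

# Line shape taken from the sample output quoted in the thread:
#   Provider: <Engine>.<algorithm> [<operation>] from: <provider>
LINE = re.compile(r"Provider:\s+(\w+)\.(\S+)(?:\s+(.+?))?\s+from:\s*(\S+)?\s*$")

# Constructed sample: lines copied from the thread's output, including the
# mail-wrapped "key wrapping" entry and one line without ">" quote markers.
SAMPLE = """\
>>>>>>> Provider: Signature.SHA256withRSA verification from: SunRsaSign
>>>>>>> Provider: Signature.SHA1withDSA verification from: SunPKCS11-Solaris
>>>>>>> Provider: KeyPairGenerator.EC from: SunPKCS11-Solaris
>>>>>>> Provider: Cipher.AES/GCM/NoPadding encryption from: SunJCE
>>>>>>> Provider: Cipher.RSA/ECB/PKCS1Padding key wrapping from:
>>>>>>> SunPKCS11-Solaris
Provider: Cipher.AES/GCM/NoPadding decryption from: SunJCE
"""

def parse_trace(text):
    """Return (engine, algorithm, operation, provider) tuples from a trace."""
    records, pending = [], None
    for raw in text.splitlines():
        line = raw.lstrip("> \t").rstrip()       # drop e-mail quote markers
        if pending and line and " " not in line:
            records.append(pending + (line,))    # provider wrapped onto this line
            pending = None
            continue
        pending = None
        m = LINE.match(line)
        if not m:
            continue                             # ":" separators, other output
        engine, algorithm, operation, provider = m.groups()
        if provider is None:
            pending = (engine, algorithm, operation)
        else:
            records.append((engine, algorithm, operation, provider))
    return records

def providers_by_engine(records):
    """Map each engine class to a Counter of the providers that served it."""
    summary = defaultdict(Counter)
    for engine, _algorithm, _operation, provider in records:
        summary[engine][provider] += 1
    return dict(summary)

def split_engines(records):
    """Engine classes that were served by more than one provider."""
    return sorted(e for e, c in providers_by_engine(records).items() if len(c) > 1)
```

Feeding it the stderr of a run started with `-Djava.security.debug=provider` gives a per-engine view of where operations landed, which is the question the trace was added to answer.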