Thanks for tackling this one, Vinnie. It'll certainly help better debug environments
where several providers are available to perform similar crypto operations.

One minor suggestion might be to use a simple boolean to control whether
the engine provider info gets printed.

i.e. change "private static final boolean skipDebug = Debug.isOn("engine=") && !Debug.isOn("XXX");"
to "private static final boolean printProviderEngine =
          pdebug != null && Debug.isOn("engine=") && Debug.isOn("XXX");"

Might read better but minor like I say.

regards,
Sean.

On 17/09/14 11:33, Vincent Ryan wrote:
I’ve renamed that boolean flag and inverted its logic:

- privatestaticfinalbooleandoDebug = !(Debug.isOn("engine=") && !Debug.isOn(“XXX")); + privatestaticfinalbooleanskipDebug = Debug.isOn("engine=") && !Debug.isOn(“XXX”);
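
Review bot: skipDebug on the + line is the exact negation of the removed doDebug (`!(A && !B)` versus `A && !B`), so every site that tested `doDebug` must now test `!skipDebug`, and none of those call sites are visible here; confirm in the webrev that each one was flipped. The flag is also still a negative that callers negate again, so a positively named boolean would make the use sites easier to read.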


Updated webrev: http://cr.openjdk.java.net/~vinnie/8056026/webrev.02/

Docs bug: https://bugs.openjdk.java.net/browse/JDK-8058624


On 16 Sep 2014, at 22:07, Sean Mullan <sean.mul...@oracle.com> wrote:

On 09/16/2014 11:27 AM, Vincent Ryan wrote:
Here's an updated webrev that supports including/excluding specific
JCA engines:

Webrev: http://cr.openjdk.java.net/~vinnie/8056026/webrev.01/

Looks good, although the doDebug boolean is making my head spin, is there an easier way to specify that?

Also, can you open a corresponding docs bug to update the troubleshooting guide: http://docs.oracle.com/javase/8/docs/technotes/guides/security/troubleshooting-security.html

--Sean



For example, use the following to trace only MessageDigest and
Signature engines:

    -Djava.security.debug=provider:engine=MessageDigest,Signature

and use the following to trace all supported engines:

    -Djava.security.debug=provider
or
    -Djava.security.debug=all



On 15/09/2014 16:57, Vincent Ryan wrote:

On 15 Sep 2014, at 16:50, Sean Mullan <sean.mul...@oracle.com> wrote:

On 09/15/2014 11:34 AM, Vincent Ryan wrote:
Originally I did support tracing for MessageDigest but removed it
because of the huge quantity of log messages that were generated.
Hashes are very widely used before an application even starts.
SecureRandom is similar.

Hmm, it would be nice to specify the engine classes you want to see.
Maybe that's too much work right now, but something like:

java -Djava.security.debug="provider engine=MessageDigest,Signature" …

We can log the JCE provider for all engine classes by default and also
support a filtering mechanism using the 'engine' sub-option as you
suggest above.



Also I omitted KeyStore log messages because there is usually only a
single implementation for a given keystore type so the
JCE provider which has been selected is obvious. I’ll add support
for KeyStore.

Ok. I think it would be primarily useful to see the KeyStore when
PKCS11 is used with unextractable keys to help debug any subsequent
delayed provider selection.

--Sean



On 15 Sep 2014, at 16:12, Sean Mullan <sean.mul...@oracle.com> wrote:

Can you also add similar log messages for MessageDigest,
SecureRandom, and KeyStore?

Otherwise looks good. Please add a noreg label. Also the fix is
helpful to any platform and not just solaris/sparc so you should
change those fields to be generic.

--Sean

On 09/12/2014 11:11 AM, Vincent Ryan wrote:

Please review this change to display the JCE provider that has been
selected for common crypto operations.
This aids troubleshooting crypto applications when a given crypto
algorithm is supported by several JCE providers.
Some crypto operations delay selecting a provider until they
examine the
key supplied in the init() method.
This fix also accommodates that behaviour.

The following crypto operations are supported: Cipher, KeyAgreement,
KeyGenerator, KeyPairGenerator, Mac and Signature.
To see these new messages, activate JCE provider debugging as normal.
For example,

% java -Djava.security.debug=provider MySSLClientApp
 :
Provider: Signature.SHA256withRSA verification from: SunRsaSign
Provider: Signature.SHA256withRSA verification from: SunRsaSign
Provider: Signature.SHA256withRSA verification from: SunRsaSign
Provider: Signature.SHA1withDSA verification from: SunPKCS11-Solaris
Provider: Signature.SHA1withDSA verification from: SunPKCS11-Solaris
Provider: Signature.MD5withRSA verification from: SunPKCS11-Solaris
Provider: Signature.MD5withRSA verification from: SunPKCS11-Solaris
Provider: Signature.SHA256withRSA verification from: SunRsaSign
Provider: Signature.SHA256withRSA verification from: SunRsaSign
Provider: KeyPairGenerator.EC from: SunPKCS11-Solaris
Provider: Signature.SHA256withRSA verification from: SunRsaSign
Provider: Signature.SHA256withRSA verification from: SunRsaSign
Provider: Cipher.AES/GCM/NoPadding encryption from: SunJCE
Provider: KeyGenerator.SunTls12RsaPremasterSecret from: SunJCE
Provider: Cipher.RSA/ECB/PKCS1Padding key wrapping from: SunPKCS11-Solaris
Provider: KeyGenerator.SunTls12MasterSecret from: SunJCE
Provider: KeyGenerator.SunTls12KeyMaterial from: SunJCE
Provider: Signature.SHA512withRSA signing from: SunPKCS11-Solaris
Provider: KeyGenerator.SunTls12Prf from: SunJCE
Provider: Cipher.AES/GCM/NoPadding encryption from: SunJCE
Provider: Cipher.AES/GCM/NoPadding decryption from: SunJCE
Provider: KeyGenerator.SunTls12Prf from: SunJCE
Provider: Cipher.AES/GCM/NoPadding encryption from: SunJCE
Provider: Cipher.AES/GCM/NoPadding encryption from: SunJCE
Provider: Cipher.AES/GCM/NoPadding decryption from: SunJCE
Provider: KeyGenerator.SunTls12KeyMaterial from: SunJCE
Provider: Cipher.AES/GCM/NoPadding decryption from: SunJCE
Provider: Cipher.AES/GCM/NoPadding decryption from: SunJCE
Provider: KeyGenerator.SunTls12Prf from: SunJCE
Provider: KeyGenerator.SunTls12Prf from: SunJCE
Provider: Cipher.AES/GCM/NoPadding encryption from: SunJCE
Provider: Cipher.AES/GCM/NoPadding encryption from: SunJCE
Provider: Cipher.AES/GCM/NoPadding decryption from: SunJCE
Provider: Cipher.AES/GCM/NoPadding decryption from: SunJCE
Provider: Cipher.AES/GCM/NoPadding decryption from: SunJCE
Provider: Cipher.AES/GCM/NoPadding encryption from: SunJCE
 :


Thanks.

Bug: https://bugs.openjdk.java.net/browse/JDK-8056026
Webrev: http://cr.openjdk.java.net/~vinnie/8056026/webrev.00/
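
The trace format shown in the original post can be summarised mechanically to see which provider served each engine and algorithm. The following is an added example, not part of the thread or of the JDK; the names `parse_trace`, `summarize` and `served_by` are hypothetical, and the sample is constructed from lines of the trace above, including one mail-wrapped record and two records run together on one line.

```python
import re
from collections import Counter, defaultdict
from typing import NamedTuple

class Selection(NamedTuple):
    engine: str      # JCA engine class, e.g. Signature, Cipher
    algorithm: str   # may contain slashes, e.g. AES/GCM/NoPadding
    operation: str   # "verification", "key wrapping", ... or "" if absent
    provider: str    # provider name printed after "from:"

# One record: "Provider: <engine>.<algorithm> [operation] from: <provider>"
RECORD = re.compile(r"Provider:\s+(\w+)\.(\S+)\s+([^:]*?)\s*from:\s+(\S+)")

# Sample input constructed from the trace quoted in the thread.
SAMPLE = """\
Provider: Signature.SHA256withRSA verification from: SunRsaSign
Provider: Signature.SHA256withRSA verification from: SunRsaSign
Provider: Signature.SHA1withDSA verification from: SunPKCS11-Solaris Provider: Signature.MD5withRSA verification from: SunPKCS11-Solaris
Provider: KeyPairGenerator.EC from: SunPKCS11-Solaris
 :
Provider: Cipher.AES/GCM/NoPadding encryption from: SunJCE
Provider: Cipher.RSA/ECB/PKCS1Padding key wrapping from:
SunPKCS11-Solaris
Provider: Signature.SHA512withRSA signing from: SunPKCS11-Solaris
"""

def parse_trace(text):
    """Return one Selection per record, tolerating wrapped or joined lines."""
    flat = " ".join(text.split())   # collapse mail line wraps
    return [Selection(*m.groups()) for m in RECORD.finditer(flat)]

def summarize(records):
    """Map 'Engine.algorithm' to {provider: number of selections}."""
    table = defaultdict(Counter)
    for r in records:
        table[f"{r.engine}.{r.algorithm}"][r.provider] += 1
    return {name: dict(counts) for name, counts in table.items()}

def served_by(records, provider):
    """Sorted 'Engine.algorithm' names that were handled by one provider."""
    return sorted({f"{r.engine}.{r.algorithm}"
                   for r in records if r.provider == provider})

if __name__ == "__main__":
    recs = parse_trace(SAMPLE)
    for name, counts in sorted(summarize(recs).items()):
        print(f"{name:35} {counts}")
    print("PKCS11:", served_by(recs, "SunPKCS11-Solaris"))
```
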



