8327818: Implement Kerberos debug with sun.security.util.Debug

Reviewed-by: coffeys, ssahoo

Author: wangweij

src/java.base/share/classes/sun/security/util/Debug.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1998, 2023, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1998, 2024, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -159,6 +159,33 @@ public static Debug getInstance(String option, String prefix)
         }
     }
 
+    /**
+     * Get a Debug object corresponding to the given option on the given
+     * property value.
+     * <p>
+     * Note: unlike other {@code getInstance} methods, this method does not
+     * use the {@code java.security.debug} system property.
+     * <p>
+     * Usually, this method is used by other individual area-specific debug
+     * settings. For example,
+     * {@snippet lang=java:
+     * Map<String, String> settings = loadLoginSettings();
+     * String property = settings.get("login");
+     * Debug debug = Debug.of("login", property);
+     * }
+     * @param option the debug option name
+     * @param property debug setting for this option
+     * @return a new Debug object if the property is true
+     */
+    public static Debug of(String option, String property) {
+        if ("true".equalsIgnoreCase(property)) {
+            Debug d = new Debug();
+            d.prefix = option;
+            return d;
+        }
+        return null;
+    }
+
     /**
      * True if the system property "security.debug" contains the
      * string "option".

src/java.security.jgss/macosx/native/libosxkrb5/nativeccache.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2011, 2019, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2011, 2024, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -81,7 +81,7 @@ static jclass FindClass(JNIEnv *env, char *className)
     jclass cls = (*env)->FindClass(env, className);
 
     if (cls == NULL) {
-        printf("Couldn't find %s\n", className);
+        fprintf(stderr, "Couldn't find %s\n", className);
         return NULL;
     }
 
@@ -129,49 +129,49 @@ JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *jvm, void *reserved)
 
     ticketConstructor = (*env)->GetMethodID(env, ticketClass, "<init>", "([B)V");
     if (ticketConstructor == 0) {
-        printf("Couldn't find Ticket constructor\n");
+        fprintf(stderr, "Couldn't find Ticket constructor\n");
         return JNI_ERR;
     }
 
     principalNameConstructor = (*env)->GetMethodID(env, principalNameClass, "<init>", "(Ljava/lang/String;I)V");
     if (principalNameConstructor == 0) {
-        printf("Couldn't find PrincipalName constructor\n");
+        fprintf(stderr, "Couldn't find PrincipalName constructor\n");
         return JNI_ERR;
     }
 
     encryptionKeyConstructor = (*env)->GetMethodID(env, encryptionKeyClass, "<init>", "(I[B)V");
     if (encryptionKeyConstructor == 0) {
-        printf("Couldn't find EncryptionKey constructor\n");
+        fprintf(stderr, "Couldn't find EncryptionKey constructor\n");
         return JNI_ERR;
     }
 
     ticketFlagsConstructor = (*env)->GetMethodID(env, ticketFlagsClass, "<init>", "(I[B)V");
     if (ticketFlagsConstructor == 0) {
-        printf("Couldn't find TicketFlags constructor\n");
+        fprintf(stderr, "Couldn't find TicketFlags constructor\n");
         return JNI_ERR;
     }
 
     kerberosTimeConstructor = (*env)->GetMethodID(env, kerberosTimeClass, "<init>", "(J)V");
     if (kerberosTimeConstructor == 0) {
-        printf("Couldn't find KerberosTime constructor\n");
+        fprintf(stderr, "Couldn't find KerberosTime constructor\n");
         return JNI_ERR;
     }
 
     integerConstructor = (*env)->GetMethodID(env, javaLangIntegerClass, "<init>", "(I)V");
     if (integerConstructor == 0) {
-        printf("Couldn't find Integer constructor\n");
+        fprintf(stderr, "Couldn't find Integer constructor\n");
         return JNI_ERR;
     }
 
     hostAddressConstructor = (*env)->GetMethodID(env, hostAddressClass, "<init>", "(I[B)V");
     if (hostAddressConstructor == 0) {
-        printf("Couldn't find HostAddress constructor\n");
+        fprintf(stderr, "Couldn't find HostAddress constructor\n");
         return JNI_ERR;
     }
 
     hostAddressesConstructor = (*env)->GetMethodID(env, hostAddressesClass, "<init>", "([Lsun/security/krb5/internal/HostAddress;)V");
     if (hostAddressesConstructor == 0) {
-        printf("Couldn't find HostAddresses constructor\n");
+        fprintf(stderr, "Couldn't find HostAddresses constructor\n");
         return JNI_ERR;
     }
 
@@ -376,7 +376,7 @@ JNIEXPORT jobject JNICALL Java_sun_security_krb5_Credentials_acquireDefaultNativ
                         krbcredsConstructor = (*env)->GetMethodID(env, krbcredsClass, "<init>",
                                                                   "(Lsun/security/krb5/internal/Ticket;Lsun/security/krb5/PrincipalName;Lsun/security/krb5/PrincipalName;Lsun/security/krb5/PrincipalName;Lsun/security/krb5/PrincipalName;Lsun/security/krb5/EncryptionKey;Lsun/security/krb5/internal/TicketFlags;Lsun/security/krb5/internal/KerberosTime;Lsun/security/krb5/internal/KerberosTime;Lsun/security/krb5/internal/KerberosTime;Lsun/security/krb5/internal/KerberosTime;Lsun/security/krb5/internal/HostAddresses;)V");
                         if (krbcredsConstructor == 0) {
-                            printf("Couldn't find sun.security.krb5.internal.Ticket constructor\n");
+                            fprintf(stderr, "Couldn't find sun.security.krb5.internal.Ticket constructor\n");
                             break;
                         }
                     }

src/java.security.jgss/share/classes/javax/security/auth/kerberos/ServicePermission.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000, 2023, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2024, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -447,43 +447,6 @@ private void readObject(java.io.ObjectInputStream s)
         s.defaultReadObject();
         init(getName(),getMask(actions));
     }
-
-
-    /*
-      public static void main(String[] args) throws Exception {
-      ServicePermission this_ =
-      new ServicePermission(args[0], "accept");
-      ServicePermission that_ =
-      new ServicePermission(args[1], "accept,initiate");
-      System.out.println("-----\n");
-      System.out.println("this.implies(that) = " + this_.implies(that_));
-      System.out.println("-----\n");
-      System.out.println("this = "+this_);
-      System.out.println("-----\n");
-      System.out.println("that = "+that_);
-      System.out.println("-----\n");
-
-      KrbServicePermissionCollection nps =
-      new KrbServicePermissionCollection();
-      nps.add(this_);
-      nps.add(new ServicePermission("nfs/example.com@EXAMPLE.COM",
-      "accept"));
-      nps.add(new ServicePermission("host/example.com@EXAMPLE.COM",
-      "initiate"));
-      System.out.println("nps.implies(that) = " + nps.implies(that_));
-      System.out.println("-----\n");
-
-      Enumeration e = nps.elements();
-
-      while (e.hasMoreElements()) {
-      ServicePermission x =
-      (ServicePermission) e.nextElement();
-      System.out.println("nps.e = " + x);
-      }
-
-      }
-    */
-
 }
 
 

src/java.security.jgss/share/classes/sun/net/www/protocol/http/spnego/NegotiatorImpl.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2005, 2023, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2024, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -35,7 +35,6 @@
 
 import sun.net.www.protocol.http.HttpCallerInfo;
 import sun.net.www.protocol.http.Negotiator;
-import sun.security.action.GetBooleanAction;
 import sun.security.action.GetPropertyAction;
 import sun.security.jgss.GSSManagerImpl;
 import sun.security.jgss.GSSContextImpl;
@@ -45,6 +44,8 @@
 import sun.security.util.ChannelBindingException;
 import sun.security.util.TlsChannelBinding;
 
+import static sun.security.krb5.internal.Krb5.DEBUG;
+
 /**
  * This class encapsulates all JAAS and JGSS API calls in a separate class
  * outside NegotiateAuthentication.java so that J2SE build can go smoothly
@@ -55,9 +56,6 @@
  */
 public class NegotiatorImpl extends Negotiator {
 
-    private static final boolean DEBUG =
-            GetBooleanAction.privilegedGetProperty("sun.security.krb5.debug");
-
     private GSSContext context;
     private byte[] oneToken;
 
@@ -105,8 +103,8 @@ private void init(HttpCallerInfo hci) throws GSSException, ChannelBindingExcepti
             ((GSSContextImpl)context).requestDelegPolicy(true);
         }
         if (hci.serverCert != null) {
-            if (DEBUG) {
-                System.out.println("Negotiate: Setting CBT");
+            if (DEBUG != null) {
+                DEBUG.println("Negotiate: Setting CBT");
             }
             // set the channel binding token
             TlsChannelBinding b = TlsChannelBinding.create(hci.serverCert);
@@ -123,8 +121,8 @@ public NegotiatorImpl(HttpCallerInfo hci) throws IOException {
         try {
             init(hci);
         } catch (GSSException | ChannelBindingException e) {
-            if (DEBUG) {
-                System.out.println("Negotiate support not initiated, will " +
+            if (DEBUG != null) {
+                DEBUG.println("Negotiate support not initiated, will " +
                         "fallback to other scheme if allowed. Reason:");
                 e.printStackTrace();
             }
@@ -160,9 +158,9 @@ public byte[] nextToken(byte[] token) throws IOException {
             }
             return context.initSecContext(token, 0, token.length);
         } catch (GSSException e) {
-            if (DEBUG) {
-                System.out.println("Negotiate support cannot continue. Reason:");
-                e.printStackTrace();
+            if (DEBUG != null) {
+                DEBUG.println("Negotiate support cannot continue. Reason:");
+                e.printStackTrace(DEBUG.getPrintStream());
             }
             throw new IOException("Negotiate support cannot continue", e);
         }
@@ -181,9 +179,9 @@ public void disposeContext() throws IOException {
                 context.dispose();
             }
         } catch (GSSException e) {
-            if (DEBUG) {
-                System.out.println("Cannot release resources. Reason:");
-                e.printStackTrace();
+            if (DEBUG != null) {
+                DEBUG.println("Cannot release resources. Reason:");
+                e.printStackTrace(DEBUG.getPrintStream());
             }
             throw new IOException("Cannot release resources", e);
         };

src/java.security.jgss/share/classes/sun/security/jgss/GSSCredentialImpl.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000, 2022, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2024, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -90,7 +90,7 @@ protected GSSCredentialImpl(GSSCredentialImpl src) {
             } catch (GSSException e) {
                 if (defaultList) {
                     // Try the next mechanism
-                    if (GSSUtil.DEBUG) {
+                    if (GSSUtil.DEBUG != null) {
                         GSSUtil.debug("Ignore " + e + " while acquiring cred for "
                                 + mechs[i]);
                         // e.printStackTrace();

src/java.security.jgss/share/classes/sun/security/jgss/GSSHeader.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000, 2022, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2024, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -317,25 +317,4 @@ private int putLength(int len, OutputStream out) throws IOException {
 
         return retVal;
     }
-
-    // XXX Call these two in some central class
-    private void debug(String str) {
-        System.err.print(str);
-    }
-
-    private  String getHexBytes(byte[] bytes, int len)
-        throws IOException {
-
-        StringBuilder sb = new StringBuilder();
-        for (int i = 0; i < len; i++) {
-
-            int b1 = (bytes[i] >> 4) & 0x0f;
-            int b2 = bytes[i] & 0x0f;
-
-            sb.append(Integer.toHexString(b1));
-            sb.append(Integer.toHexString(b2));
-            sb.append(' ');
-        }
-        return sb.toString();
-    }
 }

src/java.security.jgss/share/classes/sun/security/jgss/GSSManagerImpl.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000, 2022, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2024, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -88,7 +88,7 @@ public Oid[] getMechsForName(Oid nameType){
                 }
             } catch (GSSException e) {
                 // Squelch it and just skip over this mechanism
-                if (GSSUtil.DEBUG) {
+                if (GSSUtil.DEBUG != null) {
                     GSSUtil.debug("Skip " + mech +
                             ": error retrieving supported name types");
                 }