-
Notifications
You must be signed in to change notification settings - Fork 5.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
8292033: Move jdk.X509Certificate event logic to JCA layer #10422
Conversation
👋 Welcome back coffeys! A progress list of the required criteria for merging this PR into |
/label remove core-libs |
@AlanBateman |
@@ -31,6 +31,15 @@ | |||
*/ | |||
|
|||
public final class X509CertificateEvent extends Event { | |||
private final static X509CertificateEvent EVENT = new X509CertificateEvent(); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Use blessed modifiers order
private final static X509CertificateEvent EVENT = new X509CertificateEvent(); | |
private static final X509CertificateEvent EVENT = new X509CertificateEvent(); |
"CN=SSLCertificate, O=SomeCompany", | ||
"CN=Intermediate CA Cert, O=SomeCompany", | ||
"CN=SSLCertificate,O=SomeCompany", | ||
"CN=Intermediate CA Cert,O=SomeCompany", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why remove the spaces? X500Name::toString
always has them.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Code was modified to use the X509Certificate API (rather than X509CertImpl)
it's using the X500Principal#getName() call now. Would it be better to use X500Principal#toString() ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If you are only writing there and not parsing the string, then I assume either is OK. Still, less change is better.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
fair point. I updated patch to use X500Principal#toString()
I think this will miss cases where the certificates are part of a chain, and the application (or JDK code) is calling I think this is fixable though. In these methods, you can iterate over the certificates that are in the |
Actually, I think the previous code missed these cases as well. But I think it is important to try to fix this. If not as part of this issue, then a separate issue. It is just for the cases where the above methods take an |
Thanks for the feedback Sean. Yes - this event should also cater for the internal Some look a bit suspicious perhaps ? I see OCSP/CertPath type calls to I'll study further and see if we can maximize the number of X509Certificate JFR events that are captured. |
If this event is mainly for public access through the |
Yes, that code should ideally go through There's some old code in |
on further reading, it turns out that code like Recording cert events from I've beefed up the test logic to cover the various CertificateFactory methods that raised concern. I also included a CertAndGen example to cover what keytool might do in such scenarios. @seanjmullan - I'll log a new bug to cover the |
@@ -285,6 +286,7 @@ private DerValue readRFC1421Cert(InputStream in) throws IOException { | |||
*/ | |||
public X509CertImpl(X509CertInfo certInfo) { | |||
this.info = certInfo; | |||
JCAUtil.tryCommitCertEvent(this); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why do we need to record this as an event? This is an incomplete (unsigned) certificate.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
good point. this constructor is mainly used by keytool. Would it make sense if I committed the event after the cert details are signed ?
Do you think it is that useful to have keytool record events? Ok, I guess some apps could be execing keytool, but that would be in a separate process, and probably wouldn't have JFR enabled. Also, these certs, if used for authentication usages will eventually come back into the runtime through CertificateFactory. |
I figured it would be useful. keytool is an important generator of X509 certs. Why not give the opportunity to record them if JFR is enabled etc ? -J-XX:StartFlightRecording passed to keytool is sufficient to capture a recording. The certs could be deployed out to any software stack I guess. Java being one possibility. I see your point about recording of constructor with X509CertInfo now. The keytool eventually re-loads the newly generated cert. I'll look at editing. (duplicate record)
|
I think the threat level is a bit different than certificates that are actually parsed and potentially being used by applications to authenticate servers, etc, so I would be wary of treating these events with equivalence. These certificates may never be used by applications, and if they are, then there will be an event for that. Also with keytool, you have direct control over what algorithms, key sizes, validity, etc are being used, whereas in an app case, you don't really know until you parse the certificate and see what it contains. |
I'd agree with your thoughts. While it may not be a threat level, it's still a useful information point, especially in environments where hard coded values might get embedded in some type of key generation tool. Not many might be interested but there's a option there now with JFR to view this data at least. I don't think many will configure keytool to run with JFR. Happy to revert the keytool change but I don't see it being too invasive in code changes. |
My vote would be to leave it out. |
@coffeys this pull request can not be integrated into git checkout 8292033-x509Event
git fetch https://git.openjdk.org/jdk master
git merge FETCH_HEAD
# resolve conflicts and follow the instructions given by git merge
git commit -m "Merge master"
git push |
I'm fine with that suggestion Sean. I've removed the event form the CertAndGen class. Turns out that the keytool will load the new cert via the standard Tests modified also to capture this. [1]
|
@coffeys This change now passes all automated pre-integration checks. ℹ️ This project also has non-automated pre-integration requirements. Please see the file CONTRIBUTING.md for details. After integration, the commit message for the final commit will be:
You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed. At the time when this comment was updated there had been 5 new commits pushed to the
Please see this link for an up-to-date comparison between the source branch of this pull request and the ➡️ To integrate this PR with the above commit message to the |
/integrate |
Going to push as commit 102b2b3.
Your commit was automatically rebased without conflicts. |
By moving the JFR event up to the java.security.cert.CertificateFactory class, we can record all generate cert events, including those from 3rd party providers. I've also altered the logic so that an event is genertate for every generate cert call (not just ones missing from the JDK provider implementation cache)
test case also updated to capture new logic
Progress
Issue
Reviewers
Reviewing
Using
git
Checkout this PR locally:
$ git fetch https://git.openjdk.org/jdk pull/10422/head:pull/10422
$ git checkout pull/10422
Update a local copy of the PR:
$ git checkout pull/10422
$ git pull https://git.openjdk.org/jdk pull/10422/head
Using Skara CLI tools
Checkout this PR locally:
$ git pr checkout 10422
View PR using the GUI difftool:
$ git pr show -t 10422
Using diff file
Download this PR as a diff file:
https://git.openjdk.org/jdk/pull/10422.diff