
8312383: Log X509ExtendedKeyManager implementation class name in TLS/SSL connection #17742

Closed (6 commits)

Conversation

pkumaraswamy (Contributor) commented Feb 7, 2024

During server certificate validation, users have the flexibility to use a custom X509 Key Manager implementation by extending "X509ExtendedKeyManager".
In such cases, printing the class name in X509Authentication.java will be helpful to trace any failure of the SSL connection due to a certificate issue.

I've tested the code by running the custom X509 manager, the default X509 manager, and passing the null key manager.
The screenshots are attached here.
x509_log_testing.zip

Also, the internal test runs against this fix are green.
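The situation the description refers to, a user-supplied X509ExtendedKeyManager that the SSLContext hands back to X509Authentication, as an added example; this is not code from the PR or from the JDK. The class wraps the key manager produced by the default KeyManagerFactory and reports every alias decision, so that a handshake in which no certificate was sent can be tied to the selection step rather than discovered later as an alert. The class name TracingKeyManager, the System.Logger, and the empty in-memory keystore built in main are all constructed for illustration; with this manager installed, the class name that the patched X509Authentication logs is TracingKeyManager rather than the JDK's own implementation.

```java
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.X509ExtendedKeyManager;

/**
 * Illustrative custom key manager (not JDK code): delegates to the JDK's default
 * X509ExtendedKeyManager and reports each alias decision. Because it extends
 * X509ExtendedKeyManager, SSLContext#getX509KeyManager() returns this object,
 * so the class name logged by X509Authentication is "TracingKeyManager".
 */
public final class TracingKeyManager extends X509ExtendedKeyManager {
    private static final System.Logger LOG = System.getLogger(TracingKeyManager.class.getName());
    private final X509ExtendedKeyManager delegate;

    public TracingKeyManager(X509ExtendedKeyManager delegate) {
        this.delegate = delegate;
    }

    /** Wrap the first X509ExtendedKeyManager the default factory produces for this keystore. */
    public static TracingKeyManager wrapDefault(KeyStore keyStore, char[] keyPassword) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyPassword);
        for (KeyManager km : kmf.getKeyManagers()) {
            if (km instanceof X509ExtendedKeyManager x509) {
                return new TracingKeyManager(x509);
            }
        }
        throw new IllegalStateException("factory returned no X509ExtendedKeyManager");
    }

    /** Install the wrapped manager; trust managers stay at the platform default. */
    public static SSLContext newContext(TracingKeyManager km) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(new KeyManager[] { km }, null, null);
        return ctx;
    }

    private static String report(String where, Object keyTypes, String alias) {
        // A null alias is the case worth tracing: the handshake will send no certificate.
        LOG.log(System.Logger.Level.INFO, "{0}: keyTypes={1} -> alias={2}",
                where, keyTypes, alias == null ? "<none, no certificate sent>" : alias);
        return alias;
    }

    @Override public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket socket) {
        return report("chooseClientAlias", Arrays.toString(keyTypes),
                delegate.chooseClientAlias(keyTypes, issuers, socket));
    }
    @Override public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
        return report("chooseServerAlias", keyType,
                delegate.chooseServerAlias(keyType, issuers, socket));
    }
    // SSLEngine variants: the base class returns null here unless overridden, which
    // would silently disable certificates on engine-based (NIO) stacks.
    @Override public String chooseEngineClientAlias(String[] keyTypes, Principal[] issuers, SSLEngine engine) {
        return report("chooseEngineClientAlias", Arrays.toString(keyTypes),
                delegate.chooseEngineClientAlias(keyTypes, issuers, engine));
    }
    @Override public String chooseEngineServerAlias(String keyType, Principal[] issuers, SSLEngine engine) {
        return report("chooseEngineServerAlias", keyType,
                delegate.chooseEngineServerAlias(keyType, issuers, engine));
    }
    @Override public String[] getClientAliases(String keyType, Principal[] issuers) {
        return delegate.getClientAliases(keyType, issuers);
    }
    @Override public String[] getServerAliases(String keyType, Principal[] issuers) {
        return delegate.getServerAliases(keyType, issuers);
    }
    @Override public X509Certificate[] getCertificateChain(String alias) {
        return delegate.getCertificateChain(alias);
    }
    @Override public PrivateKey getPrivateKey(String alias) {
        return delegate.getPrivateKey(alias);
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: an empty in-memory PKCS12 store, so every lookup reports <none>.
        // In real use, load the PKCS12 file that holds the client or server key instead.
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);
        TracingKeyManager km = wrapDefault(ks, new char[0]);
        SSLContext ctx = newContext(km);
        // The same decision the handshake makes when the peer requests an RSA certificate.
        km.chooseClientAlias(new String[] { "RSA" }, null, null);
        System.out.println(ctx.getProtocol() + " context initialised with " + km.getClass().getName());
    }
}
```

Run with -Djavax.net.debug=ssl to see the JDK's own "ssl" category output alongside the tracing lines; that switch is what turns SSLLogger.isOn("ssl") on. If the SSLContext is initialised with a null key manager array instead, the reviewers in the thread below point out that the JDK substitutes a dummy key manager, so the logged class name identifies that substitute rather than reading "null".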


Progress

  • Change must be properly reviewed (1 review required, with at least 1 Reviewer)
  • Change must not contain extraneous whitespace
  • Commit message must refer to an issue

Issue

  • JDK-8312383: Log X509ExtendedKeyManager implementation class name in TLS/SSL connection (Enhancement - P4)

Reviewing

Using git

Checkout this PR locally:
$ git fetch https://git.openjdk.org/jdk.git pull/17742/head:pull/17742
$ git checkout pull/17742

Update a local copy of the PR:
$ git checkout pull/17742
$ git pull https://git.openjdk.org/jdk.git pull/17742/head

Using Skara CLI tools

Checkout this PR locally:
$ git pr checkout 17742

View PR using the GUI difftool:
$ git pr show -t 17742

Using diff file

Download this PR as a diff file:
https://git.openjdk.org/jdk/pull/17742.diff


bridgekeeper bot commented Feb 7, 2024

👋 Welcome back pkumaraswamy! A progress list of the required criteria for merging this PR into master will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.

openjdk bot commented Feb 7, 2024

@pkumaraswamy The following label will be automatically applied to this pull request:

  • security

When this pull request is ready to be reviewed, an "RFR" email will be sent to the corresponding mailing list. If you would like to change these labels, use the /label pull request command.

openjdk bot added the labels "security" (security-dev@openjdk.org) and "rfr" (Pull request is ready for review) on Feb 7, 2024
mlbridge bot commented Feb 7, 2024

Webrevs

@@ -201,6 +201,10 @@ public static SSLPossession createPossession(
private static SSLPossession createClientPossession(
ClientHandshakeContext chc, String[] keyTypes) {
X509ExtendedKeyManager km = chc.sslContext.getX509KeyManager();
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
SSLLogger.finest("X509ExtendedKeyManager being used: " +
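Review bot: createServerPossession needs the same log line; this hunk instruments only createClientPossession, and a server that silently selects no certificate is the case operators most need to trace. The added statement is also cut off in this view after the `+` on `SSLLogger.finest("X509ExtendedKeyManager being used: " +`, so the value being logged is not visible here; a shorter, searchable prefix such as "X509KeyManager class: " (suggested in the thread) would be easier to grep in javax.net.debug output than the current sentence-style message.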
Contributor commented:

Could the JBS title be made more descriptive? It's quite vague.

I wonder if "X509KeyManager class: " would be better for displaying.

createServerPossession would also benefit from this logging enhancement. I wonder if this belongs in logging during SSLContext creation time instead. Other security-dev engineers may have an opinion on that.

IIRC, there's another issue open where we iterate over the certificate contexts of custom tm/km types. The JDK src does it at the moment for the default tm/km but no output is given for custom impls. Will be good to have that tied up at some stage also.

Contributor Author commented:

I have changed the title to reflect the specific change made here.
I'll make changes in createServerPossession as well.

Contributor Author commented:

I have made the changes and attached the testing snapshots as a zip file in the bug description.

Contributor Author commented:

I have made changes to the log statement.

@@ -201,6 +201,10 @@ public static SSLPossession createPossession(
private static SSLPossession createClientPossession(
ClientHandshakeContext chc, String[] keyTypes) {
X509ExtendedKeyManager km = chc.sslContext.getX509KeyManager();
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
SSLLogger.finest("X509ExtendedKeyManager being used: " +
(km == null ? "null" : km.getClass().getName()));
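Review bot: the null branch in `(km == null ? "null" : km.getClass().getName())` guards a case that, per the discussion on this PR, does not occur, because the context substitutes a dummy key manager when none is configured; either drop the ternary and log `km.getClass().getName()` directly, or keep it and add a one-line comment saying it is a defensive check, so a later reader does not conclude that getX509KeyManager() can return null. Either way the message is emitted at finest under the "ssl" category, so it only appears with javax.net.debug=ssl enabled, which is worth stating in the JBS issue since that is where users will look for it.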
Contributor commented:

Do you need to cater for null? I thought a dummy manager is returned in such scenarios.

Contributor Author commented:

No, I did verify that it always returns the dummy manager even when the key manager is initialized as null. I added this as a safety net. I'll remove it.

pkumaraswamy changed the title from "8312383: Improve SSL debug log" to "8312383: Log X509ExtendedKeyManager implementation class name in TLS/SSL connection" on Feb 7, 2024
bridgekeeper bot commented Mar 7, 2024

@pkumaraswamy This pull request has been inactive for more than 4 weeks and will be automatically closed if another 4 weeks passes without any activity. To avoid this, simply add a new comment to the pull request. Feel free to ask for assistance if you need help with progressing this pull request towards integration!

pkumaraswamy (Contributor Author) commented:

Adding a comment to avoid auto-closure of the PR.

pkumaraswamy (Contributor Author) commented Mar 8, 2024

I have tested the latest changes, and the snapshot is attached:
x509kmprintlogs_v3.zip

coffeys (Contributor) left a review comment:

Looks good.

openjdk bot commented Mar 8, 2024

@pkumaraswamy This change now passes all automated pre-integration checks.

ℹ️ This project also has non-automated pre-integration requirements. Please see the file CONTRIBUTING.md for details.

After integration, the commit message for the final commit will be:

8312383: Log X509ExtendedKeyManager implementation class name in TLS/SSL connection

Reviewed-by: coffeys

You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed.

At the time when this comment was updated there had been no new commits pushed to the master branch. If another commit should be pushed before you perform the /integrate command, your PR will be automatically rebased. If you prefer to avoid any potential automatic rebasing, please check the documentation for the /integrate command for further details.

As you do not have Committer status in this project an existing Committer must agree to sponsor your change. Possible candidates are the reviewers of this PR (@coffeys) but any other Committer may sponsor as well.

➡️ To flag this PR as ready for integration with the above commit message, type /integrate in a new comment. (Afterwards, your sponsor types /sponsor in a new comment to perform the integration).

openjdk bot added the label "ready" (Pull request is ready to be integrated) on Mar 8, 2024
pkumaraswamy (Contributor Author) commented:

/integrate

openjdk bot added the label "sponsor" (Pull request is ready to be sponsored) on Mar 8, 2024
openjdk bot commented Mar 8, 2024

@pkumaraswamy
Your change (at version bb0a54e) is now ready to be sponsored by a Committer.

coffeys (Contributor) commented Mar 8, 2024

/sponsor

openjdk bot commented Mar 8, 2024

Going to push as commit bdd1aeb.
Since your change was applied there has been 1 commit pushed to the master branch:

  • fb4610e: 8327444: simplify RESTARTABLE macro usage in JDK codebase

Your commit was automatically rebased without conflicts.

openjdk bot added the label "integrated" (Pull request has been integrated) on Mar 8, 2024
openjdk bot closed this on Mar 8, 2024
openjdk bot removed the labels "ready" (Pull request is ready to be integrated), "rfr" (Pull request is ready for review) and "sponsor" (Pull request is ready to be sponsored) on Mar 8, 2024
openjdk bot commented Mar 8, 2024

@coffeys @pkumaraswamy Pushed as commit bdd1aeb.

💡 You may see a message that your pull request was closed with unmerged commits. This can be safely ignored.
