8312383: Log X509ExtendedKeyManager implementation class name in TLS/SSL connection #17742
@@ -201,6 +201,10 @@ public static SSLPossession createPossession( | |||
private static SSLPossession createClientPossession( | |||
ClientHandshakeContext chc, String[] keyTypes) { | |||
X509ExtendedKeyManager km = chc.sslContext.getX509KeyManager(); | |||
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) { | |||
SSLLogger.finest("X509ExtendedKeyManager being used: " + |
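Review bot: the new log line is added only on the client side, inside createClientPossession; the server-side counterpart that picks a certificate from the same X509ExtendedKeyManager should emit the same class-name line, otherwise a server certificate selection failure with a custom key manager still gives no hint which implementation was in use. Note also that the last visible added line, `SSLLogger.finest("X509ExtendedKeyManager being used: " +`, ends mid-expression in this rendering, so the concatenated operand and the closing brace of the `if` must be checked in the full webrev.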
Could the JBS title be made more descriptive? It's quite vague.
I wonder if "X509KeyManager class: " would be better for displaying.
createServerPossession would also benefit from this logging enhancement. I wonder if this belongs in logging during SSLContext creation time instead. Other security-dev engineers may have an opinion on that.
IIRC, there's another issue open where we iterate over the certificate contexts of custom tm/km types. The JDK src does it at the moment for the default tm/km, but no output is given for a custom impl. It will be good to have that tied up at some stage also.
I have changed the title to reflect the specific change made here.
I'll make changes in createServerPossession as well.
I have made the changes and attached the testing snapshots in a zip file attached to the bug description.
I have made changes to the log statement.
@@ -201,6 +201,10 @@ public static SSLPossession createPossession( | |||
private static SSLPossession createClientPossession( | |||
ClientHandshakeContext chc, String[] keyTypes) { | |||
X509ExtendedKeyManager km = chc.sslContext.getX509KeyManager(); | |||
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) { | |||
SSLLogger.finest("X509ExtendedKeyManager being used: " + | |||
(km == null ? "null" : km.getClass().getName())); |
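Review bot: the `km == null ? "null" : km.getClass().getName()` branch on the last added line is dead code if `chc.sslContext.getX509KeyManager()` never returns null (the discussion below confirms a dummy key manager is handed back even when the context was initialised with a null key manager); either drop the ternary and log `km.getClass().getName()` directly, or, if a guard is deliberately kept, log something more actionable than the literal string "null". The message prefix is also worth aligning with the shorter "X509KeyManager class: " proposed in review.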
Do you need to cater for null? I thought a Dummy manager is returned in such scenarios.
No, I did verify that it always returns the Dummy Manager even when the key manager is initialized as null. I have added this as a safety net. I'll remove it.
@pkumaraswamy This pull request has been inactive for more than 4 weeks and will be automatically closed if another 4 weeks passes without any activity. To avoid this, simply add a new comment to the pull request. Feel free to ask for assistance if you need help with progressing this pull request towards integration!
Adding a comment to avoid auto closure of the PR.
I have tested the latest changes and attached is the snapshot.
Looks good.
@pkumaraswamy This change now passes all automated pre-integration checks. ℹ️ This project also has non-automated pre-integration requirements. Please see the file CONTRIBUTING.md for details. After integration, the commit message for the final commit will be:
You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed. At the time when this comment was updated there had been no new commits pushed to the As you do not have Committer status in this project an existing Committer must agree to sponsor your change. Possible candidates are the reviewers of this PR (@coffeys) but any other Committer may sponsor as well. ➡️ To flag this PR as ready for integration with the above commit message, type /integrate
/integrate
@pkumaraswamy
/sponsor
@coffeys @pkumaraswamy Pushed as commit bdd1aeb. 💡 You may see a message that your pull request was closed with unmerged commits. This can be safely ignored.
During the time of server certificate validation, users have the flexibility to use a custom X509 Key Manager implementation by extending "X509ExtendedKeyManager".
In such cases, printing the class name in X509Authentication.java will be helpful to trace any failure of the SSL connection due to a certificate issue.
I've tested the code by running the custom X509 manager, the default X509 manager, and passing the null key manager.
The screenshots are attached here.
x509_log_testing.zip
Also, the internal test runs against this fix are green.