changeset 10702:f54a505bb7d0
8054037: Improve tracing for java.security.debug=certpath
8055207: keystore and truststore debug output could be much better
Reviewed-by: mullan, coffeys, jnimeh
--- a/src/share/classes/java/security/cert/X509CertSelector.java Fri Mar 20 17:07:15 2015 +0000
+++ b/src/share/classes/java/security/cert/X509CertSelector.java Fri Mar 20 17:55:06 2015 +0000
@@ -2574,8 +2574,10 @@
 } else {
 if (maxPathLen < basicConstraints) {
 if (debug != null) {
- debug.println("X509CertSelector.match: maxPathLen too small ("
- + maxPathLen + " < " + basicConstraints + ")");
+ debug.println("X509CertSelector.match: cert's maxPathLen "
+ + "is less than the min maxPathLen set by "
+ + "basicConstraints. "
+ + "(" + maxPathLen + " < " + basicConstraints + ")");
 }
 return false;
 }
--- a/src/share/classes/sun/security/provider/certpath/AdaptableX509CertSelector.java Fri Mar 20 17:07:15 2015 +0000
+++ b/src/share/classes/sun/security/provider/certpath/AdaptableX509CertSelector.java Fri Mar 20 17:55:06 2015 +0000
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2011, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2011, 2015, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -224,7 +224,8 @@
 if (extVal == null) {
 if (debug != null) {
 debug.println("AdaptableX509CertSelector.match: "
- + "no subject key ID extension");
+ + "no subject key ID extension. Subject: "
+ + xcert.getSubjectX500Principal());
 }
 return true;
 }
@@ -234,7 +235,9 @@
 !Arrays.equals(ski, certSubjectKeyID)) {
 if (debug != null) {
 debug.println("AdaptableX509CertSelector.match: "
- + "subject key IDs don't match");
+ + "subject key IDs don't match. "
+ + "Expected: " + Arrays.toString(ski) + " "
+ + "Cert's: " + Arrays.toString(certSubjectKeyID));
 }
 return false;
 }
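Review bot: In the third hunk `Arrays.toString(ski)` and `Arrays.toString(certSubjectKeyID)` render the two key identifiers as signed decimal byte lists, which cannot be compared by eye with the hex SKI/AKI values that keytool, openssl and the certificate's own `toString()` print, and which also differs from the hex convention this same changeset adopts for serial numbers via `Debug.toHexString`. A hex rendering of both arrays (a short local helper over `b & 0xff` is enough, since `Debug.toHexString` on the page takes a BigInteger) would make the mismatch directly actionable when diagnosing a failed path build. The enclosing `match` method starts and ends outside the hunk.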
--- a/src/share/classes/sun/security/provider/certpath/Builder.java Fri Mar 20 17:07:15 2015 +0000
+++ b/src/share/classes/sun/security/provider/certpath/Builder.java Fri Mar 20 17:55:06 2015 +0000
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -435,7 +435,12 @@
 if (selector.match(targetCert) && !X509CertImpl.isSelfSigned
 (targetCert, buildParams.sigProvider())) {
 if (debug != null) {
- debug.println("Builder.addMatchingCerts: adding target cert");
+ debug.println("Builder.addMatchingCerts: "
+ + "adding target cert"
+ + "\n SN: " + Debug.toHexString(
+ targetCert.getSerialNumber())
+ + "\n Subject: " + targetCert.getSubjectX500Principal()
+ + "\n Issuer: " + targetCert.getIssuerX500Principal());
 }
 return resultCerts.add(targetCert);
 }
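Review bot: The `"\n SN: " … "\n Subject: " … "\n Issuer: "` rendering added in the second hunk is repeated, with different line-wrapping each time, in DistributionPointFetcher.verifyCRL, ForwardBuilder.getMatchingCACerts and RevocationChecker.check in this same changeset, so the four debug sites will drift the first time one of them is touched. A single package-private helper would keep them identical and give every certpath diagnostic one place to extend; the call site here then reads `debug.println("Builder.addMatchingCerts: " + "adding target cert" + certSummary(targetCert));`. The enclosing method starts before and continues after the hunk.
```java
    /** Serial, subject and issuer of a certificate, one per line, for debug output. */
    static String certSummary(X509Certificate cert) {
        return "\n  SN: " + Debug.toHexString(cert.getSerialNumber())
            + "\n  Subject: " + cert.getSubjectX500Principal()
            + "\n  Issuer: " + cert.getIssuerX500Principal();
    }
    // … unchanged: addMatchingCerts up to the debug block …
                debug.println("Builder.addMatchingCerts: "
                    + "adding target cert" + certSummary(targetCert));
```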
--- a/src/share/classes/sun/security/provider/certpath/ConstraintsChecker.java Fri Mar 20 17:07:15 2015 +0000
+++ b/src/share/classes/sun/security/provider/certpath/ConstraintsChecker.java Fri Mar 20 17:55:06 2015 +0000
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -145,8 +145,8 @@
 if (prevNC != null && ((i == certPathLength) ||
 !X509CertImpl.isSelfIssued(currCert))) {
 if (debug != null) {
- debug.println("prevNC = " + prevNC);
- debug.println("currDN = " + currCert.getSubjectX500Principal());
+ debug.println("prevNC = " + prevNC +
+ ", currDN = " + currCert.getSubjectX500Principal());
 }
 try {
@@ -184,8 +184,8 @@
 currCertImpl.getNameConstraintsExtension();
 if (debug != null) {
- debug.println("prevNC = " + prevNC);
- debug.println("newNC = " + String.valueOf(newConstraints));
+ debug.println("prevNC = " + prevNC +
+ ", newNC = " + String.valueOf(newConstraints));
 }
 // if there are no previous name constraints, we just return the
@@ -225,8 +225,8 @@
 String msg = "basic constraints";
 if (debug != null) {
 debug.println("---checking " + msg + "...");
- debug.println("i = " + i);
- debug.println("maxPathLength = " + maxPathLength);
+ debug.println("i = " + i +
+ ", maxPathLength = " + maxPathLength);
 }
 /* check if intermediate cert */
--- a/src/share/classes/sun/security/provider/certpath/DistributionPointFetcher.java Fri Mar 20 17:07:15 2015 +0000
+++ b/src/share/classes/sun/security/provider/certpath/DistributionPointFetcher.java Fri Mar 20 17:55:06 2015 +0000
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2002, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2015, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -320,6 +320,14 @@
 Set<TrustAnchor> trustAnchors,
 List<CertStore> certStores,
 Date validity) throws CRLException, IOException {
+ if (debug != null) {
+ debug.println("DistributionPointFetcher.verifyCRL: "
+ + "checking revocation status for"
+ + "\n SN: " + Debug.toHexString(certImpl.getSerialNumber())
+ + "\n Subject: " + certImpl.getSubjectX500Principal()
+ + "\n Issuer: " + certImpl.getIssuerX500Principal());
+ }
+
 boolean indirectCRL = false;
 X509CRLImpl crlImpl = X509CRLImpl.toImpl(crl);
 IssuingDistributionPointExtension idpExt =
@@ -363,7 +371,9 @@
 }
 } else if (crlIssuer.equals(certIssuer) == false) {
 if (debug != null) {
- debug.println("crl issuer does not equal cert issuer");
+ debug.println("crl issuer does not equal cert issuer.\n" +
+ "crl issuer: " + crlIssuer + "\n" +
+ "cert issuer: " + certIssuer);
 }
 return false;
 } else {
--- a/src/share/classes/sun/security/provider/certpath/ForwardBuilder.java Fri Mar 20 17:07:15 2015 +0000
+++ b/src/share/classes/sun/security/provider/certpath/ForwardBuilder.java Fri Mar 20 17:55:06 2015 +0000
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -209,7 +209,8 @@
 * getMatchingEECerts
 */
 if (debug != null) {
- debug.println("ForwardBuilder.getMatchingCACerts(): ca is target");
+ debug.println("ForwardBuilder.getMatchingCACerts(): "
+ + "the target is a CA");
 }
 if (caTargetSelector == null) {
@@ -291,8 +292,14 @@
 for (X509Certificate trustedCert : trustedCerts) {
 if (sel.match(trustedCert)) {
 if (debug != null) {
- debug.println("ForwardBuilder.getMatchingCACerts: "
- + "found matching trust anchor");
+ debug.println("ForwardBuilder.getMatchingCACerts: "
+ + "found matching trust anchor."
+ + "\n SN: " +
+ Debug.toHexString(trustedCert.getSerialNumber())
+ + "\n Subject: " +
+ trustedCert.getSubjectX500Principal()
+ + "\n Issuer: " +
+ trustedCert.getIssuerX500Principal());
 }
 if (caCerts.add(trustedCert) && !searchAllCertStores) {
 return;
--- a/src/share/classes/sun/security/provider/certpath/PKIXMasterCertPathValidator.java Fri Mar 20 17:07:15 2015 +0000
+++ b/src/share/classes/sun/security/provider/certpath/PKIXMasterCertPathValidator.java Fri Mar 20 17:55:06 2015 +0000
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -30,6 +30,7 @@
 import java.util.Collections;
 import java.util.List;
 import java.util.Set;
+import java.util.StringJoiner;
 import java.security.cert.CertPath;
 import java.security.cert.CertPathValidatorException;
 import java.security.cert.PKIXCertPathChecker;
@@ -88,20 +89,25 @@
 * current certificate of this loop to be the previous certificate
 * of the next loop. The state is initialized during first loop.
 */
- if (debug != null)
- debug.println("Checking cert" + (i+1) + " ...");
+ X509Certificate currCert = reversedCertList.get(i);
- X509Certificate currCert = reversedCertList.get(i);
+ if (debug != null) {
+ debug.println("Checking cert" + (i+1) + " - Subject: " +
+ currCert.getSubjectX500Principal());
+ }
+
 Set<String> unresCritExts = currCert.getCriticalExtensionOIDs();
 if (unresCritExts == null) {
 unresCritExts = Collections.<String>emptySet();
 }
 if (debug != null && !unresCritExts.isEmpty()) {
- debug.println("Set of critical extensions:");
+ StringJoiner joiner = new StringJoiner(", ", "{", "}");
 for (String oid : unresCritExts) {
- debug.println(oid);
+ joiner.add(oid);
 }
+ debug.println("Set of critical extensions: " +
+ joiner.toString());
 }
 for (int j = 0; j < certPathCheckers.size(); j++) {
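Review bot: In the third hunk the `StringJoiner` plus explicit `for` loop, together with the `java.util.StringJoiner` import added in the second hunk, can be replaced by the equally Java 8 `String.join`, and `joiner.toString()` is redundant inside a string concatenation. `debug.println("Set of critical extensions: {" + String.join(", ", unresCritExts) + "}");` yields the same `{oid1, oid2}` text for the non-empty set this branch is guarded on, and drops the import and the loop. The loop this code sits in starts and ends outside the hunk.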
--- a/src/share/classes/sun/security/provider/certpath/RevocationChecker.java Fri Mar 20 17:07:15 2015 +0000
+++ b/src/share/classes/sun/security/provider/certpath/RevocationChecker.java Fri Mar 20 17:55:06 2015 +0000
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2012, 2015, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -343,11 +343,17 @@
 PublicKey pubKey, boolean crlSignFlag)
 throws CertPathValidatorException
 {
+ if (debug != null) {
+ debug.println("RevocationChecker.check: checking cert" +
+ "\n SN: " + Debug.toHexString(xcert.getSerialNumber()) +
+ "\n Subject: " + xcert.getSubjectX500Principal() +
+ "\n Issuer: " + xcert.getIssuerX500Principal());
+ }
 try {
 if (onlyEE && xcert.getBasicConstraints() != -1) {
 if (debug != null) {
- debug.println("Skipping revocation check, not end " +
- "entity cert");
+ debug.println("Skipping revocation check; cert is not " +
+ "an end entity cert");
 }
 return;
 }
--- a/src/share/classes/sun/security/provider/certpath/SunCertPathBuilder.java Fri Mar 20 17:07:15 2015 +0000
+++ b/src/share/classes/sun/security/provider/certpath/SunCertPathBuilder.java Fri Mar 20 17:55:06 2015 +0000
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -136,7 +136,8 @@
 PKIXCertPathBuilderResult result = buildCertPath(false, adjList);
 if (result == null) {
 if (debug != null) {
- debug.println("SunCertPathBuilder.engineBuild: 2nd pass");
+ debug.println("SunCertPathBuilder.engineBuild: 2nd pass; " +
+ "try building again searching all certstores");
 }
 // try again
 adjList.clear();
--- a/src/share/classes/sun/security/ssl/ClientHandshaker.java Fri Mar 20 17:07:15 2015 +0000
+++ b/src/share/classes/sun/security/ssl/ClientHandshaker.java Fri Mar 20 17:55:06 2015 +0000
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1996, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2015, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -818,6 +818,11 @@
 } else {
 warningSE(Alerts.alert_no_certificate);
 }
+ if (debug != null && Debug.isOn("handshake")) {
+ System.out.println(
+ "Warning: no suitable certificate found - " +
+ "continuing without client authentication");
+ }
 }
 //
--- a/src/share/classes/sun/security/ssl/HandshakeMessage.java Fri Mar 20 17:07:15 2015 +0000
+++ b/src/share/classes/sun/security/ssl/HandshakeMessage.java Fri Mar 20 17:55:06 2015 +0000
@@ -492,11 +492,14 @@
 void print(PrintStream s) throws IOException {
 s.println("*** Certificate chain");
- if (debug != null && Debug.isOn("verbose")) {
- for (int i = 0; i < chain.length; i++)
+ if (chain.length == 0) {
+ s.println("<Empty>");
+ } else if (debug != null && Debug.isOn("verbose")) {
+ for (int i = 0; i < chain.length; i++) {
 s.println("chain [" + i + "] = " + chain[i]);
- s.println("***");
+ }
 }
+ s.println("***");
 }
 X509Certificate[] getCertificateChain() {
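Review bot: With the new `if` / `else if` in this hunk, a non-empty chain printed without `Debug.isOn("verbose")` produces only the two delimiter lines, so a one-certificate chain and a three-certificate chain look identical in the default handshake trace, while the empty case now gets its own `<Empty>` marker. A trailing `else { s.println("chain length = " + chain.length); }` would keep the non-verbose output self-describing at the cost of one line. The `print` method is complete within the hunk.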