8054037: Improve tracing for java.security.debug=certpath
8055207: keystore and truststore debug output could be much better
Reviewed-by: mullan, coffeys, jnimeh
--- a/jdk/src/java.base/share/classes/java/security/cert/X509CertSelector.java Tue Mar 03 08:49:13 2015 -0800
+++ b/jdk/src/java.base/share/classes/java/security/cert/X509CertSelector.java Tue Mar 03 14:16:49 2015 -0800
@@ -2574,8 +2574,10 @@
} else {
if (maxPathLen < basicConstraints) {
if (debug != null) {
- debug.println("X509CertSelector.match: maxPathLen too small ("
- + maxPathLen + " < " + basicConstraints + ")");
+ debug.println("X509CertSelector.match: cert's maxPathLen " +
+ "is less than the min maxPathLen set by " +
+ "basicConstraints. " +
+ "(" + maxPathLen + " < " + basicConstraints + ")");
}
return false;
}
--- a/jdk/src/java.base/share/classes/sun/security/provider/certpath/AdaptableX509CertSelector.java Tue Mar 03 08:49:13 2015 -0800
+++ b/jdk/src/java.base/share/classes/sun/security/provider/certpath/AdaptableX509CertSelector.java Tue Mar 03 14:16:49 2015 -0800
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2011, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2011, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -224,7 +224,8 @@
if (extVal == null) {
if (debug != null) {
debug.println("AdaptableX509CertSelector.match: "
- + "no subject key ID extension");
+ + "no subject key ID extension. Subject: "
+ + xcert.getSubjectX500Principal());
}
return true;
}
@@ -234,7 +235,9 @@
!Arrays.equals(ski, certSubjectKeyID)) {
if (debug != null) {
debug.println("AdaptableX509CertSelector.match: "
- + "subject key IDs don't match");
+ + "subject key IDs don't match. "
+ + "Expected: " + Arrays.toString(ski) + " "
+ + "Cert's: " + Arrays.toString(certSubjectKeyID));
}
return false;
}
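Review bot: The two new `Arrays.toString(...)` calls print the subject key identifiers as signed decimal bytes (e.g. `[-86, 12, ...]`), which cannot be compared by eye with the hex form that certificate tooling and the SKI/AKI extension dumps use, and which is also how this changeset formats serial numbers elsewhere (`Debug.toHexString`). If the `Debug` helper in scope here offers a byte-array hex formatter (the `sun.security.util.Debug` class has `toString(byte[])` in other JDK code, but I cannot see the imports of this file), use it for both values: `"Expected: " + Debug.toString(ski) + " Cert's: " + Debug.toString(certSubjectKeyID)`; otherwise a short local hex loop would do. Only identifiers are printed, so nothing sensitive is exposed at this debug level. The enclosing match() continues outside the hunk.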
--- a/jdk/src/java.base/share/classes/sun/security/provider/certpath/Builder.java Tue Mar 03 08:49:13 2015 -0800
+++ b/jdk/src/java.base/share/classes/sun/security/provider/certpath/Builder.java Tue Mar 03 14:16:49 2015 -0800
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -435,7 +435,12 @@
if (selector.match(targetCert) && !X509CertImpl.isSelfSigned
(targetCert, buildParams.sigProvider())) {
if (debug != null) {
- debug.println("Builder.addMatchingCerts: adding target cert");
+ debug.println("Builder.addMatchingCerts: " +
+ "adding target cert" +
+ "\n SN: " + Debug.toHexString(
+ targetCert.getSerialNumber()) +
+ "\n Subject: " + targetCert.getSubjectX500Principal() +
+ "\n Issuer: " + targetCert.getIssuerX500Principal());
}
return resultCerts.add(targetCert);
}
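Review bot: The SN/Subject/Issuer trio added here is the same hand-written `Debug.toHexString(getSerialNumber())` / `getSubjectX500Principal()` / `getIssuerX500Principal()` block that this changeset also adds in DistributionPointFetcher.verifyCRL, ForwardBuilder.getMatchingCACerts and RevocationChecker.check, and the four copies already differ in the punctuation before the first `\n SN:`. A single static helper (for example `Debug.certInfo(X509Certificate)` returning the three indented lines) would keep every certpath trace line grep-able by one label and stop the copies drifting; adding it to sun.security.util.Debug is outside this diff, so this is a suggestion for a follow-up rather than a blocker. The new lines print identifiers only, not key material, which is appropriate for debug output. addMatchingCerts begins before this hunk.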
--- a/jdk/src/java.base/share/classes/sun/security/provider/certpath/ConstraintsChecker.java Tue Mar 03 08:49:13 2015 -0800
+++ b/jdk/src/java.base/share/classes/sun/security/provider/certpath/ConstraintsChecker.java Tue Mar 03 14:16:49 2015 -0800
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -145,8 +145,8 @@
if (prevNC != null && ((i == certPathLength) ||
!X509CertImpl.isSelfIssued(currCert))) {
if (debug != null) {
- debug.println("prevNC = " + prevNC);
- debug.println("currDN = " + currCert.getSubjectX500Principal());
+ debug.println("prevNC = " + prevNC +
+ ", currDN = " + currCert.getSubjectX500Principal());
}
try {
@@ -184,8 +184,8 @@
currCertImpl.getNameConstraintsExtension();
if (debug != null) {
- debug.println("prevNC = " + prevNC);
- debug.println("newNC = " + String.valueOf(newConstraints));
+ debug.println("prevNC = " + prevNC +
+ ", newNC = " + String.valueOf(newConstraints));
}
// if there are no previous name constraints, we just return the
@@ -225,8 +225,8 @@
String msg = "basic constraints";
if (debug != null) {
debug.println("---checking " + msg + "...");
- debug.println("i = " + i);
- debug.println("maxPathLength = " + maxPathLength);
+ debug.println("i = " + i +
+ ", maxPathLength = " + maxPathLength);
}
/* check if intermediate cert */
--- a/jdk/src/java.base/share/classes/sun/security/provider/certpath/DistributionPointFetcher.java Tue Mar 03 08:49:13 2015 -0800
+++ b/jdk/src/java.base/share/classes/sun/security/provider/certpath/DistributionPointFetcher.java Tue Mar 03 14:16:49 2015 -0800
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2002, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -320,6 +320,14 @@
Set<TrustAnchor> trustAnchors, List<CertStore> certStores,
Date validity) throws CRLException, IOException {
+ if (debug != null) {
+ debug.println("DistributionPointFetcher.verifyCRL: " +
+ "checking revocation status for" +
+ "\n SN: " + Debug.toHexString(certImpl.getSerialNumber()) +
+ "\n Subject: " + certImpl.getSubjectX500Principal() +
+ "\n Issuer: " + certImpl.getIssuerX500Principal());
+ }
+
boolean indirectCRL = false;
X509CRLImpl crlImpl = X509CRLImpl.toImpl(crl);
IssuingDistributionPointExtension idpExt =
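Review bot: The new header at the top of verifyCRL identifies the certificate being checked but says nothing about which CRL is being tried, and since verifyCRL takes a specific CRL (and, judging by the parameter list cut off above the hunk, appears to be called once per distribution point and candidate CRL), the same three lines will repeat for every attempt on one certificate with no way to tell them apart. `crl` is in scope on the next line, so appending `"\n CRL issuer: " + crl.getIssuerX500Principal()` to the same println would make each attempt distinguishable; including the distribution point name as well, if that parameter is available here, would be better still. The remainder of verifyCRL continues outside the hunk.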
@@ -363,7 +371,9 @@
}
} else if (crlIssuer.equals(certIssuer) == false) {
if (debug != null) {
- debug.println("crl issuer does not equal cert issuer");
+ debug.println("crl issuer does not equal cert issuer.\n" +
+ "crl issuer: " + crlIssuer + "\n" +
+ "cert issuer: " + certIssuer);
}
return false;
} else {
--- a/jdk/src/java.base/share/classes/sun/security/provider/certpath/ForwardBuilder.java Tue Mar 03 08:49:13 2015 -0800
+++ b/jdk/src/java.base/share/classes/sun/security/provider/certpath/ForwardBuilder.java Tue Mar 03 14:16:49 2015 -0800
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -209,7 +209,8 @@
* getMatchingEECerts
*/
if (debug != null) {
- debug.println("ForwardBuilder.getMatchingCACerts(): ca is target");
+ debug.println("ForwardBuilder.getMatchingCACerts(): " +
+ "the target is a CA");
}
if (caTargetSelector == null) {
@@ -291,8 +292,14 @@
for (X509Certificate trustedCert : trustedCerts) {
if (sel.match(trustedCert)) {
if (debug != null) {
- debug.println("ForwardBuilder.getMatchingCACerts: "
- + "found matching trust anchor");
+ debug.println("ForwardBuilder.getMatchingCACerts: " +
+ "found matching trust anchor." +
+ "\n SN: " +
+ Debug.toHexString(trustedCert.getSerialNumber()) +
+ "\n Subject: " +
+ trustedCert.getSubjectX500Principal() +
+ "\n Issuer: " +
+ trustedCert.getIssuerX500Principal());
}
if (caCerts.add(trustedCert) && !searchAllCertStores) {
return;
--- a/jdk/src/java.base/share/classes/sun/security/provider/certpath/PKIXMasterCertPathValidator.java Tue Mar 03 08:49:13 2015 -0800
+++ b/jdk/src/java.base/share/classes/sun/security/provider/certpath/PKIXMasterCertPathValidator.java Tue Mar 03 14:16:49 2015 -0800
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -30,6 +30,7 @@
import java.util.Collections;
import java.util.List;
import java.util.Set;
+import java.util.StringJoiner;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidatorException;
import java.security.cert.PKIXCertPathChecker;
@@ -88,20 +89,25 @@
* current certificate of this loop to be the previous certificate
* of the next loop. The state is initialized during first loop.
*/
- if (debug != null)
- debug.println("Checking cert" + (i+1) + " ...");
+ X509Certificate currCert = reversedCertList.get(i);
- X509Certificate currCert = reversedCertList.get(i);
+ if (debug != null) {
+ debug.println("Checking cert" + (i+1) + " - Subject: " +
+ currCert.getSubjectX500Principal());
+ }
+
Set<String> unresCritExts = currCert.getCriticalExtensionOIDs();
if (unresCritExts == null) {
unresCritExts = Collections.<String>emptySet();
}
if (debug != null && !unresCritExts.isEmpty()) {
- debug.println("Set of critical extensions:");
+ StringJoiner joiner = new StringJoiner(", ", "{", "}");
for (String oid : unresCritExts) {
- debug.println(oid);
+ joiner.add(oid);
}
+ debug.println("Set of critical extensions: " +
+ joiner.toString());
}
for (int j = 0; j < certPathCheckers.size(); j++) {
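Review bot: `"Checking cert" + (i+1) + " - Subject: "` on the rewritten line still prints `Checking cert1 - Subject: ...` with no space between the word and the index; since the line is being reworked anyway, `debug.println("Checking cert " + (i+1) + " - Subject: " + currCert.getSubjectX500Principal());` reads better and is easier to grep for. Hoisting the `currCert` assignment above the debug block is necessary and correct, because the new message dereferences it. Nit: `"Set of critical extensions: " + joiner` is equivalent to the explicit `joiner.toString()`. The enclosing for loop starts and ends outside the hunk.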
--- a/jdk/src/java.base/share/classes/sun/security/provider/certpath/RevocationChecker.java Tue Mar 03 08:49:13 2015 -0800
+++ b/jdk/src/java.base/share/classes/sun/security/provider/certpath/RevocationChecker.java Tue Mar 03 14:16:49 2015 -0800
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2012, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2012, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -343,11 +343,17 @@
PublicKey pubKey, boolean crlSignFlag)
throws CertPathValidatorException
{
+ if (debug != null) {
+ debug.println("RevocationChecker.check: checking cert" +
+ "\n SN: " + Debug.toHexString(xcert.getSerialNumber()) +
+ "\n Subject: " + xcert.getSubjectX500Principal() +
+ "\n Issuer: " + xcert.getIssuerX500Principal());
+ }
try {
if (onlyEE && xcert.getBasicConstraints() != -1) {
if (debug != null) {
- debug.println("Skipping revocation check, not end " +
- "entity cert");
+ debug.println("Skipping revocation check; cert is not " +
+ "an end entity cert");
}
return;
}
--- a/jdk/src/java.base/share/classes/sun/security/provider/certpath/SunCertPathBuilder.java Tue Mar 03 08:49:13 2015 -0800
+++ b/jdk/src/java.base/share/classes/sun/security/provider/certpath/SunCertPathBuilder.java Tue Mar 03 14:16:49 2015 -0800
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -136,7 +136,8 @@
PKIXCertPathBuilderResult result = buildCertPath(false, adjList);
if (result == null) {
if (debug != null) {
- debug.println("SunCertPathBuilder.engineBuild: 2nd pass");
+ debug.println("SunCertPathBuilder.engineBuild: 2nd pass; " +
+ "try building again searching all certstores");
}
// try again
adjList.clear();
--- a/jdk/src/java.base/share/classes/sun/security/ssl/ClientHandshaker.java Tue Mar 03 08:49:13 2015 -0800
+++ b/jdk/src/java.base/share/classes/sun/security/ssl/ClientHandshaker.java Tue Mar 03 14:16:49 2015 -0800
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1996, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -818,6 +818,11 @@
} else {
warningSE(Alerts.alert_no_certificate);
}
+ if (debug != null && Debug.isOn("handshake")) {
+ System.out.println(
+ "Warning: no suitable certificate found - " +
+ "continuing without client authentication");
+ }
}
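Review bot: The new warning says the client is "continuing without client authentication", which a reader debugging a mutual-TLS failure can take to mean the handshake will succeed, whereas a server that requires client authentication will typically abort the handshake on its side once it sees no certificate. Suggest `"Warning: no suitable certificate found - continuing without client authentication; a server that requires it may reject the handshake"`. If the key types and issuer names from the server's CertificateRequest are still in scope at this point (I cannot see the start of the enclosing block), printing them here would tell the user why nothing matched, which is the question this trace is meant to answer. The enclosing if/else begins outside the hunk.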
//
--- a/jdk/src/java.base/share/classes/sun/security/ssl/HandshakeMessage.java Tue Mar 03 08:49:13 2015 -0800
+++ b/jdk/src/java.base/share/classes/sun/security/ssl/HandshakeMessage.java Tue Mar 03 14:16:49 2015 -0800
@@ -492,11 +492,14 @@
void print(PrintStream s) throws IOException {
s.println("*** Certificate chain");
- if (debug != null && Debug.isOn("verbose")) {
- for (int i = 0; i < chain.length; i++)
+ if (chain.length == 0) {
+ s.println("<Empty>");
+ } else if (debug != null && Debug.isOn("verbose")) {
+ for (int i = 0; i < chain.length; i++) {
s.println("chain [" + i + "] = " + chain[i]);
- s.println("***");
+ }
}
+ s.println("***");
}
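Review bot: When the chain is non-empty and `verbose` is off, the rewritten print() now emits only `*** Certificate chain` followed immediately by `***`, so a default handshake trace cannot distinguish a one-certificate chain from a ten-certificate one. A cheap improvement is an `else` branch after the verbose block: `} else { s.println("chain length = " + chain.length); }`. Moving `s.println("***")` out of the verbose condition is the right call — in the old code the block was left unterminated whenever verbose was off. The method is complete within the hunk.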
X509Certificate[] getCertificateChain() {