8056026: Debug security logging should print Provider used for each crypto operation
authorvinnie
Thu, 25 Sep 2014 12:24:19 +0100
changeset 26736 5a93000b26cd
parent 26735 4502faa0cc22
child 26758 e4e2ba08614b
8056026: Debug security logging should print Provider used for each crypto operation Reviewed-by: mullan
jdk/src/java.base/share/classes/java/security/KeyPairGenerator.java
jdk/src/java.base/share/classes/java/security/KeyStore.java
jdk/src/java.base/share/classes/java/security/MessageDigest.java
jdk/src/java.base/share/classes/java/security/SecureRandom.java
jdk/src/java.base/share/classes/java/security/Signature.java
jdk/src/java.base/share/classes/javax/crypto/Cipher.java
jdk/src/java.base/share/classes/javax/crypto/KeyAgreement.java
jdk/src/java.base/share/classes/javax/crypto/KeyGenerator.java
jdk/src/java.base/share/classes/javax/crypto/Mac.java
jdk/src/java.base/share/classes/sun/security/util/Debug.java
--- a/jdk/src/java.base/share/classes/java/security/KeyPairGenerator.java	Thu Sep 25 13:03:27 2014 +0200
+++ b/jdk/src/java.base/share/classes/java/security/KeyPairGenerator.java	Thu Sep 25 12:24:19 2014 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2014, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -33,6 +33,7 @@
 
 import sun.security.jca.*;
 import sun.security.jca.GetInstance.Instance;
+import sun.security.util.Debug;
 
 /**
  * The KeyPairGenerator class is used to generate pairs of
@@ -126,6 +127,11 @@
 
 public abstract class KeyPairGenerator extends KeyPairGeneratorSpi {
 
+    private static final Debug pdebug =
+                        Debug.getInstance("provider", "Provider");
+    private static final boolean skipDebug =
+        Debug.isOn("engine=") && !Debug.isOn("keypairgenerator");
+
     private final String algorithm;
 
     // The provider
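Review bot: The meaning of `skipDebug` is not self-evident from its initializer on the lines above, and the same two-field preamble is repeated with only the engine token changed in KeyStore, MessageDigest, SecureRandom, Signature, Cipher, KeyAgreement, KeyGenerator and Mac. A short comment above the pair would help the next reader, e.g. `// pdebug is null unless "provider" debugging is on; skipDebug is true when the debug string narrows provider output to an engine= list that does not name this engine.` As far as I recall, Debug.isOn is a substring match over the whole lower-cased java.security.debug value rather than just the engine= portion, so the comment should say so once that is confirmed. Centralizing the pair in a small Debug helper would avoid nine copies, but that is optional.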
@@ -167,6 +173,12 @@
             kpg = new Delegate(spi, algorithm);
         }
         kpg.provider = instance.provider;
+
+        if (!skipDebug && pdebug != null) {
+            pdebug.println("KeyPairGenerator." + algorithm +
+                " algorithm from: " + kpg.provider.getName());
+        }
+
         return kpg;
     }
 
@@ -557,6 +569,11 @@
             provider = instance.provider;
             this.serviceIterator = serviceIterator;
             initType = I_NONE;
+
+            if (!skipDebug && pdebug != null) {
+                pdebug.println("KeyPairGenerator." + algorithm +
+                    " algorithm from: " + provider.getName());
+            }
         }
 
         /**
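Review bot: The provider name printed in this Delegate constructor may not be the provider that eventually generates the key pair: the constructor stores `serviceIterator` and leaves `initType = I_NONE`, which suggests the real provider is selected lazily (and possibly replaced on failover) when initialize() runs, so the message belongs at that selection point instead of, or in addition to, here. The constructor's signature is outside the hunk, so I cannot confirm the failover path from this view; if the Delegate does re-select, a line under the same guard at that point, `pdebug.println("KeyPairGenerator." + algorithm + " algorithm from: " + provider.getName());`, keeps the log truthful. The same question applies to KeyGenerator's private `KeyGenerator(String algorithm)` constructor, which the existing comment `// see java.security.KeyPairGenerator for failover notes` ties to the same mechanism. Signature, Cipher, Mac and KeyAgreement avoid the issue by logging after init.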
--- a/jdk/src/java.base/share/classes/java/security/KeyStore.java	Thu Sep 25 13:03:27 2014 +0200
+++ b/jdk/src/java.base/share/classes/java/security/KeyStore.java	Thu Sep 25 12:24:19 2014 +0100
@@ -37,6 +37,8 @@
 import javax.security.auth.DestroyFailedException;
 import javax.security.auth.callback.*;
 
+import sun.security.util.Debug;
+
 /**
  * This class represents a storage facility for cryptographic
  * keys and certificates.
@@ -177,6 +179,11 @@
 
 public class KeyStore {
 
+    private static final Debug pdebug =
+                        Debug.getInstance("provider", "Provider");
+    private static final boolean skipDebug =
+        Debug.isOn("engine=") && !Debug.isOn("keystore");
+
     /*
      * Constant to lookup in the Security properties file to determine
      * the default keystore type.
@@ -801,6 +808,11 @@
         this.keyStoreSpi = keyStoreSpi;
         this.provider = provider;
         this.type = type;
+
+        if (!skipDebug && pdebug != null) {
+            pdebug.println("KeyStore." + type.toUpperCase() + " type from: " +
+                this.provider.getName());
+        }
     }
 
     /**
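Review bot: `type.toUpperCase()` on the new println is locale-sensitive; under a Turkish default locale a type name containing a lowercase `i` is rendered with a dotted capital I, so the logged name can differ from the one the provider registered. Use `type.toUpperCase(Locale.ROOT)` (or `Locale.ENGLISH`, whichever this file already uses for type names), adding the `java.util.Locale` import if it is not already present. The constructor's signature is outside the hunk.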
--- a/jdk/src/java.base/share/classes/java/security/MessageDigest.java	Thu Sep 25 13:03:27 2014 +0200
+++ b/jdk/src/java.base/share/classes/java/security/MessageDigest.java	Thu Sep 25 12:24:19 2014 +0100
@@ -35,6 +35,8 @@
 
 import java.nio.ByteBuffer;
 
+import sun.security.util.Debug;
+
 /**
  * This MessageDigest class provides applications the functionality of a
  * message digest algorithm, such as SHA-1 or SHA-256.
@@ -103,6 +105,11 @@
 
 public abstract class MessageDigest extends MessageDigestSpi {
 
+    private static final Debug pdebug =
+                        Debug.getInstance("provider", "Provider");
+    private static final boolean skipDebug =
+        Debug.isOn("engine=") && !Debug.isOn("messagedigest");
+
     private String algorithm;
 
     // The state of this digest
@@ -156,18 +163,23 @@
     public static MessageDigest getInstance(String algorithm)
     throws NoSuchAlgorithmException {
         try {
+            MessageDigest md;
             Object[] objs = Security.getImpl(algorithm, "MessageDigest",
                                              (String)null);
             if (objs[0] instanceof MessageDigest) {
-                MessageDigest md = (MessageDigest)objs[0];
-                md.provider = (Provider)objs[1];
-                return md;
+                md = (MessageDigest)objs[0];
             } else {
-                MessageDigest delegate =
-                    new Delegate((MessageDigestSpi)objs[0], algorithm);
-                delegate.provider = (Provider)objs[1];
-                return delegate;
+                md = new Delegate((MessageDigestSpi)objs[0], algorithm);
             }
+            md.provider = (Provider)objs[1];
+
+            if (!skipDebug && pdebug != null) {
+                pdebug.println("MessageDigest." + algorithm +
+                    " algorithm from: " + md.provider.getName());
+            }
+
+            return md;
+
         } catch(NoSuchProviderException e) {
             throw new NoSuchAlgorithmException(algorithm + " not found");
         }
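Review bot: Only this no-provider `getInstance(String)` overload gets the provider println; the diff touches no other MessageDigest method, so instances created through the provider-qualified getInstance overloads (present in the other engine classes and, as far as I recall, here too) would stay silent, unlike KeyStore and SecureRandom where the commit logs from the shared constructor. Moving the guarded println into a private helper, e.g. `private static void logProvider(MessageDigest md, String algorithm)`, and calling it from every getInstance overload would make the coverage consistent. Hoisting `md.provider = (Provider)objs[1];` out of both branches is a good simplification. The method's closing brace is outside the hunk.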
--- a/jdk/src/java.base/share/classes/java/security/SecureRandom.java	Thu Sep 25 13:03:27 2014 +0200
+++ b/jdk/src/java.base/share/classes/java/security/SecureRandom.java	Thu Sep 25 12:24:19 2014 +0100
@@ -32,6 +32,7 @@
 
 import sun.security.jca.*;
 import sun.security.jca.GetInstance.Instance;
+import sun.security.util.Debug;
 
 /**
  * This class provides a cryptographically strong random number
@@ -93,6 +94,11 @@
 
 public class SecureRandom extends java.util.Random {
 
+    private static final Debug pdebug =
+                        Debug.getInstance("provider", "Provider");
+    private static final boolean skipDebug =
+        Debug.isOn("engine=") && !Debug.isOn("securerandom");
+
     /**
      * The provider.
      *
@@ -235,6 +241,11 @@
         this.secureRandomSpi = secureRandomSpi;
         this.provider = provider;
         this.algorithm = algorithm;
+
+        if (!skipDebug && pdebug != null) {
+            pdebug.println("SecureRandom." + algorithm +
+                " algorithm from: " + this.provider.getName());
+        }
     }
 
     /**
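Review bot: Logging from this three-argument constructor covers the getInstance paths, but if the public `SecureRandom()` and `SecureRandom(byte[])` constructors select their default PRNG through a separate helper that assigns `secureRandomSpi`, `provider` and `algorithm` directly (as I recall this file does; the code is not in the hunk), the most common way applications obtain a SecureRandom would print nothing under provider debugging. If so, the same guarded println belongs at the end of that default-selection path as well. The constructor's signature is outside the hunk.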
--- a/jdk/src/java.base/share/classes/java/security/Signature.java	Thu Sep 25 13:03:27 2014 +0200
+++ b/jdk/src/java.base/share/classes/java/security/Signature.java	Thu Sep 25 12:24:19 2014 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1996, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2014, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -121,6 +121,11 @@
     private static final Debug debug =
                         Debug.getInstance("jca", "Signature");
 
+    private static final Debug pdebug =
+                        Debug.getInstance("provider", "Provider");
+    private static final boolean skipDebug =
+        Debug.isOn("engine=") && !Debug.isOn("signature");
+
     /*
      * The algorithm for this signature object.
      * This value is used to map an OID to the particular algorithm.
@@ -451,6 +456,11 @@
             throws InvalidKeyException {
         engineInitVerify(publicKey);
         state = VERIFY;
+
+        if (!skipDebug && pdebug != null) {
+            pdebug.println("Signature." + algorithm +
+                " verification algorithm from: " + this.provider.getName());
+        }
     }
 
     /**
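Review bot: The same five-line guarded println is pasted into all four Signature init methods (this hunk and the three that follow) with only the word "verification"/"signing" varying, and the pattern recurs in Cipher's four init overloads, KeyAgreement's two init methods, Mac's two init methods and KeyGenerator's two constructors. A private helper per class keeps the message format and the guard in one place so they cannot drift between overloads; for Signature it would look like the sketch below, with each init ending in `debugInitProvider("verification");` or `debugInitProvider("signing");`. The enclosing initVerify(PublicKey) starts outside the hunk.
```java
    /** Prints the provider backing this Signature when provider debugging is enabled. */
    private void debugInitProvider(String operation) {
        if (!skipDebug && pdebug != null) {
            pdebug.println("Signature." + algorithm + " " + operation +
                " algorithm from: " + this.provider.getName());
        }
    }
    // … unchanged: initVerify/initSign bodies, each ending with a debugInitProvider(...) call …
```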
@@ -495,6 +505,11 @@
         PublicKey publicKey = certificate.getPublicKey();
         engineInitVerify(publicKey);
         state = VERIFY;
+
+        if (!skipDebug && pdebug != null) {
+            pdebug.println("Signature." + algorithm +
+                " verification algorithm from: " + this.provider.getName());
+        }
     }
 
     /**
@@ -511,6 +526,11 @@
             throws InvalidKeyException {
         engineInitSign(privateKey);
         state = SIGN;
+
+        if (!skipDebug && pdebug != null) {
+            pdebug.println("Signature." + algorithm +
+                " signing algorithm from: " + this.provider.getName());
+        }
     }
 
     /**
@@ -529,6 +549,11 @@
             throws InvalidKeyException {
         engineInitSign(privateKey, random);
         state = SIGN;
+
+        if (!skipDebug && pdebug != null) {
+            pdebug.println("Signature." + algorithm +
+                " signing algorithm from: " + this.provider.getName());
+        }
     }
 
     /**
--- a/jdk/src/java.base/share/classes/javax/crypto/Cipher.java	Thu Sep 25 13:03:27 2014 +0200
+++ b/jdk/src/java.base/share/classes/javax/crypto/Cipher.java	Thu Sep 25 12:24:19 2014 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2014, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -167,6 +167,11 @@
     private static final Debug debug =
                         Debug.getInstance("jca", "Cipher");
 
+    private static final Debug pdebug =
+                        Debug.getInstance("provider", "Provider");
+    private static final boolean skipDebug =
+        Debug.isOn("engine=") && !Debug.isOn("cipher");
+
     /**
      * Constant used to initialize cipher to encryption mode.
      */
@@ -1110,6 +1115,21 @@
         }
     }
 
+    private static String getOpmodeString(int opmode) {
+        switch (opmode) {
+            case ENCRYPT_MODE:
+                return "encryption";
+            case DECRYPT_MODE:
+                return "decryption";
+            case WRAP_MODE:
+                return "key wrapping";
+            case UNWRAP_MODE:
+                return "key unwrapping";
+            default:
+                return "";
+        }
+    }
+
     /**
      * Initializes this cipher with a key.
      *
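Review bot: `getOpmodeString` returns `""` for an unrecognised opmode, which would yield a log line with two consecutive spaces (`Cipher.<transformation>  algorithm from: …`) and no hint of what was wrong; if init() validates opmode before the println is reached (checkOpmode is not visible in these hunks) the branch is unreachable, but a self-describing fallback such as `return "opmode " + opmode;` costs nothing and keeps the line diagnosable. The helper also has no comment; `// Human-readable name of an init() opmode for the provider debug message.` above it would do.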
@@ -1235,6 +1255,12 @@
 
         initialized = true;
         this.opmode = opmode;
+
+        if (!skipDebug && pdebug != null) {
+            pdebug.println("Cipher." + transformation + " " +
+                getOpmodeString(opmode) + " algorithm from: " +
+                this.provider.getName());
+        }
     }
 
     /**
@@ -1372,6 +1398,12 @@
 
         initialized = true;
         this.opmode = opmode;
+
+        if (!skipDebug && pdebug != null) {
+            pdebug.println("Cipher." + transformation + " " +
+                getOpmodeString(opmode) + " algorithm from: " +
+                this.provider.getName());
+        }
     }
 
     /**
@@ -1509,6 +1541,12 @@
 
         initialized = true;
         this.opmode = opmode;
+
+        if (!skipDebug && pdebug != null) {
+            pdebug.println("Cipher." + transformation + " " +
+                getOpmodeString(opmode) + " algorithm from: " +
+                this.provider.getName());
+        }
     }
 
     /**
@@ -1693,6 +1731,12 @@
 
         initialized = true;
         this.opmode = opmode;
+
+        if (!skipDebug && pdebug != null) {
+            pdebug.println("Cipher." + transformation + " " +
+                getOpmodeString(opmode) + " algorithm from: " +
+                this.provider.getName());
+        }
     }
 
     /**
--- a/jdk/src/java.base/share/classes/javax/crypto/KeyAgreement.java	Thu Sep 25 13:03:27 2014 +0200
+++ b/jdk/src/java.base/share/classes/javax/crypto/KeyAgreement.java	Thu Sep 25 12:24:19 2014 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2014, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -78,6 +78,11 @@
     private static final Debug debug =
                         Debug.getInstance("jca", "KeyAgreement");
 
+    private static final Debug pdebug =
+                        Debug.getInstance("provider", "Provider");
+    private static final boolean skipDebug =
+        Debug.isOn("engine=") && !Debug.isOn("keyagreement");
+
     // The provider
     private Provider provider;
 
@@ -468,6 +473,11 @@
                 throw new InvalidKeyException(e);
             }
         }
+
+        if (!skipDebug && pdebug != null) {
+            pdebug.println("KeyAgreement." + algorithm + " algorithm from: " +
+                this.provider.getName());
+        }
     }
 
     /**
@@ -524,6 +534,11 @@
         } else {
             chooseProvider(I_PARAMS, key, params, random);
         }
+
+        if (!skipDebug && pdebug != null) {
+            pdebug.println("KeyAgreement." + algorithm + " algorithm from: " +
+                this.provider.getName());
+        }
     }
 
     /**
--- a/jdk/src/java.base/share/classes/javax/crypto/KeyGenerator.java	Thu Sep 25 13:03:27 2014 +0200
+++ b/jdk/src/java.base/share/classes/javax/crypto/KeyGenerator.java	Thu Sep 25 12:24:19 2014 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2014, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -33,6 +33,7 @@
 
 import sun.security.jca.*;
 import sun.security.jca.GetInstance.Instance;
+import sun.security.util.Debug;
 
 /**
  * This class provides the functionality of a secret (symmetric) key generator.
@@ -108,6 +109,11 @@
 
 public class KeyGenerator {
 
+    private static final Debug pdebug =
+                        Debug.getInstance("provider", "Provider");
+    private static final boolean skipDebug =
+        Debug.isOn("engine=") && !Debug.isOn("keygenerator");
+
     // see java.security.KeyPairGenerator for failover notes
 
     private final static int I_NONE   = 1;
@@ -145,6 +151,11 @@
         this.spi = keyGenSpi;
         this.provider = provider;
         this.algorithm = algorithm;
+
+        if (!skipDebug && pdebug != null) {
+            pdebug.println("KeyGenerator." + algorithm + " algorithm from: " +
+                this.provider.getName());
+        }
     }
 
     private KeyGenerator(String algorithm) throws NoSuchAlgorithmException {
@@ -158,6 +169,11 @@
             throw new NoSuchAlgorithmException
                 (algorithm + " KeyGenerator not available");
         }
+
+        if (!skipDebug && pdebug != null) {
+            pdebug.println("KeyGenerator." + algorithm + " algorithm from: " +
+                this.provider.getName());
+        }
     }
 
     /**
--- a/jdk/src/java.base/share/classes/javax/crypto/Mac.java	Thu Sep 25 13:03:27 2014 +0200
+++ b/jdk/src/java.base/share/classes/javax/crypto/Mac.java	Thu Sep 25 12:24:19 2014 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1998, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1998, 2014, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -77,6 +77,11 @@
     private static final Debug debug =
                         Debug.getInstance("jca", "Mac");
 
+    private static final Debug pdebug =
+                        Debug.getInstance("provider", "Provider");
+    private static final boolean skipDebug =
+        Debug.isOn("engine=") && !Debug.isOn("mac");
+
     // The provider
     private Provider provider;
 
@@ -413,6 +418,11 @@
             throw new InvalidKeyException("init() failed", e);
         }
         initialized = true;
+
+        if (!skipDebug && pdebug != null) {
+            pdebug.println("Mac." + algorithm + " algorithm from: " +
+                this.provider.getName());
+        }
     }
 
     /**
@@ -435,6 +445,11 @@
             chooseProvider(key, params);
         }
         initialized = true;
+
+        if (!skipDebug && pdebug != null) {
+            pdebug.println("Mac." + algorithm + " algorithm from: " +
+                this.provider.getName());
+        }
     }
 
     /**
--- a/jdk/src/java.base/share/classes/sun/security/util/Debug.java	Thu Sep 25 13:03:27 2014 +0200
+++ b/jdk/src/java.base/share/classes/sun/security/util/Debug.java	Thu Sep 25 12:24:19 2014 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1998, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1998, 2014, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -104,7 +104,15 @@
         System.err.println("codebase=<URL>");
         System.err.println("              only dump output if specified codebase");
         System.err.println("              is being checked");
-
+        System.err.println();
+        System.err.println("The following can be used with provider:");
+        System.err.println();
+        System.err.println("engine=<engines>");
+        System.err.println("              only dump output for the specified list");
+        System.err.println("              of JCA engines. Supported values:");
+        System.err.println("              Cipher, KeyAgreement, KeyGenerator,");
+        System.err.println("              KeyPairGenerator, KeyStore, Mac,");
+        System.err.println("              MessageDigest, SecureRandom, Signature.");
         System.err.println();
         System.err.println("Note: Separate multiple options with a comma");
         System.exit(0);
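Review bot: The new help text lists the engine names in mixed case (`Cipher, KeyAgreement, …`) while the per-class checks added in this commit compare against lower-case tokens such as `Debug.isOn("cipher")`; that only works if the existing static initializer lower-cases the property value before matching (not shown in this hunk), so the help should state it, e.g. `System.err.println("              (names are case-insensitive)");`. It also does not say how several engines are written inside `engine=<engines>`, and the following `Note: Separate multiple options with a comma` is about options rather than the engine list; one more line with an example such as `engine=cipher,mac` would remove the ambiguity, assuming the substring-based matching accepts that form. The enclosing help method starts outside the hunk.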