changeset 11557:f7352b8a3cbf

8054037: Improve tracing for java.security.debug=certpath 8055207: keystore and truststore debug output could be much better Reviewed-by: mullan, coffeys, jnimeh
author juh
date Tue, 03 Mar 2015 14:16:49 -0800
parents c892d81d7bba
children 4503bd758762
files src/java.base/share/classes/java/security/cert/X509CertSelector.java src/java.base/share/classes/sun/security/provider/certpath/AdaptableX509CertSelector.java src/java.base/share/classes/sun/security/provider/certpath/Builder.java src/java.base/share/classes/sun/security/provider/certpath/ConstraintsChecker.java src/java.base/share/classes/sun/security/provider/certpath/DistributionPointFetcher.java src/java.base/share/classes/sun/security/provider/certpath/ForwardBuilder.java src/java.base/share/classes/sun/security/provider/certpath/PKIXMasterCertPathValidator.java src/java.base/share/classes/sun/security/provider/certpath/RevocationChecker.java src/java.base/share/classes/sun/security/provider/certpath/SunCertPathBuilder.java src/java.base/share/classes/sun/security/ssl/ClientHandshaker.java src/java.base/share/classes/sun/security/ssl/HandshakeMessage.java
diffstat 11 files changed, 83 insertions(+), 35 deletions(-) [+]
line wrap: on
line diff
--- a/src/java.base/share/classes/java/security/cert/X509CertSelector.java	Tue Mar 03 08:49:13 2015 -0800
+++ b/src/java.base/share/classes/java/security/cert/X509CertSelector.java	Tue Mar 03 14:16:49 2015 -0800
@@ -2574,8 +2574,10 @@
         } else {
             if (maxPathLen < basicConstraints) {
                 if (debug != null) {
-                    debug.println("X509CertSelector.match: maxPathLen too small ("
-                        + maxPathLen + " < " + basicConstraints + ")");
+                    debug.println("X509CertSelector.match: cert's maxPathLen " +
+                            "is less than the min maxPathLen set by " +
+                            "basicConstraints. " +
+                            "(" + maxPathLen + " < " + basicConstraints + ")");
                 }
                 return false;
             }
--- a/src/java.base/share/classes/sun/security/provider/certpath/AdaptableX509CertSelector.java	Tue Mar 03 08:49:13 2015 -0800
+++ b/src/java.base/share/classes/sun/security/provider/certpath/AdaptableX509CertSelector.java	Tue Mar 03 14:16:49 2015 -0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2011, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2011, 2015, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -224,7 +224,8 @@
             if (extVal == null) {
                 if (debug != null) {
                     debug.println("AdaptableX509CertSelector.match: "
-                        + "no subject key ID extension");
+                        + "no subject key ID extension. Subject: "
+                        + xcert.getSubjectX500Principal());
                 }
                 return true;
             }
@@ -234,7 +235,9 @@
                     !Arrays.equals(ski, certSubjectKeyID)) {
                 if (debug != null) {
                     debug.println("AdaptableX509CertSelector.match: "
-                        + "subject key IDs don't match");
+                        + "subject key IDs don't match. "
+                        + "Expected: " + Arrays.toString(ski) + " "
+                        + "Cert's: " + Arrays.toString(certSubjectKeyID));
                 }
                 return false;
             }
--- a/src/java.base/share/classes/sun/security/provider/certpath/Builder.java	Tue Mar 03 08:49:13 2015 -0800
+++ b/src/java.base/share/classes/sun/security/provider/certpath/Builder.java	Tue Mar 03 14:16:49 2015 -0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -435,7 +435,12 @@
             if (selector.match(targetCert) && !X509CertImpl.isSelfSigned
                 (targetCert, buildParams.sigProvider())) {
                 if (debug != null) {
-                    debug.println("Builder.addMatchingCerts: adding target cert");
+                    debug.println("Builder.addMatchingCerts: " +
+                        "adding target cert" +
+                        "\n  SN: " + Debug.toHexString(
+                                            targetCert.getSerialNumber()) +
+                        "\n  Subject: " + targetCert.getSubjectX500Principal() +
+                        "\n  Issuer: " + targetCert.getIssuerX500Principal());
                 }
                 return resultCerts.add(targetCert);
             }
--- a/src/java.base/share/classes/sun/security/provider/certpath/ConstraintsChecker.java	Tue Mar 03 08:49:13 2015 -0800
+++ b/src/java.base/share/classes/sun/security/provider/certpath/ConstraintsChecker.java	Tue Mar 03 14:16:49 2015 -0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -145,8 +145,8 @@
         if (prevNC != null && ((i == certPathLength) ||
                 !X509CertImpl.isSelfIssued(currCert))) {
             if (debug != null) {
-                debug.println("prevNC = " + prevNC);
-                debug.println("currDN = " + currCert.getSubjectX500Principal());
+                debug.println("prevNC = " + prevNC +
+                    ", currDN = " + currCert.getSubjectX500Principal());
             }
 
             try {
@@ -184,8 +184,8 @@
             currCertImpl.getNameConstraintsExtension();
 
         if (debug != null) {
-            debug.println("prevNC = " + prevNC);
-            debug.println("newNC = " + String.valueOf(newConstraints));
+            debug.println("prevNC = " + prevNC +
+                        ", newNC = " + String.valueOf(newConstraints));
         }
 
         // if there are no previous name constraints, we just return the
@@ -225,8 +225,8 @@
         String msg = "basic constraints";
         if (debug != null) {
             debug.println("---checking " + msg + "...");
-            debug.println("i = " + i);
-            debug.println("maxPathLength = " + maxPathLength);
+            debug.println("i = " + i +
+                        ", maxPathLength = " + maxPathLength);
         }
 
         /* check if intermediate cert */
--- a/src/java.base/share/classes/sun/security/provider/certpath/DistributionPointFetcher.java	Tue Mar 03 08:49:13 2015 -0800
+++ b/src/java.base/share/classes/sun/security/provider/certpath/DistributionPointFetcher.java	Tue Mar 03 14:16:49 2015 -0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2002, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2015, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -320,6 +320,14 @@
         Set<TrustAnchor> trustAnchors, List<CertStore> certStores,
         Date validity) throws CRLException, IOException {
 
+        if (debug != null) {
+            debug.println("DistributionPointFetcher.verifyCRL: " +
+                "checking revocation status for" +
+                "\n  SN: " + Debug.toHexString(certImpl.getSerialNumber()) +
+                "\n  Subject: " + certImpl.getSubjectX500Principal() +
+                "\n  Issuer: " + certImpl.getIssuerX500Principal());
+        }
+
         boolean indirectCRL = false;
         X509CRLImpl crlImpl = X509CRLImpl.toImpl(crl);
         IssuingDistributionPointExtension idpExt =
@@ -363,7 +371,9 @@
             }
         } else if (crlIssuer.equals(certIssuer) == false) {
             if (debug != null) {
-                debug.println("crl issuer does not equal cert issuer");
+                debug.println("crl issuer does not equal cert issuer.\n" +
+                              "crl issuer: " + crlIssuer + "\n" +
+                              "cert issuer: " + certIssuer);
             }
             return false;
         } else {
--- a/src/java.base/share/classes/sun/security/provider/certpath/ForwardBuilder.java	Tue Mar 03 08:49:13 2015 -0800
+++ b/src/java.base/share/classes/sun/security/provider/certpath/ForwardBuilder.java	Tue Mar 03 14:16:49 2015 -0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -209,7 +209,8 @@
              * getMatchingEECerts
              */
             if (debug != null) {
-                debug.println("ForwardBuilder.getMatchingCACerts(): ca is target");
+                debug.println("ForwardBuilder.getMatchingCACerts(): " +
+                              "the target is a CA");
             }
 
             if (caTargetSelector == null) {
@@ -291,8 +292,14 @@
         for (X509Certificate trustedCert : trustedCerts) {
             if (sel.match(trustedCert)) {
                 if (debug != null) {
-                    debug.println("ForwardBuilder.getMatchingCACerts: "
-                        + "found matching trust anchor");
+                    debug.println("ForwardBuilder.getMatchingCACerts: " +
+                        "found matching trust anchor." +
+                        "\n  SN: " +
+                            Debug.toHexString(trustedCert.getSerialNumber()) +
+                        "\n  Subject: " +
+                            trustedCert.getSubjectX500Principal() +
+                        "\n  Issuer: " +
+                            trustedCert.getIssuerX500Principal());
                 }
                 if (caCerts.add(trustedCert) && !searchAllCertStores) {
                     return;
--- a/src/java.base/share/classes/sun/security/provider/certpath/PKIXMasterCertPathValidator.java	Tue Mar 03 08:49:13 2015 -0800
+++ b/src/java.base/share/classes/sun/security/provider/certpath/PKIXMasterCertPathValidator.java	Tue Mar 03 14:16:49 2015 -0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -30,6 +30,7 @@
 import java.util.Collections;
 import java.util.List;
 import java.util.Set;
+import java.util.StringJoiner;
 import java.security.cert.CertPath;
 import java.security.cert.CertPathValidatorException;
 import java.security.cert.PKIXCertPathChecker;
@@ -88,20 +89,25 @@
              * current certificate of this loop to be the previous certificate
              * of the next loop. The state is initialized during first loop.
              */
-            if (debug != null)
-                debug.println("Checking cert" + (i+1) + " ...");
+            X509Certificate currCert = reversedCertList.get(i);
 
-            X509Certificate currCert = reversedCertList.get(i);
+            if (debug != null) {
+                debug.println("Checking cert" + (i+1) + " - Subject: " +
+                    currCert.getSubjectX500Principal());
+            }
+
             Set<String> unresCritExts = currCert.getCriticalExtensionOIDs();
             if (unresCritExts == null) {
                 unresCritExts = Collections.<String>emptySet();
             }
 
             if (debug != null && !unresCritExts.isEmpty()) {
-                debug.println("Set of critical extensions:");
+                StringJoiner joiner = new StringJoiner(", ", "{", "}");
                 for (String oid : unresCritExts) {
-                    debug.println(oid);
+                  joiner.add(oid);
                 }
+                debug.println("Set of critical extensions: " +
+                        joiner.toString());
             }
 
             for (int j = 0; j < certPathCheckers.size(); j++) {
--- a/src/java.base/share/classes/sun/security/provider/certpath/RevocationChecker.java	Tue Mar 03 08:49:13 2015 -0800
+++ b/src/java.base/share/classes/sun/security/provider/certpath/RevocationChecker.java	Tue Mar 03 14:16:49 2015 -0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2012, 2015, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -343,11 +343,17 @@
                        PublicKey pubKey, boolean crlSignFlag)
         throws CertPathValidatorException
     {
+        if (debug != null) {
+            debug.println("RevocationChecker.check: checking cert" +
+                "\n  SN: " + Debug.toHexString(xcert.getSerialNumber()) +
+                "\n  Subject: " + xcert.getSubjectX500Principal() +
+                "\n  Issuer: " + xcert.getIssuerX500Principal());
+        }
         try {
             if (onlyEE && xcert.getBasicConstraints() != -1) {
                 if (debug != null) {
-                    debug.println("Skipping revocation check, not end " +
-                                  "entity cert");
+                    debug.println("Skipping revocation check; cert is not " +
+                                  "an end entity cert");
                 }
                 return;
             }
--- a/src/java.base/share/classes/sun/security/provider/certpath/SunCertPathBuilder.java	Tue Mar 03 08:49:13 2015 -0800
+++ b/src/java.base/share/classes/sun/security/provider/certpath/SunCertPathBuilder.java	Tue Mar 03 14:16:49 2015 -0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -136,7 +136,8 @@
         PKIXCertPathBuilderResult result = buildCertPath(false, adjList);
         if (result == null) {
             if (debug != null) {
-                debug.println("SunCertPathBuilder.engineBuild: 2nd pass");
+                debug.println("SunCertPathBuilder.engineBuild: 2nd pass; " +
+                              "try building again searching all certstores");
             }
             // try again
             adjList.clear();
--- a/src/java.base/share/classes/sun/security/ssl/ClientHandshaker.java	Tue Mar 03 08:49:13 2015 -0800
+++ b/src/java.base/share/classes/sun/security/ssl/ClientHandshaker.java	Tue Mar 03 14:16:49 2015 -0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1996, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2015, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -818,6 +818,11 @@
                 } else {
                     warningSE(Alerts.alert_no_certificate);
                 }
+                if (debug != null && Debug.isOn("handshake")) {
+                    System.out.println(
+                        "Warning: no suitable certificate found - " +
+                        "continuing without client authentication");
+                }
             }
 
             //
--- a/src/java.base/share/classes/sun/security/ssl/HandshakeMessage.java	Tue Mar 03 08:49:13 2015 -0800
+++ b/src/java.base/share/classes/sun/security/ssl/HandshakeMessage.java	Tue Mar 03 14:16:49 2015 -0800
@@ -492,11 +492,14 @@
     void print(PrintStream s) throws IOException {
         s.println("*** Certificate chain");
 
-        if (debug != null && Debug.isOn("verbose")) {
-            for (int i = 0; i < chain.length; i++)
+        if (chain.length == 0) {
+            s.println("<Empty>");
+        } else if (debug != null && Debug.isOn("verbose")) {
+            for (int i = 0; i < chain.length; i++) {
                 s.println("chain [" + i + "] = " + chain[i]);
-            s.println("***");
+            }
         }
+        s.println("***");
     }
 
     X509Certificate[] getCertificateChain() {