8054037: Improve tracing for java.security.debug=certpath

8055207: keystore and truststore debug output could be much better Reviewed-by: mullan, coffeys, jnimeh

8054037: Improve tracing for java.security.debug=certpath
8055207: keystore and truststore debug output could be much better Reviewed-by: mullan, coffeys, jnimeh
ed36abb8 · juh · c53b4e20 · ed36abb8 · ed36abb8 · ed36abb8
11 changed file
--- a/src/share/classes/java/security/cert/X509CertSelector.java
+++ b/src/share/classes/java/security/cert/X509CertSelector.java
@@ -2574,8 +2574,10 @@ public class X509CertSelector implements CertSelector {
        } else {
            if (maxPathLen < basicConstraints) {
                if (debug != null) {
-                    debug.println("X509CertSelector.match: maxPathLen too small ("
+                    debug.println("X509CertSelector.match: cert's maxPathLen " +
-                        + maxPathLen + " < " + basicConstraints + ")");
+                            "is less than the min maxPathLen set by " +
+                            "basicConstraints. " +
+                            "(" + maxPathLen + " < " + basicConstraints + ")");
                }
                return false;
            }

--- a/src/share/classes/sun/security/provider/certpath/AdaptableX509CertSelector.java
+++ b/src/share/classes/sun/security/provider/certpath/AdaptableX509CertSelector.java
 /*
- * Copyright (c) 2011, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2011, 2015, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -224,7 +224,8 @@ class AdaptableX509CertSelector extends X509CertSelector {
            if (extVal == null) {
                if (debug != null) {
                    debug.println("AdaptableX509CertSelector.match: "
-                        + "no subject key ID extension");
+                        + "no subject key ID extension. Subject: "
+                        + xcert.getSubjectX500Principal());
                }
                return true;
            }
@@ -234,7 +235,9 @@ class AdaptableX509CertSelector extends X509CertSelector {
                    !Arrays.equals(ski, certSubjectKeyID)) {
                if (debug != null) {
                    debug.println("AdaptableX509CertSelector.match: "
-                        + "subject key IDs don't match");
+                        + "subject key IDs don't match. "
+                        + "Expected: " + Arrays.toString(ski) + " "
+                        + "Cert's: " + Arrays.toString(certSubjectKeyID));
                }
                return false;
            }

--- a/src/share/classes/sun/security/provider/certpath/Builder.java
+++ b/src/share/classes/sun/security/provider/certpath/Builder.java
 /*
- * Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -435,7 +435,12 @@ public abstract class Builder {
            if (selector.match(targetCert) && !X509CertImpl.isSelfSigned
                (targetCert, buildParams.sigProvider())) {
                if (debug != null) {
-                    debug.println("Builder.addMatchingCerts: adding target cert");
+                    debug.println("Builder.addMatchingCerts: " +
+                        "adding target cert" +
+                        "\n  SN: " + Debug.toHexString(
+                                            targetCert.getSerialNumber()) +
+                        "\n  Subject: " + targetCert.getSubjectX500Principal() +
+                        "\n  Issuer: " + targetCert.getIssuerX500Principal());
                }
                return resultCerts.add(targetCert);
            }

--- a/src/share/classes/sun/security/provider/certpath/ConstraintsChecker.java
+++ b/src/share/classes/sun/security/provider/certpath/ConstraintsChecker.java
 /*
- * Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -145,8 +145,8 @@ class ConstraintsChecker extends PKIXCertPathChecker {
        if (prevNC != null && ((i == certPathLength) ||
                !X509CertImpl.isSelfIssued(currCert))) {
            if (debug != null) {
-                debug.println("prevNC = " + prevNC);
+                debug.println("prevNC = " + prevNC +
-                debug.println("currDN = " + currCert.getSubjectX500Principal());
+                    ", currDN = " + currCert.getSubjectX500Principal());
            }
            try {
@@ -184,8 +184,8 @@ class ConstraintsChecker extends PKIXCertPathChecker {
            currCertImpl.getNameConstraintsExtension();
        if (debug != null) {
-            debug.println("prevNC = " + prevNC);
+            debug.println("prevNC = " + prevNC +
-            debug.println("newNC = " + String.valueOf(newConstraints));
+                        ", newNC = " + String.valueOf(newConstraints));
        }
        // if there are no previous name constraints, we just return the
@@ -225,8 +225,8 @@ class ConstraintsChecker extends PKIXCertPathChecker {
        String msg = "basic constraints";
        if (debug != null) {
            debug.println("---checking " + msg + "...");
-            debug.println("i = " + i);
+            debug.println("i = " + i +
-            debug.println("maxPathLength = " + maxPathLength);
+                        ", maxPathLength = " + maxPathLength);
        }
        /* check if intermediate cert */

--- a/src/share/classes/sun/security/provider/certpath/DistributionPointFetcher.java
+++ b/src/share/classes/sun/security/provider/certpath/DistributionPointFetcher.java
 /*
- * Copyright (c) 2002, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2015, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -320,6 +320,14 @@ public class DistributionPointFetcher {
        Set<TrustAnchor> trustAnchors, List<CertStore> certStores,
        Date validity) throws CRLException, IOException {
+        if (debug != null) {
+            debug.println("DistributionPointFetcher.verifyCRL: " +
+                "checking revocation status for" +
+                "\n  SN: " + Debug.toHexString(certImpl.getSerialNumber()) +
+                "\n  Subject: " + certImpl.getSubjectX500Principal() +
+                "\n  Issuer: " + certImpl.getIssuerX500Principal());
+        }
        boolean indirectCRL = false;
        X509CRLImpl crlImpl = X509CRLImpl.toImpl(crl);
        IssuingDistributionPointExtension idpExt =
@@ -363,7 +371,9 @@ public class DistributionPointFetcher {
            }
        } else if (crlIssuer.equals(certIssuer) == false) {
            if (debug != null) {
-                debug.println("crl issuer does not equal cert issuer");
+                debug.println("crl issuer does not equal cert issuer.\n" +
+                              "crl issuer: " + crlIssuer + "\n" +
+                              "cert issuer: " + certIssuer);
            }
            return false;
        } else {

--- a/src/share/classes/sun/security/provider/certpath/ForwardBuilder.java
+++ b/src/share/classes/sun/security/provider/certpath/ForwardBuilder.java
 /*
- * Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -209,7 +209,8 @@ class ForwardBuilder extends Builder {
             * getMatchingEECerts
             */
            if (debug != null) {
-                debug.println("ForwardBuilder.getMatchingCACerts(): ca is target");
+                debug.println("ForwardBuilder.getMatchingCACerts(): " +
+                              "the target is a CA");
            }
            if (caTargetSelector == null) {
@@ -291,8 +292,14 @@ class ForwardBuilder extends Builder {
        for (X509Certificate trustedCert : trustedCerts) {
            if (sel.match(trustedCert)) {
                if (debug != null) {
-                    debug.println("ForwardBuilder.getMatchingCACerts: "
+                    debug.println("ForwardBuilder.getMatchingCACerts: " +
-                        + "found matching trust anchor");
+                        "found matching trust anchor." +
+                        "\n  SN: " +
+                            Debug.toHexString(trustedCert.getSerialNumber()) +
+                        "\n  Subject: " +
+                            trustedCert.getSubjectX500Principal() +
+                        "\n  Issuer: " +
+                            trustedCert.getIssuerX500Principal());
                }
                if (caCerts.add(trustedCert) && !searchAllCertStores) {
                    return;

--- a/src/share/classes/sun/security/provider/certpath/PKIXMasterCertPathValidator.java
+++ b/src/share/classes/sun/security/provider/certpath/PKIXMasterCertPathValidator.java
 /*
- * Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -30,6 +30,7 @@ import sun.security.util.Debug;
 import java.util.Collections;
 import java.util.List;
 import java.util.Set;
+import java.util.StringJoiner;
 import java.security.cert.CertPath;
 import java.security.cert.CertPathValidatorException;
 import java.security.cert.PKIXCertPathChecker;
@@ -88,20 +89,25 @@ class PKIXMasterCertPathValidator {
             * current certificate of this loop to be the previous certificate
             * of the next loop. The state is initialized during first loop.
             */
-            if (debug != null)
-                debug.println("Checking cert" + (i+1) + " ...");
            X509Certificate currCert = reversedCertList.get(i);
+            if (debug != null) {
+                debug.println("Checking cert" + (i+1) + " - Subject: " +
+                    currCert.getSubjectX500Principal());
+            }
            Set<String> unresCritExts = currCert.getCriticalExtensionOIDs();
            if (unresCritExts == null) {
                unresCritExts = Collections.<String>emptySet();
            }
            if (debug != null && !unresCritExts.isEmpty()) {
-                debug.println("Set of critical extensions:");
+                StringJoiner joiner = new StringJoiner(", ", "{", "}");
                for (String oid : unresCritExts) {
-                    debug.println(oid);
+                  joiner.add(oid);
                }
+                debug.println("Set of critical extensions: " +
+                        joiner.toString());
            }
            for (int j = 0; j < certPathCheckers.size(); j++) {

--- a/src/share/classes/sun/security/provider/certpath/RevocationChecker.java
+++ b/src/share/classes/sun/security/provider/certpath/RevocationChecker.java
 /*
- * Copyright (c) 2012, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2012, 2015, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -343,11 +343,17 @@ class RevocationChecker extends PKIXRevocationChecker {
                       PublicKey pubKey, boolean crlSignFlag)
        throws CertPathValidatorException
    {
+        if (debug != null) {
+            debug.println("RevocationChecker.check: checking cert" +
+                "\n  SN: " + Debug.toHexString(xcert.getSerialNumber()) +
+                "\n  Subject: " + xcert.getSubjectX500Principal() +
+                "\n  Issuer: " + xcert.getIssuerX500Principal());
+        }
        try {
            if (onlyEE && xcert.getBasicConstraints() != -1) {
                if (debug != null) {
-                    debug.println("Skipping revocation check, not end " +
+                    debug.println("Skipping revocation check; cert is not " +
-                                  "entity cert");
+                                  "an end entity cert");
                }
                return;
            }

--- a/src/share/classes/sun/security/provider/certpath/SunCertPathBuilder.java
+++ b/src/share/classes/sun/security/provider/certpath/SunCertPathBuilder.java
 /*
- * Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -136,7 +136,8 @@ public final class SunCertPathBuilder extends CertPathBuilderSpi {
        PKIXCertPathBuilderResult result = buildCertPath(false, adjList);
        if (result == null) {
            if (debug != null) {
-                debug.println("SunCertPathBuilder.engineBuild: 2nd pass");
+                debug.println("SunCertPathBuilder.engineBuild: 2nd pass; " +
+                              "try building again searching all certstores");
            }
            // try again
            adjList.clear();

--- a/src/share/classes/sun/security/ssl/ClientHandshaker.java
+++ b/src/share/classes/sun/security/ssl/ClientHandshaker.java
 /*
- * Copyright (c) 1996, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2015, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -818,6 +818,11 @@ final class ClientHandshaker extends Handshaker {
                } else {
                    warningSE(Alerts.alert_no_certificate);
                }
+                if (debug != null && Debug.isOn("handshake")) {
+                    System.out.println(
+                        "Warning: no suitable certificate found - " +
+                        "continuing without client authentication");
+                }
            }
            //

--- a/src/share/classes/sun/security/ssl/HandshakeMessage.java
+++ b/src/share/classes/sun/security/ssl/HandshakeMessage.java
@@ -492,11 +492,14 @@ class CertificateMsg extends HandshakeMessage
    void print(PrintStream s) throws IOException {
        s.println("*** Certificate chain");
-        if (debug != null && Debug.isOn("verbose")) {
+        if (chain.length == 0) {
-            for (int i = 0; i < chain.length; i++)
+            s.println("<Empty>");
+        } else if (debug != null && Debug.isOn("verbose")) {
+            for (int i = 0; i < chain.length; i++) {
                s.println("chain [" + i + "] = " + chain[i]);
-            s.println("***");
+            }
        }
+        s.println("***");
    }
    X509Certificate[] getCertificateChain() {