Since Sean and you are asking similar questions, I'll answer it here.
It was to be consistent with by using the Debug class. If a change is
made to Debug to print elsewhere, what I have now is compatible.
Sending it to stderr is basically saying that Debug is a useless class
and we should just print System.err.println() instead.
As for why the stack trace is there, like I said in the comment, if
there is a situation that should or should not have been blocked, we
know what path it took. There are many methods that send data through
this code and having this debug info allows us to quickly find why it
happened instead of trying to recreating the situation. Other
constraints deny or allow all ops. This being usage-based, where SHA1
could be blocked for one usage, but not for another on the same security
property need more detailed debugging, in my opinion.
About the extra data, I don't believe it's that much more and there
isn't a way to find out the information that would be needed. The
situation of the problem may not be reproducible in our environment
because the user doesn't want to give up their certs or know their app
is performing that usage. If dumpStack() is less data than
printStackTrace(), I'm fine with switching as long as I get the same info.
It would be nice if there was a verbose option. We could turn off
AdaptiveX509Selector that prints every check in byte level detail which
overflows jtreg's buffer all the time :-)
Tony
On 03/08/2017 01:42 PM, Xuelei Fan wrote:
Looks fine to me except a minor comment.
In the update of DisabledAlgorithmConstraints.java, the dumping of stack
trace for every checking could increase the debug log size a lot. There
is no verbose option for 'certpath' debug. What do you think if only
dumping the log when the usage is not allowed?
Xuelei
On 3/8/2017 1:15 PM, Anthony Scarpino wrote:
Hi,
I need a code review of this small change.. The PKIX path for usage
checking didn't pass the variant to the checkers because of a previous
needed check for plugins.
http://cr.openjdk.java.net/~ascarpino/8176350/webrev/
thanks
Tony
