On Wed, 7 Feb 2024 06:36:10 GMT, Prajwal Kumaraswamy <pkumarasw...@openjdk.org> wrote:
> During the time of server certificate validation, users have the flexibility > to use a custom X509 Key Manager implementation by extending > "X509ExtendedKeyManager.". > In such cases, printing the class name in X509Authentication.java will be > helpful to trace any failure of the SSL connection due to a certificate issue. > > I've tested the code by running the custom X509 manager, the default X509 > manager, and passing the null key manager. > The screen shots are attached here. > [x509_screen_shot_testing.zip](https://github.com/openjdk/jdk/files/14189852/x509_screen_shot_testing.zip) > > Also, the internal test runs against this fix are green src/java.base/share/classes/sun/security/ssl/X509Authentication.java line 205: > 203: X509ExtendedKeyManager km = chc.sslContext.getX509KeyManager(); > 204: if (SSLLogger.isOn && SSLLogger.isOn("ssl")) { > 205: SSLLogger.finest("X509ExtendedKeyManager being used: " + Could the JBS title be made more descriptive ? It's quite vague. I wonder if "X509KeyManager class: " would be better for displaying. `createServerPossession` would also benefit from this logging enhancement. I wonder if this belongs in logging during SSLContext creation time instead. Other security-dev engineers may have opinion on that. IIRC, there's another issue open where we iterate over the certificate contexts of custom tm/km types. The JDK src does it at the moment for the default tm/km but no output given for custom impl. Will be good to have that tied up at some stage also. src/java.base/share/classes/sun/security/ssl/X509Authentication.java line 206: > 204: if (SSLLogger.isOn && SSLLogger.isOn("ssl")) { > 205: SSLLogger.finest("X509ExtendedKeyManager being used: " + > 206: (km == null ? "null" : km.getClass().getName())); do you need to cater for null ? I thought a Dummy manager is returned in such scenarios. ------------- PR Review: https://git.openjdk.org/jdk/pull/17742#pullrequestreview-1867928511 PR Review Comment: https://git.openjdk.org/jdk/pull/17742#discussion_r1481545987 PR Review Comment: https://git.openjdk.org/jdk/pull/17742#discussion_r1481546624