On Wed, 7 Feb 2024 14:19:03 GMT, Sean Coffey <coff...@openjdk.org> wrote:
>> During the time of server certificate validation, users have the flexibility >> to use a custom X509 Key Manager implementation by extending >> "X509ExtendedKeyManager.". >> In such cases, printing the class name in X509Authentication.java will be >> helpful to trace any failure of the SSL connection due to a certificate >> issue. >> >> I've tested the code by running the custom X509 manager, the default X509 >> manager, and passing the null key manager. >> The screen shots are attached here. >> [x509_screen_shot_testing.zip](https://github.com/openjdk/jdk/files/14189852/x509_screen_shot_testing.zip) >> >> Also, the internal test runs against this fix are green > > src/java.base/share/classes/sun/security/ssl/X509Authentication.java line 205: > >> 203: X509ExtendedKeyManager km = chc.sslContext.getX509KeyManager(); >> 204: if (SSLLogger.isOn && SSLLogger.isOn("ssl")) { >> 205: SSLLogger.finest("X509ExtendedKeyManager being used: " + > > Could the JBS title be made more descriptive ? It's quite vague. > > I wonder if "X509KeyManager class: " would be better for displaying. > > `createServerPossession` would also benefit from this logging enhancement. I > wonder if this belongs in logging during SSLContext creation time instead. > Other security-dev engineers may have opinion on that. > > IIRC, there's another issue open where we iterate over the certificate > contexts of custom tm/km types. The JDK src does it at the moment for the > default tm/km but no output given for custom impl. Will be good to have that > tied up at some stage also. I have changed the title to reflect the specific change made here. I'll make changes in createServerPossession as well. ------------- PR Review Comment: https://git.openjdk.org/jdk/pull/17742#discussion_r1481655887