  1. JDK
  2. JDK-8055207

keystore and truststore debug output could be much better

    Details

    • Subcomponent:
    • Resolved In Build:
      b54
    • CPU:
      generic
    • OS:
      generic

        Description

        Worked a recent case where a lot of confusion existed around how the truststore and keystore got set up. The debug logs did not print the location of either AFAIK.

        The keystore was being specified correctly via a system property, but the application code loading the store was buggy:

        Something like:
         InputStream kis =
                        getClass().getClassLoader().getResourceAsStream(keyfile);

        instead of:
        ks.load(new FileInputStream(keyfile), keypass.toCharArray());

        was being used to load in the certs.

        During client authentication this was observed with debug logs:

        ===================
        *** CertificateRequest
        <snip>
        *** ServerHelloDone
        [read] MD5 and SHA1 hashes: len = 4
        0000: 0E 00 00 00 ....
        *** Certificate chain
        ***
        <snip>
        *** ClientKeyExchange, RSA PreMasterSecret, TLSv1
        ==================

        i.e. "***" is used to denote no certs - that's poor from our side and we should at least print something like "no certs in keystore: <keystore location>".

        For comparison - this is what a successful loading of keystore looked like:

        *** CertificateRequest
        ....<snip>
            *** ServerHelloDone
        [read] MD5 and SHA1 hashes: len = 4
        0000: 0E 00 00 00 ....
        matching alias: mykey
        *** Certificate chain
        chain [0] = [
        <snip> --> Subject: CN=my company aaaaaa, O=Third Party, DC=db, DC=com
        chain [1] =
        <snip> --> Subject: CN=my company bbbbbbbb, OU=PKI, O=DD AG, C=DE
        chain [2] =
        <snip> --> Subject: CN=my company ccccccccc, OU=PKI, O=DD AG, C=DE

        <snip>
         *** ClientKeyExchange, RSA PreMasterSecret, TLSv1
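
The silent failure described in this report, as an added example (not code from the report or from the JDK): `getResourceAsStream` returns null for a path that is not on the classpath, and `KeyStore.load(null, ...)` then yields an empty keystore without any exception. The class name, the constructed resource path, the use of the `javax.net.ssl.keyStore` / `javax.net.ssl.keyStorePassword` system properties and the default keystore type are assumptions made for illustration.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Collections;

public class KeyStoreLoadCheck {   // hypothetical class name

    /** Loads a keystore from a file path; logs its location and rejects one with no key entries. */
    static KeyStore loadClientKeyStore(Path location, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        // Files.newInputStream throws NoSuchFileException for a missing file,
        // unlike getResourceAsStream, which just returns null.
        try (InputStream in = Files.newInputStream(location)) {
            ks.load(in, password);
        }
        int keyEntries = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) keyEntries++;
        }
        System.err.printf("keystore %s: type=%s, entries=%d, key entries=%d%n",
                location.toAbsolutePath(), ks.getType(), ks.size(), keyEntries);
        if (keyEntries == 0) {
            throw new IllegalStateException(
                    "no key entries in keystore: " + location.toAbsolutePath());
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        // The buggy pattern: a filesystem-style path handed to the class loader (constructed path).
        InputStream missing = KeyStoreLoadCheck.class.getClassLoader()
                .getResourceAsStream("/constructed/path/not-on-classpath.jks");
        KeyStore empty = KeyStore.getInstance(KeyStore.getDefaultType());
        empty.load(missing, null);   // stream is null: no exception, empty keystore
        System.err.println("stream null? " + (missing == null) + ", entries=" + empty.size());

        // The checked pattern, driven by the same system property the application used.
        String file = System.getProperty("javax.net.ssl.keyStore");
        String pass = System.getProperty("javax.net.ssl.keyStorePassword", "");
        if (file != null) {
            loadClientKeyStore(Paths.get(file), pass.toCharArray());
        }
    }
}
```

An empty keystore loaded this way is what produces the bare `*** Certificate chain` / `***` pair in the handshake debug output quoted above.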

                People

                • Assignee:
                  vinnie Vincent Ryan
                  Reporter:
                  coffeys Sean Coffey