JDK-8055207

keystore and truststore debug output could be much better


    • b54
    • generic
    • generic

        Worked a recent case where a lot of confusion existed around how the truststore and keystore got set up. The debug logs did not print the location of either AFAIK.

        The keystore was being specified correctly via a system property, but the application code loading the store was buggy:

        something like:

        // getResourceAsStream() returns null when the file is not on the classpath;
        // KeyStore.load(null, ...) then silently yields an EMPTY keystore
        InputStream kis =
                getClass().getClassLoader().getResourceAsStream(keyfile);

        instead of:

        // reads the keystore from the path given in the system property
        ks.load(new FileInputStream(keyfile), keypass.toCharArray());

        was being used to load in the certs.

        During client authentication this was observed with debug logs:

        ===================
        *** CertificateRequest
        <snip>
        *** ServerHelloDone
        [read] MD5 and SHA1 hashes: len = 4
        0000: 0E 00 00 00 ....
        *** Certificate chain
        ***
        <snip>
        *** ClientKeyExchange, RSA PreMasterSecret, TLSv1
        ==================

        i.e. "***" is used to denote no certs - that's poor from our side and we should at least print something like "no certs in keystore: <keystore location>"

        For comparison - this is what a successful loading of the keystore looked like:

        *** CertificateRequest
        ....<snip>
        *** ServerHelloDone
        [read] MD5 and SHA1 hashes: len = 4
        0000: 0E 00 00 00 ....
        matching alias: mykey
        *** Certificate chain
        chain [0] = [
        <snip> --> Subject: CN=my company aaaaaa, O=Third Party, DC=db, DC=com
        chain [1] =
        <snip> --> Subject: CN=my company bbbbbbbb, OU=PKI, O=DD AG, C=DE
        chain [2] =
        <snip> --> Subject: CN=my company ccccccccc, OU=PKI, O=DD AG, C=DE

        <snip>
        *** ClientKeyExchange, RSA PreMasterSecret, TLSv1
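        The following is an added example, not code from the JDK or from this bug report, showing the diagnostic the report asks for and the null-stream check that would have caught the buggy load path. Class and method names (KeyStoreDiagnostics, loadFromFile, loadFromClasspath, report) are assumed for illustration; the empty keystore written to a temp file in main() is constructed so the example runs offline.

```java
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.List;

public class KeyStoreDiagnostics {

    /** Loads a keystore from a file path and reports its location and contents. */
    public static KeyStore loadFromFile(Path path, char[] password)
            throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(path)) {
            ks.load(in, password);
        }
        report(ks, path.toString());
        return ks;
    }

    /** Loads a keystore from the classpath; a missing resource is an error, not an empty store. */
    public static KeyStore loadFromClasspath(String resource, char[] password)
            throws GeneralSecurityException, IOException {
        InputStream in = KeyStoreDiagnostics.class.getClassLoader().getResourceAsStream(resource);
        if (in == null) {
            // ks.load(null, pw) would silently create an EMPTY keystore (the bug above); refuse instead.
            throw new IOException("keystore resource not found on classpath: " + resource);
        }
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream closeMe = in) {
            ks.load(closeMe, password);
        }
        report(ks, "classpath:" + resource);
        return ks;
    }

    /** Prints the keystore location plus every alias and chain; returns the number of aliases. */
    public static int report(KeyStore ks, String location) throws GeneralSecurityException {
        List<String> aliases = Collections.list(ks.aliases());
        if (aliases.isEmpty()) {
            // The message the bug report asks the debug output to carry instead of a bare "***".
            System.out.println("no certs in keystore: " + location);
            return 0;
        }
        System.out.println("keystore " + location + " has " + aliases.size() + " entries");
        for (String alias : aliases) {
            Certificate[] chain = ks.getCertificateChain(alias);
            if (chain == null) { // trusted-cert entry rather than a private-key entry
                Certificate c = ks.getCertificate(alias);
                chain = c == null ? new Certificate[0] : new Certificate[] { c };
            }
            System.out.println("alias: " + alias + " (" + chain.length + " certs in chain)");
            for (int i = 0; i < chain.length; i++) {
                if (chain[i] instanceof X509Certificate) {
                    System.out.println("  chain [" + i + "] Subject: "
                            + ((X509Certificate) chain[i]).getSubjectX500Principal());
                }
            }
        }
        return aliases.size();
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo input: an EMPTY keystore written to a temp file.
        char[] pw = "changeit".toCharArray();
        KeyStore empty = KeyStore.getInstance(KeyStore.getDefaultType());
        empty.load(null, pw);
        Path tmp = Files.createTempFile("empty", ".ks");
        try (FileOutputStream out = new FileOutputStream(tmp.toFile())) {
            empty.store(out, pw);
        }
        loadFromFile(tmp, pw);                 // prints "no certs in keystore: <temp path>"
        try {
            loadFromClasspath("does-not-exist.jks", pw);
        } catch (IOException e) {
            System.out.println("refused: " + e.getMessage());
        }
        Files.deleteIfExists(tmp);
    }
}
```

        The point of loadFromClasspath is that KeyStore.load(null, password) is a legitimate call (it initialises an empty store), so a null InputStream from getResourceAsStream never fails on its own; the caller has to check for it. The report helper gives the operator the location and alias list that the "***" line in the debug output hides.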

              vinnie Vincent Ryan
              coffeys Sean Coffey