mirror of
https://github.com/openjdk/jdk.git
synced 2025-08-28 07:14:30 +02:00
8148188: Enhance the security libraries to record events of interest
Reviewed-by: egahlin, mullan, weijun, xuelei
This commit is contained in:
Sean Coffey
parent
dc260a5369
commit
73ad9c4a00
35 changed files with 2617 additions and 8 deletions
|
|
@ -26,12 +26,15 @@
|
|||
package sun.security.provider;
|
||||
|
||||
import java.io.*;
|
||||
import java.security.PublicKey;
|
||||
import java.util.*;
|
||||
import java.security.cert.*;
|
||||
|
||||
import jdk.internal.event.EventHelper;
|
||||
import jdk.internal.event.X509CertificateEvent;
|
||||
import sun.security.util.KeyUtil;
|
||||
import sun.security.util.Pem;
|
||||
import sun.security.x509.X509CertImpl;
|
||||
import sun.security.x509.X509CRLImpl;
|
||||
import sun.security.x509.*;
|
||||
import sun.security.pkcs.PKCS7;
|
||||
import sun.security.provider.certpath.X509CertPath;
|
||||
import sun.security.provider.certpath.X509CertificatePair;
|
||||
|
|
@ -101,6 +104,8 @@ public class X509Factory extends CertificateFactorySpi {
|
|||
}
|
||||
cert = new X509CertImpl(encoding);
|
||||
addToCache(certCache, cert.getEncodedInternal(), cert);
|
||||
// record cert details if necessary
|
||||
commitEvent(cert);
|
||||
return cert;
|
||||
} else {
|
||||
throw new IOException("Empty input");
|
||||
|
|
@ -762,4 +767,43 @@ public class X509Factory extends CertificateFactorySpi {
|
|||
}
|
||||
return tag;
|
||||
}
|
||||
|
||||
private void commitEvent(X509CertImpl info) {
|
||||
X509CertificateEvent xce = new X509CertificateEvent();
|
||||
if (xce.shouldCommit() || EventHelper.isLoggingSecurity()) {
|
||||
PublicKey pKey = info.getPublicKey();
|
||||
String algId = info.getSigAlgName();
|
||||
String serNum = info.getSerialNumber().toString(16);
|
||||
String subject = info.getSubjectDN().getName();
|
||||
String issuer = info.getIssuerDN().getName();
|
||||
String keyType = pKey.getAlgorithm();
|
||||
int length = KeyUtil.getKeySize(pKey);
|
||||
int hashCode = info.hashCode();
|
||||
long beginDate = info.getNotBefore().getTime();
|
||||
long endDate = info.getNotAfter().getTime();
|
||||
if (xce.shouldCommit()) {
|
||||
xce.algorithm = algId;
|
||||
xce.serialNumber = serNum;
|
||||
xce.subject = subject;
|
||||
xce.issuer = issuer;
|
||||
xce.keyType = keyType;
|
||||
xce.keyLength = length;
|
||||
xce.certificateId = hashCode;
|
||||
xce.validFrom = beginDate;
|
||||
xce.validUntil = endDate;
|
||||
xce.commit();
|
||||
}
|
||||
if (EventHelper.isLoggingSecurity()) {
|
||||
EventHelper.logX509CertificateEvent(algId,
|
||||
serNum,
|
||||
subject,
|
||||
issuer,
|
||||
keyType,
|
||||
length,
|
||||
hashCode,
|
||||
beginDate,
|
||||
endDate);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -29,7 +29,10 @@ import java.io.IOException;
|
|||
import java.security.InvalidAlgorithmParameterException;
|
||||
import java.security.cert.*;
|
||||
import java.util.*;
|
||||
import java.util.concurrent.atomic.AtomicLong;
|
||||
|
||||
import jdk.internal.event.X509ValidationEvent;
|
||||
import jdk.internal.event.EventHelper;
|
||||
import sun.security.provider.certpath.PKIX.ValidatorParams;
|
||||
import sun.security.validator.Validator;
|
||||
import sun.security.x509.X509CertImpl;
|
||||
|
|
@ -47,6 +50,7 @@ import sun.security.util.Debug;
|
|||
public final class PKIXCertPathValidator extends CertPathValidatorSpi {
|
||||
|
||||
private static final Debug debug = Debug.getInstance("certpath");
|
||||
private static final AtomicLong validationCounter = new AtomicLong();
|
||||
|
||||
/**
|
||||
* Default constructor.
|
||||
|
|
@ -234,7 +238,33 @@ public final class PKIXCertPathValidator extends CertPathValidatorSpi {
|
|||
params.certificates(),
|
||||
certPathCheckers);
|
||||
|
||||
X509ValidationEvent xve = new X509ValidationEvent();
|
||||
if (xve.shouldCommit() || EventHelper.isLoggingSecurity()) {
|
||||
int[] certIds = params.certificates().stream()
|
||||
.mapToInt(x -> x.hashCode())
|
||||
.toArray();
|
||||
int anchorCertId =
|
||||
anchor.getTrustedCert().hashCode();
|
||||
if (xve.shouldCommit()) {
|
||||
xve.certificateId = anchorCertId;
|
||||
int certificatePos = 1; //anchor cert
|
||||
xve.certificatePosition = certificatePos;
|
||||
xve.validationCounter = validationCounter.incrementAndGet();
|
||||
xve.commit();
|
||||
// now, iterate through remaining
|
||||
for (int id : certIds) {
|
||||
xve.certificateId = id;
|
||||
xve.certificatePosition = ++certificatePos;
|
||||
xve.commit();
|
||||
|
||||
}
|
||||
}
|
||||
if (EventHelper.isLoggingSecurity()) {
|
||||
EventHelper.logX509ValidationEvent(anchorCertId, certIds);
|
||||
}
|
||||
}
|
||||
return new PKIXCertPathValidatorResult(anchor, pc.getPolicyTree(),
|
||||
bc.getPublicKey());
|
||||
}
|
||||
|
||||
}
|
||||
|
|
|
|||
|
|
@ -40,6 +40,10 @@ import javax.crypto.Mac;
|
|||
import javax.crypto.SecretKey;
|
||||
import javax.crypto.spec.IvParameterSpec;
|
||||
import javax.crypto.spec.SecretKeySpec;
|
||||
import javax.net.ssl.SSLPeerUnverifiedException;
|
||||
|
||||
import jdk.internal.event.EventHelper;
|
||||
import jdk.internal.event.TLSHandshakeEvent;
|
||||
import sun.security.internal.spec.TlsPrfParameterSpec;
|
||||
import sun.security.ssl.CipherSuite.HashAlg;
|
||||
import static sun.security.ssl.CipherSuite.HashAlg.H_NONE;
|
||||
|
|
@ -548,6 +552,7 @@ final class Finished {
|
|||
|
||||
// handshake context cleanup.
|
||||
chc.handshakeFinished = true;
|
||||
recordEvent(chc.conContext.conSession);
|
||||
|
||||
// May need to retransmit the last flight for DTLS.
|
||||
if (!chc.sslContext.isDTLS()) {
|
||||
|
|
@ -597,6 +602,7 @@ final class Finished {
|
|||
|
||||
// handshake context cleanup.
|
||||
shc.handshakeFinished = true;
|
||||
recordEvent(shc.conContext.conSession);
|
||||
|
||||
// May need to retransmit the last flight for DTLS.
|
||||
if (!shc.sslContext.isDTLS()) {
|
||||
|
|
@ -730,6 +736,8 @@ final class Finished {
|
|||
// handshake context cleanup.
|
||||
chc.handshakeFinished = true;
|
||||
chc.conContext.finishHandshake();
|
||||
recordEvent(chc.conContext.conSession);
|
||||
|
||||
|
||||
// The handshake message has been delivered.
|
||||
return null;
|
||||
|
|
@ -1063,6 +1071,7 @@ final class Finished {
|
|||
if (!shc.sslContext.isDTLS()) {
|
||||
shc.conContext.finishHandshake();
|
||||
}
|
||||
recordEvent(shc.conContext.conSession);
|
||||
|
||||
//
|
||||
// produce
|
||||
|
|
@ -1074,4 +1083,35 @@ final class Finished {
|
|||
|
||||
}
|
||||
}
|
||||
|
||||
private static void recordEvent(SSLSessionImpl session) {
|
||||
TLSHandshakeEvent event = new TLSHandshakeEvent();
|
||||
if (event.shouldCommit() || EventHelper.isLoggingSecurity()) {
|
||||
int peerCertificateId = 0;
|
||||
try {
|
||||
// use hash code for Id
|
||||
peerCertificateId = session
|
||||
.getCertificateChain()[0]
|
||||
.hashCode();
|
||||
} catch (SSLPeerUnverifiedException e) {
|
||||
// not verified msg
|
||||
}
|
||||
if (event.shouldCommit()) {
|
||||
event.peerHost = session.getPeerHost();
|
||||
event.peerPort = session.getPeerPort();
|
||||
event.cipherSuite = session.getCipherSuite();
|
||||
event.protocolVersion = session.getProtocol();
|
||||
event.certificateId = peerCertificateId;
|
||||
event.commit();
|
||||
}
|
||||
if (EventHelper.isLoggingSecurity()) {
|
||||
EventHelper.logTLSHandshakeEvent(null,
|
||||
session.getPeerHost(),
|
||||
session.getPeerPort(),
|
||||
session.getCipherSuite(),
|
||||
session.getProtocol(),
|
||||
peerCertificateId);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue