JDK-8148188 : Enhance the security libraries to record events of interest
  • Type: Enhancement
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 8,11,12
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • Submitted: 2016-01-25
  • Updated: 2020-10-23
  • Resolved: 2018-11-20
Fix versions:
  • JDK 11: 11.0.5 (Fixed)
  • JDK 12: 12 b21 (Fixed)
  • JDK 8: 8u231 (Fixed)
Sub Tasks
JDK-8214304 :  
JDK-8220239 :  
Description
Enhance the security libraries to log usage of weak algorithms, key sizes, protocols and other crypto events of interest.

Via the introduction of JFR Crypto Events (JDK-8186986), security library code could start recording events of particular interest to the JFR recording framework (if enabled). Code using this new 'EventRuntime' API would be inserted into security library classes and could communicate directly with JFR libraries if present. If not present, we have stub holders that simply end up logging to the System Logger as a fallback.

Examples of events to record would be:
 * Certificates encountered while setting up a TLS connection
 * TLS protocol version and ciphersuite used for each TLS connection attempt
 * Overriding of default security properties

Once such data is recorded, there's potential for a client tool, coupled with a ruleset, to analyze the new events and report back to system administrators about the overall strength of their Java applications with respect to cryptographic standards.
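A sketch of such a client tool, added here as an example and not part of the issue or the JDK sources: it reads a .jfr recording with the `jdk.jfr.consumer` API and applies a small ruleset to the three kinds of event listed above. The event and field names (`jdk.TLSHandshake`, `jdk.X509Certificate`, `jdk.SecurityPropertyModification`) are those of the JFR security events as shipped in the JDK, not names taken from this page; the thresholds are assumptions, and the code targets JDK 11 or later.

```java
import jdk.jfr.consumer.RecordedEvent;
import jdk.jfr.consumer.RecordingFile;
import java.nio.file.Paths;
import java.util.Set;

public class CryptoEventAudit {
    // Assumed ruleset for this example; replace with the local crypto policy.
    static final Set<String> WEAK_PROTOCOLS = Set.of("SSLv3", "TLSv1", "TLSv1.1");
    static final int MIN_RSA_BITS = 2048;

    public static void main(String[] args) throws Exception {
        // args[0]: a .jfr file recorded with the security events enabled
        try (RecordingFile file = new RecordingFile(Paths.get(args[0]))) {
            while (file.hasMoreEvents()) {
                RecordedEvent e = file.readEvent();
                String finding = check(e);
                if (finding != null) {
                    System.out.println(e.getStartTime() + " " + finding);
                }
            }
        }
    }

    // Returns a finding when the event breaks the ruleset, otherwise null.
    static String check(RecordedEvent e) {
        switch (e.getEventType().getName()) {
            case "jdk.TLSHandshake":
                String proto = e.getString("protocolVersion");
                if (!WEAK_PROTOCOLS.contains(proto)) return null;
                return "weak TLS version " + proto + " with " + e.getString("peerHost")
                        + ":" + e.getInt("peerPort") + " (" + e.getString("cipherSuite") + ")";
            case "jdk.X509Certificate":
                String sigAlg = String.valueOf(e.getString("algorithm")).toUpperCase();
                boolean weakSig = sigAlg.contains("MD5") || sigAlg.contains("SHA1");
                boolean shortKey = "RSA".equals(e.getString("keyType"))
                        && e.getInt("keyLength") < MIN_RSA_BITS;
                if (!weakSig && !shortKey) return null;
                return "weak certificate " + e.getString("subject") + " (" + sigAlg
                        + ", " + e.getInt("keyLength") + "-bit " + e.getString("keyType") + ")";
            case "jdk.SecurityPropertyModification":
                return "security property overridden: "
                        + e.getString("key") + "=" + e.getString("value");
            default:
                return null;
        }
    }
}
```

The recording passed to the tool has to have these event types switched on in its JFR settings, otherwise the file contains none of them and the audit reports nothing.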
Comments
Fix request: This fix is part of a series of JFR patches that Oracle have integrated into their 11.0.5 update. The series consists of JDK-8203629, JDK-8213172, JDK-8214161 and JDK-8148188. They all apply (in that order, with a little fuzz for JDK-8148188 in src/java.base/share/classes/java/security/Security.java) and tests at the SAP test system show no regressions. So requesting backport approval for 11u.
08-06-2019