JDK-8148188 : Enhance the security libraries to record events of interest
  • Type: Enhancement
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 8,11,12
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • Submitted: 2016-01-25
  • Updated: 2022-10-03
  • Resolved: 2018-11-20
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 11 JDK 12 JDK 8
11.0.5-oracleFixed 12 b21Fixed 8u231Fixed
Related Reports
Blocks :  
JMC-5561 - Support for Crypto Events in JMC
Blocks :  
JDK-8193397 - Milestone 3: Implementation
Blocks :  
JDK-8203629 - Produce events in the JDK without a dependency on jdk.jfr
Relates :  
JDK-8140423 - Add system property or mechanism to allow customers to test upcoming restrictions
Relates :  
JDK-8234466 - Class loading deadlock involving X509Factory#commitEvent()
Relates :  
JDK-8214161 - java.lang.IllegalAccessError: class jdk.internal.event.X509CertificateEvent (in module java.base) cannot access class jdk.jfr.internal.handlers.EventHandler (in module jdk.jfr) because module java.base does not read module jdk.jfr
Relates :  
JDK-8234468 - Application startup failed on JRE 8u231
Relates :  
JMC-7263 - JMC displaying long value in scientific notation
Relates :  
JDK-8266551 - Improve X509ValidationEvent so that all validation attempts are recorded
Relates :  
JDK-8254711 - Add java.security.Provider.getService JFR Event
Relates :  
JDK-8255348 - NPE in PKIXCertPathValidator event logging code
Relates :  
JDK-8292033 - Move jdk.X509Certificate event logic to JCA layer
Relates :  
JDK-8146635 - Introduce Logger API for security libs diagnostics
Sub Tasks
JDK-8214304 :  
Document the new JFR security Events - Open
JDK-8220239 :  
Release Note: New Java Flight Recorder (JFR) Security Events - Closed
Description
Enhance the security libraries to log usage of weak algorithms, key sizes, protocols and other crypto events of interest.

Via the introduction of JFR Crypto Events (JDK-8186986), security library code could start recording events of particular interest to the JFR recording framework (if enabled).  Code using this new 'EventRuntime' API would be inserted into security library classes and could communicate directly with JFR libraries if present. If not present, we have have stub holders that simply end up logging to the System Logger as a fall back.

Examples of events to record would be :
 * Certificates encountered while setting up a TLS connection
 * TLS protocol version and ciphersuite used for each TLS connection attempt
 * Overriding of default security properties

Once such data is recorded, there's potential for a client tool, coupled with a ruleset to analyze the new events and report back to system administrators about the overall strength of their Java applications with respect to cryptographic standards.
Comments
Fix request: This fix is part of a series of JFR patches that Oracle have integrated into their 11.0.5 update. The series consists of JDK-8203629, JDK-8213172, JDK-8214161 and JDK-8148188. They all apply (in that order, with a little fuzz for JDK-8148188 in src/java.base/share/classes/java/security/Security.java) and tests at the SAP test system show no regressions. So requesting backport approval for 11u.
08-06-2019
URL: http://hg.openjdk.java.net/jdk/jdk/rev/f7309a1491d9 User: coffeys Date: 2018-11-20 13:15:03 +0000
20-11-2018