From 87b809a2cb43d8717105ece5b812efc11ec5c539 Mon Sep 17 00:00:00 2001 From: Erik Gahlin Date: Fri, 11 Nov 2022 14:55:41 +0000 Subject: [PATCH] 8296229: JFR: jfr tool should print unsigned values correctly Reviewed-by: coffeys, mgronlun --- .../jdk/internal/event/EventHelper.java | 12 ++--- .../classes/sun/security/jca/JCAUtil.java | 5 ++- .../certpath/PKIXCertPathValidator.java | 11 ++--- .../classes/sun/security/ssl/Finished.java | 5 ++- .../jdk/jfr/events/TLSHandshakeEvent.java | 4 +- .../jdk/jfr/events/X509CertificateEvent.java | 3 +- .../jdk/jfr/events/X509ValidationEvent.java | 3 +- .../jfr/internal/tool/EventPrintWriter.java | 45 ++++++++++++++----- .../event/security/TestTLSHandshakeEvent.java | 2 +- .../security/TestX509ValidationEvent.java | 5 ++- test/jdk/jdk/jfr/tool/TestPrintXML.java | 4 ++ .../security/logging/TestTLSHandshakeLog.java | 6 +-- test/lib/jdk/test/lib/json/JSONValue.java | 3 +- .../test/lib/security/TestCertificate.java | 4 +- .../test/lib/security/TestTLSHandshake.java | 6 +-- 15 files changed, 77 insertions(+), 41 deletions(-) diff --git a/src/java.base/share/classes/jdk/internal/event/EventHelper.java b/src/java.base/share/classes/jdk/internal/event/EventHelper.java index 40f34f7787d..e890ad8dde0 100644 --- a/src/java.base/share/classes/jdk/internal/event/EventHelper.java +++ b/src/java.base/share/classes/jdk/internal/event/EventHelper.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2018, 2022, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -34,7 +34,7 @@ import java.time.Duration; import java.time.Instant; import java.util.Date; import java.util.stream.Collectors; -import java.util.stream.IntStream; +import java.util.stream.LongStream; /** * A helper class to have events logged to a JDK Event Logger. @@ -82,11 +82,11 @@ public final class EventHelper { "SecurityPropertyModification: key:{0}, value:{1}", key, value); } - public static void logX509ValidationEvent(int anchorCertId, - int[] certIds) { + public static void logX509ValidationEvent(long anchorCertId, + long[] certIds) { assert securityLogger != null; - String codes = IntStream.of(certIds) - .mapToObj(Integer::toString) + String codes = LongStream.of(certIds) + .mapToObj(Long::toString) .collect(Collectors.joining(", ")); securityLogger.log(LOG_LEVEL, "ValidationChain: {0,number,#}, {1}", anchorCertId, codes); diff --git a/src/java.base/share/classes/sun/security/jca/JCAUtil.java b/src/java.base/share/classes/sun/security/jca/JCAUtil.java index cab6f6250a5..9afc4ca12c0 100644 --- a/src/java.base/share/classes/sun/security/jca/JCAUtil.java +++ b/src/java.base/share/classes/sun/security/jca/JCAUtil.java @@ -110,6 +110,7 @@ public final class JCAUtil { String keyType = pKey.getAlgorithm(); int length = KeyUtil.getKeySize(pKey); int hashCode = x509.hashCode(); + long certifcateId = Integer.toUnsignedLong(hashCode); long beginDate = x509.getNotBefore().getTime(); long endDate = x509.getNotAfter().getTime(); if (X509CertificateEvent.isTurnedOn()) { @@ -120,7 +121,7 @@ public final class JCAUtil { xce.issuer = issuer; xce.keyType = keyType; xce.keyLength = length; - xce.certificateId = hashCode; + xce.certificateId = certifcateId; xce.validFrom = beginDate; xce.validUntil = endDate; xce.commit(); @@ -132,7 +133,7 @@ public final class JCAUtil { issuer, keyType, length, - hashCode, + certifcateId, beginDate, endDate); } diff --git a/src/java.base/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java b/src/java.base/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java index 0454d84ac46..270d10e82fa 100644 --- a/src/java.base/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java +++ b/src/java.base/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000, 2021, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2000, 2022, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -227,11 +227,13 @@ public final class PKIXCertPathValidator extends CertPathValidatorSpi { X509ValidationEvent xve = new X509ValidationEvent(); if (xve.shouldCommit() || EventHelper.isLoggingSecurity()) { - int[] certIds = params.certificates().stream() + long[] certIds = params.certificates().stream() .mapToInt(Certificate::hashCode) + .mapToLong(Integer::toUnsignedLong) .toArray(); - int anchorCertId = (anchorCert != null) ? + int hash = (anchorCert != null) ? anchorCert.hashCode() : anchor.getCAPublicKey().hashCode(); + long anchorCertId = Integer.toUnsignedLong(hash); if (xve.shouldCommit()) { xve.certificateId = anchorCertId; int certificatePos = 1; // most trusted CA @@ -239,11 +241,10 @@ public final class PKIXCertPathValidator extends CertPathValidatorSpi { xve.validationCounter = validationCounter.incrementAndGet(); xve.commit(); // now, iterate through remaining - for (int id : certIds) { + for (long id : certIds) { xve.certificateId = id; xve.certificatePosition = ++certificatePos; xve.commit(); - } } if (EventHelper.isLoggingSecurity()) { diff --git a/src/java.base/share/classes/sun/security/ssl/Finished.java b/src/java.base/share/classes/sun/security/ssl/Finished.java index 22748fe85e2..604a15fe1a6 100644 --- a/src/java.base/share/classes/sun/security/ssl/Finished.java +++ b/src/java.base/share/classes/sun/security/ssl/Finished.java @@ -1146,15 +1146,16 @@ final class Finished { private static void recordEvent(SSLSessionImpl session) { TLSHandshakeEvent event = new TLSHandshakeEvent(); if (event.shouldCommit() || EventHelper.isLoggingSecurity()) { - int peerCertificateId = 0; + int hash = 0; try { // use hash code for Id - peerCertificateId = session + hash = session .getCertificateChain()[0] .hashCode(); } catch (SSLPeerUnverifiedException e) { // not verified msg } + long peerCertificateId = Integer.toUnsignedLong(hash); if (event.shouldCommit()) { event.peerHost = session.getPeerHost(); event.peerPort = session.getPeerPort(); diff --git a/src/jdk.jfr/share/classes/jdk/jfr/events/TLSHandshakeEvent.java b/src/jdk.jfr/share/classes/jdk/jfr/events/TLSHandshakeEvent.java index e45d491ce77..6bcbe9ab393 100644 --- a/src/jdk.jfr/share/classes/jdk/jfr/events/TLSHandshakeEvent.java +++ b/src/jdk.jfr/share/classes/jdk/jfr/events/TLSHandshakeEvent.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2018, 2022, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -29,6 +29,7 @@ import jdk.jfr.Category; import jdk.jfr.Description; import jdk.jfr.Label; import jdk.jfr.Name; +import jdk.jfr.Unsigned; import jdk.jfr.internal.MirrorEvent; @Category({"Java Development Kit", "Security"}) @@ -52,5 +53,6 @@ public final class TLSHandshakeEvent extends AbstractJDKEvent { @Label("Certificate Id") @Description("Peer Certificate Id") @CertificateId + @Unsigned public long certificateId; } diff --git a/src/jdk.jfr/share/classes/jdk/jfr/events/X509CertificateEvent.java b/src/jdk.jfr/share/classes/jdk/jfr/events/X509CertificateEvent.java index 7efb5d6d804..bebff12c32d 100644 --- a/src/jdk.jfr/share/classes/jdk/jfr/events/X509CertificateEvent.java +++ b/src/jdk.jfr/share/classes/jdk/jfr/events/X509CertificateEvent.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2018, 2022, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -54,6 +54,7 @@ public final class X509CertificateEvent extends AbstractJDKEvent { @Label("Certificate Id") @CertificateId + @Unsigned public long certificateId; @Label("Valid From") diff --git a/src/jdk.jfr/share/classes/jdk/jfr/events/X509ValidationEvent.java b/src/jdk.jfr/share/classes/jdk/jfr/events/X509ValidationEvent.java index dd93510b30c..a17c90d1f74 100644 --- a/src/jdk.jfr/share/classes/jdk/jfr/events/X509ValidationEvent.java +++ b/src/jdk.jfr/share/classes/jdk/jfr/events/X509ValidationEvent.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2018, 2022, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -36,6 +36,7 @@ import jdk.jfr.internal.MirrorEvent; public final class X509ValidationEvent extends AbstractJDKEvent { @CertificateId @Label("Certificate Id") + @Unsigned public long certificateId; @Label("Certificate Position") diff --git a/src/jdk.jfr/share/classes/jdk/jfr/internal/tool/EventPrintWriter.java b/src/jdk.jfr/share/classes/jdk/jfr/internal/tool/EventPrintWriter.java index a6c92761a57..d87579b60cd 100644 --- a/src/jdk.jfr/share/classes/jdk/jfr/internal/tool/EventPrintWriter.java +++ b/src/jdk.jfr/share/classes/jdk/jfr/internal/tool/EventPrintWriter.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2018, 2021, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2018, 2022, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -28,6 +28,7 @@ package jdk.jfr.internal.tool; import java.io.FileNotFoundException; import java.io.IOException; import java.io.PrintWriter; +import java.math.BigInteger; import java.nio.file.Path; import java.util.ArrayList; import java.util.HashMap; @@ -38,6 +39,7 @@ import java.util.function.Predicate; import jdk.jfr.EventType; import jdk.jfr.Timespan; import jdk.jfr.Timestamp; +import jdk.jfr.Unsigned; import jdk.jfr.ValueDescriptor; import jdk.jfr.consumer.RecordedEvent; import jdk.jfr.consumer.RecordedObject; @@ -47,7 +49,7 @@ import jdk.jfr.internal.consumer.JdkJfrConsumer; abstract class EventPrintWriter extends StructuredWriter { enum ValueType { - TIMESPAN, TIMESTAMP, OTHER + TIMESPAN, TIMESTAMP, UNSIGNED, OTHER } protected static final String STACK_TRACE_FIELD = "stackTrace"; @@ -118,16 +120,31 @@ abstract class EventPrintWriter extends StructuredWriter { valueType = determineValueType(v); typeOfValues.put(v, valueType); } - switch (valueType) { - case TIMESPAN: - return object.getDuration(v.getName()); - case TIMESTAMP: - return PRIVATE_ACCESS.getOffsetDataTime(object, v.getName()); - default: - return object.getValue(v.getName()); - } + String name = v.getName(); + return switch (valueType) { + case TIMESPAN -> object.getDuration(name); + case TIMESTAMP -> PRIVATE_ACCESS.getOffsetDataTime(object, name); + case UNSIGNED -> getUnsigned(object, name); + case OTHER -> object.getValue(name); + }; } - // It's expensive t check + + private Object getUnsigned(RecordedObject object, String name) { + // RecordedObject::getLong handles unsigned byte, short, int + long value = object.getLong(name); + // If unsigned long value exceeds 2^63, return (upper << 32) + lower + if (value < 0) { + int upper = (int) (value >>> 32); + int lower = (int) value; + BigInteger u = BigInteger.valueOf(Integer.toUnsignedLong(upper)); + u = u.shiftLeft(32); + BigInteger l = BigInteger.valueOf(Integer.toUnsignedLong(lower)); + return u.add(l); + } + return Long.valueOf(value); + } + + // Somewhat expensive operation private ValueType determineValueType(ValueDescriptor v) { if (v.getAnnotation(Timespan.class) != null) { return ValueType.TIMESPAN; @@ -135,6 +152,12 @@ abstract class EventPrintWriter extends StructuredWriter { if (v.getAnnotation(Timestamp.class) != null) { return ValueType.TIMESTAMP; } + if (v.getAnnotation(Unsigned.class) != null) { + return switch(v.getTypeName()) { + case "byte", "short", "int", "long" -> ValueType.UNSIGNED; + default -> ValueType.OTHER; + }; + } return ValueType.OTHER; } } diff --git a/test/jdk/jdk/jfr/event/security/TestTLSHandshakeEvent.java b/test/jdk/jdk/jfr/event/security/TestTLSHandshakeEvent.java index 4565e553362..48e1fdfdd59 100644 --- a/test/jdk/jdk/jfr/event/security/TestTLSHandshakeEvent.java +++ b/test/jdk/jdk/jfr/event/security/TestTLSHandshakeEvent.java @@ -61,7 +61,7 @@ public class TestTLSHandshakeEvent { if (handshake.peerHost.equals(e.getString("peerHost"))) { Events.assertField(e, "peerPort").equal(handshake.peerPort); Events.assertField(e, "protocolVersion").equal(handshake.protocolVersion); - Events.assertField(e, "certificateId").equal(TestTLSHandshake.HASHCODE); + Events.assertField(e, "certificateId").equal(TestTLSHandshake.CERT_ID); Events.assertField(e, "cipherSuite").equal(TestTLSHandshake.CIPHER_SUITE); return; } diff --git a/test/jdk/jdk/jfr/event/security/TestX509ValidationEvent.java b/test/jdk/jdk/jfr/event/security/TestX509ValidationEvent.java index 816b8220ed7..651a6390f68 100644 --- a/test/jdk/jdk/jfr/event/security/TestX509ValidationEvent.java +++ b/test/jdk/jdk/jfr/event/security/TestX509ValidationEvent.java @@ -128,8 +128,9 @@ public class TestX509ValidationEvent { switch (pos) { // use public key of cert provided in TrustAnchor case 1: - Asserts.assertEquals(e.getLong("certificateId"), - Long.valueOf(TestCertificate.ROOT_CA.certificate().getPublicKey().hashCode())); + int hash = TestCertificate.ROOT_CA.certificate().getPublicKey().hashCode(); + Long id = Integer.toUnsignedLong(hash); + Asserts.assertEquals(e.getLong("certificateId"), id); break; case 2: Events.assertField(e, "certificateId") diff --git a/test/jdk/jdk/jfr/tool/TestPrintXML.java b/test/jdk/jdk/jfr/tool/TestPrintXML.java index 1df9b77f551..d32dc3236ae 100644 --- a/test/jdk/jdk/jfr/tool/TestPrintXML.java +++ b/test/jdk/jdk/jfr/tool/TestPrintXML.java @@ -52,6 +52,7 @@ import org.xml.sax.helpers.DefaultHandler; import jdk.jfr.Timespan; import jdk.jfr.Timestamp; +import jdk.jfr.Unsigned; import jdk.jfr.ValueDescriptor; import jdk.jfr.consumer.RecordedEvent; import jdk.jfr.consumer.RecordedObject; @@ -149,6 +150,9 @@ public class TestPrintXML { if (v.getAnnotation(Timespan.class) != null) { expectedValue = re.getDuration(name); } + if (expectedValue instanceof Number && v.getAnnotation(Unsigned.class) != null) { + expectedValue = Long.toUnsignedString(re.getLong(name)); + } if (!compare(expectedValue, xmlValue)) { return false; } diff --git a/test/jdk/jdk/security/logging/TestTLSHandshakeLog.java b/test/jdk/jdk/security/logging/TestTLSHandshakeLog.java index 086709dd95f..db34fb113d6 100644 --- a/test/jdk/jdk/security/logging/TestTLSHandshakeLog.java +++ b/test/jdk/jdk/security/logging/TestTLSHandshakeLog.java @@ -40,12 +40,12 @@ public class TestTLSHandshakeLog { l.addExpected("Subject:CN=Regression Test"); l.addExpected("Key type:EC, Length:256"); l.addExpected("FINE: ValidationChain: " + - TestTLSHandshake.ANCHOR_HASHCODE + - ", " + TestTLSHandshake.HASHCODE); + TestTLSHandshake.ANCHOR_CERT_ID + + ", " + TestTLSHandshake.CERT_ID); l.addExpected("SunJSSE Test Serivce"); l.addExpected("TLSHandshake:"); l.addExpected("TLSv1.2"); - l.addExpected(TestTLSHandshake.CIPHER_SUITE +", " + TestTLSHandshake.HASHCODE); + l.addExpected(TestTLSHandshake.CIPHER_SUITE +", " + TestTLSHandshake.CERT_ID); l.testExpected(); } diff --git a/test/lib/jdk/test/lib/json/JSONValue.java b/test/lib/jdk/test/lib/json/JSONValue.java index d1092f06c3e..f89d13b3bba 100644 --- a/test/lib/jdk/test/lib/json/JSONValue.java +++ b/test/lib/jdk/test/lib/json/JSONValue.java @@ -22,6 +22,7 @@ */ package jdk.test.lib.json; +import java.math.BigInteger; import java.util.ArrayList; import java.util.HashMap; import java.util.Iterator; @@ -317,7 +318,7 @@ public interface JSONValue { var value = builder.toString(); if (isInteger) { - Long.parseLong(value); + new BigInteger(value); return new JSONString(value); } else { Double.parseDouble(value); diff --git a/test/lib/jdk/test/lib/security/TestCertificate.java b/test/lib/jdk/test/lib/security/TestCertificate.java index 914247e23f8..e5a2f5f42f2 100644 --- a/test/lib/jdk/test/lib/security/TestCertificate.java +++ b/test/lib/jdk/test/lib/security/TestCertificate.java @@ -139,13 +139,13 @@ public enum TestCertificate { public String encoded; TestCertificate(String serialNumber, String subject, String issuer, - long certId, String encoded) { + int hash, String encoded) { this.serialNumber = serialNumber; this.subject = subject; this.issuer = issuer; this.algorithm = "SHA256withRSA"; this.encoded = encoded; - this.certId = certId; + this.certId = Integer.toUnsignedLong(hash); this.keyType = "RSA"; this.keyLength = 2048; } diff --git a/test/lib/jdk/test/lib/security/TestTLSHandshake.java b/test/lib/jdk/test/lib/security/TestTLSHandshake.java index 309a3f8ef2c..ea5cadd6463 100644 --- a/test/lib/jdk/test/lib/security/TestTLSHandshake.java +++ b/test/lib/jdk/test/lib/security/TestTLSHandshake.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2018, 2022, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -33,8 +33,8 @@ public final class TestTLSHandshake extends SSLSocketTest { public static final String CIPHER_SUITE = "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"; - public static final long HASHCODE = -1057291798L; - public static final long ANCHOR_HASHCODE = 1688661792L; + public static final long CERT_ID = Integer.toUnsignedLong(-1057291798); + public static final long ANCHOR_CERT_ID = Integer.toUnsignedLong(1688661792); public static final String CERT_SERIAL = "edbec8f705af2514"; public static final String ANCHOR_CERT_SERIAL = "8e191778b2f331be";