Log registered TLS providers on attach

Logs the providers registered for SSLContext.TLS in priority order when
the agent loads, helping diagnose cases where an unsupported provider is
active. Warns if the first (active) provider is not known to this tool.

Test coverage added to the integration test suite via check_provider_logs,
which asserts the log line is present after each server start.

Author: neykov

src/main/java/name/neykov/secrets/agent/AgentMain.java

@@ -8,6 +8,8 @@
 import java.net.MalformedURLException;
 import java.net.URISyntaxException;
 import java.net.URL;
+import java.security.Provider;
+import java.security.Security;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.HashSet;
@@ -17,6 +19,7 @@
 import java.util.logging.Level;
 import java.util.logging.Logger;
 import javax.net.ssl.SSLEngine;
+import name.neykov.secrets.Java6Compat;
 
 /** Entry point of the agent. Loaded in the "App" class loader */
 public class AgentMain {
@@ -150,6 +153,8 @@ private static void attach(String agentArgs, Instrumentation inst, File jarFile)
 
         inst.addTransformer(new Transformer(), true);
 
+        logSecurityProviders();
+
         log.info(
                 "Successfully attached agent "
                         + jarFile
@@ -158,6 +163,28 @@ private static void attach(String agentArgs, Instrumentation inst, File jarFile)
                         + ". ");
     }
 
+    private static void logSecurityProviders() {
+        Provider[] sslProviders = Security.getProviders("SSLContext.TLS");
+        if (sslProviders == null || sslProviders.length == 0) {
+            log.warning("No provider found for SSLContext.TLS — TLS secrets will not be captured.");
+            return;
+        }
+        String[] names = new String[sslProviders.length];
+        for (int i = 0; i < sslProviders.length; i++) {
+            names[i] = sslProviders[i].getName() + " " + sslProviders[i].getVersion();
+        }
+        log.info("Registered TLS providers: " + Java6Compat.join(", ", names));
+
+        String activeSslProvider = sslProviders[0].getName();
+        if (!activeSslProvider.equals("SunJSSE") && !activeSslProvider.equals("BCJSSE")) {
+            log.warning(
+                    "TLS provider '"
+                            + activeSslProvider
+                            + "' is not supported by this tool."
+                            + " TLS secrets will not be captured.");
+        }
+    }
+
     private static void openBaseModule(Instrumentation inst) {
         Method getModule;
         try {

src/test/docker/test.sh

@@ -115,6 +115,15 @@ start_server() {
     docker exec ssl-secrets-server java -jar /project/$JAR_PATH list
     docker exec ssl-secrets-server java -jar /project/$JAR_PATH 1 /secrets/server.keys
   fi
+  check_provider_logs "$provider" "$INJECT_TYPE"
+}
+
+# Assert agent logged expected security provider diagnostics.
+# Usage: check_provider_logs <provider> <inject_type>
+check_provider_logs() {
+  local provider="$1" inject_type="$2"
+  local ssl_provider
+  wait_for_log ssl-secrets-server "Registered TLS providers"
 }
 
 # Verify that a captured pcap can be decrypted using the given keylog file.