Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-5068640

PKIXValidator throws RuntimeException when empty KeyStore is used

    Details

    • Subcomponent:
    • CPU:
      generic
    • OS:
      generic, solaris_nevada

      Description

      When a KeyStore without any certificates is used as the source of trust anchors for sun.security.validator.PKIXValidator, its validate() method throws a RuntimeException instead the expected CertificateException (it should be: "sun.security.validator.ValidatorException: No trusted certificate found"). This makes it difficult to diagnose e.g. a JSSE configuration problem.

      A sample JSSE stack trace is:

      Exception in thread "main" javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
      at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:166)
      at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1476)
      at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1443)
      at com.sun.net.ssl.internal.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1426)
      at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1045)
      at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:405)
      at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:170)
      at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:841)
      at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)
      at java.net.URL.openStream(URL.java:1007)
      at Test.main(Test.java:13)
      Caused by: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
      at sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:56)
      at sun.security.validator.Validator.getInstance(Validator.java:146)
      at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.getValidator(X509TrustManagerImpl.java:105)
      at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:167)
      at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(SSLContextImpl.java:320)
      at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:836)
      at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:106)
      at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
      at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:433)
      at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:815)
      at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1025)
      at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1038)
      ... 6 more
      Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
      at java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:183)
      at java.security.cert.PKIXParameters.<init>(PKIXParameters.java:103)
      at java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:87)
      at sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:54)
      ... 17 more

        Attachments

          Activity

            People

            • Assignee:
              juh Jason Uh (Inactive)
              Reporter:
              andreas Andreas Sterbenz
            • Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:
                Imported:
                Indexed: