JDK-6882437: CertPath/X509CertPathDiscovery/Test fails on jdk7/pit/b62

    Details

    • Subcomponent:
    • Resolved In Build:
      b140
    • CPU:
      generic
    • OS:
      generic
    • Verification:
      Not verified

      Description

      Here are the steps to reproduce this issue with simplified code:
      nc150145@jck-win1: /net/sqenfs-1/export1/comp/jsn/users/evergreen/wzhu/CertPathBuilderTest $ cd
      nc150145@jck-win1: ~ $ cd /net/sqenfs-1/export1/comp/jsn/users/evergreen/wzhu/CertPathBuilderTest
      nc150145@jck-win1: /net/sqenfs-1/export1/comp/jsn/users/evergreen/wzhu/CertPathBuilderTest $ /net/bonsai.sfbay/w/builds/jdk/7/pit/b62/linux-i586/jdk1.7.0/bin/java -Djava.security.debug=certpath CertPathBuilderTest > log 2>&1

      (The test files above have also been attached)

      Contents of log file:
      certpath: SunCertPathBuilder.engineBuild([
      [
        Trust Anchors: [[
        Trusted CA cert: [
      [
        Version: V3
        Subject: CN=Basic Directory Trust Anchor, O=Test Certificates, C=US
        Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

        Key: Sun RSA public key, 1024 bits
        modulus: 102391465275516912515563344486897643382501239620727094556425568251165876499366868672228779562455879074900749139652718414771482522558763730199427986645279821876687173212631326484084739663485019004874099200404174025518597704524859078666183130082346730033312332727183071944363575576029991275390212601756167201041
        public exponent: 65537
        Validity: [From: Fri May 27 07:57:20 PDT 2005,
                     To: Wed Aug 19 07:57:20 PDT 2015]
        Issuer: CN=Basic Directory Trust Anchor, O=Test Certificates, C=US
        SerialNumber: [ 01]

      Certificate Extensions: 3
      [1]: ObjectId: 2.5.29.14 Criticality=false
      SubjectKeyIdentifier [
      KeyIdentifier [
      0000: D6 42 7A 0E A3 07 B0 FC 23 93 B4 4D 9C F6 8B 22 .Bz.....#..M..."
      0010: C8 0F 89 40 ...@
      ]
      ]

      [2]: ObjectId: 2.5.29.15 Criticality=true
      KeyUsage [
        Key_CertSign
        Crl_Sign
      ]

      [3]: ObjectId: 2.5.29.19 Criticality=true
      BasicConstraints:[
        CA:true
        PathLen:2147483647
      ]

      ]
        Algorithm: [SHA1withRSA]

      ]
      ]
        Initial Policy OIDs: any
        Validity Date: null
        Signature Provider: null
        Default Revocation Enabled: true
        Explicit Policy Required: false
        Policy Mapping Inhibited: false
        Any Policy Inhibited: false
        Policy Qualifiers Rejected: true
        Target Cert Constraints: X509CertSelector: [
        Certificate: [
      [
        Version: V3
        Subject: CN=Rudimentary Directory Path Discovery EE Certificate Test3, O=Test Certificates, C=US
        Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

        Key: Sun RSA public key, 1024 bits
        modulus: 139485484259931312516558345506821078592151471346206541571813337285964821607575479473483893979967518662324063162436502476569672163661426180040563179700700363523853663568592534882919635297859277019768818638633799785871215311978897795119777412529784691652591105290326142317468815373794875687792061697615535443343
        public exponent: 65537
        Validity: [From: Fri May 27 07:57:20 PDT 2005,
                     To: Wed Aug 19 07:57:20 PDT 2015]
        Issuer: CN=Basic Directory Trust Anchor SubCA3, O=Test Certificates, C=US
        SerialNumber: [ 01]

      Certificate Extensions: 5
      [1]: ObjectId: 2.5.29.14 Criticality=false
      SubjectKeyIdentifier [
      KeyIdentifier [
      0000: 8E E6 88 2D A1 8E D9 42 1B 79 97 2D BE 6D 70 59 ...-...B.y.-.mpY
      0010: 49 95 FF A7 I...
      ]
      ]

      [2]: ObjectId: 2.5.29.35 Criticality=false
      AuthorityKeyIdentifier [
      KeyIdentifier [
      0000: 28 C6 CC A1 F6 0C 27 6C F6 FF 88 42 FB 9A B1 5A (.....'l...B...Z
      0010: 3E 9F 00 D8 >...
      ]
      ]

      [3]: ObjectId: 2.5.29.17 Criticality=false
      SubjectAlternativeName [
        RFC822Name: ###@###.###
      ]

      [4]: ObjectId: 2.5.29.32 Criticality=false
      CertificatePolicies [
        [CertificatePolicyId: [2.16.840.1.101.3.2.1.48.1]
      [] ]
      ]

      [5]: ObjectId: 2.5.29.15 Criticality=true
      KeyUsage [
        DigitalSignature
        Non_repudiation
        Key_Encipherment
        Data_Encipherment
      ]

      ]
        Algorithm: [SHA1withRSA]

      ]
        matchAllSubjectAltNames flag: true
      ]
        Certification Path Checkers: [[]]
        CertStores: [[java.security.cert.CertStore@3ecfff]]
      ] Maximum Path Length: 5
      ]
      )
      certpath: SunCertPathBuilder.buildForward()...
      certpath: SunCertPathBuilder.depthFirstSearchForward(CN=Rudimentary Directory Path Discovery EE Certificate Test3, O=Test Certificates, C=US, State [
        issuerDN of last cert: null
        traversedCACerts: 0
        init: true
        keyParamsNeeded: false
        subjectNamesTraversed:
      []]
      )
      certpath: ForwardBuilder.getMatchingCerts()...
      certpath: ForwardBuilder.getMatchingEECerts()...
      certpath: X509CertSelector.match(SN: 1
        Issuer: CN=Basic Directory Trust Anchor SubCA3, O=Test Certificates, C=US
        Subject: CN=Rudimentary Directory Path Discovery EE Certificate Test3, O=Test Certificates, C=US)
      certpath: X509CertSelector.match returning: true
      certpath: Builder.addMatchingCerts: adding target cert
      certpath: ForwardBuilder.getMatchingCACerts()...
      certpath: ForwardBuilder.getMatchingCACerts(): ca is target
      certpath: X509CertSelector.match(SN: 1
        Issuer: CN=Basic Directory Trust Anchor, O=Test Certificates, C=US
        Subject: CN=Basic Directory Trust Anchor, O=Test Certificates, C=US)
      certpath: X509CertSelector.match: certs don't match
      certpath: X509CertSelector.match(SN: 1
        Issuer: CN=Basic Directory Trust Anchor SubCA3, O=Test Certificates, C=US
        Subject: CN=Rudimentary Directory Path Discovery EE Certificate Test3, O=Test Certificates, C=US)
      certpath: X509CertSelector.match: maxPathLen too small (-1 < 0)
      certpath: ForwardBuilder.getMatchingCACerts: found 0 CA certs
      certpath: SunCertPathBuilder.depthFirstSearchForward(): certs.size=1
      certpath: ForwardBuilder.verifyCert(SN: 01
        Issuer: CN=Basic Directory Trust Anchor SubCA3, O=Test Certificates, C=US)
        Subject: CN=Rudimentary Directory Path Discovery EE Certificate Test3, O=Test Certificates, C=US)
      certpath: SunCertPathBuilder.depthFirstSearchForward(CN=Basic Directory Trust Anchor SubCA3, O=Test Certificates, C=US, State [
        issuerDN of last cert: CN=Basic Directory Trust Anchor SubCA3, O=Test Certificates, C=US
        traversedCACerts: 0
        init: false
        keyParamsNeeded: false
        subjectNamesTraversed:
      [RFC822Name: ###@###.###, CN=Rudimentary Directory Path Discovery EE Certificate Test3, O=Test Certificates, C=US]]
      )
      certpath: ForwardBuilder.getMatchingCerts()...
      certpath: ForwardBuilder.getMatchingCACerts()...
      certpath: X509CertSelector.match(SN: 1
        Issuer: CN=Basic Directory Trust Anchor, O=Test Certificates, C=US
        Subject: CN=Basic Directory Trust Anchor, O=Test Certificates, C=US)
      certpath: X509CertSelector.match: subject DNs don't match
      certpath: LDAPCertStore.engineGetCertificates() selector: X509CertSelector: [
        Subject: CN=Basic Directory Trust Anchor SubCA3,O=Test Certificates,C=US
        matchAllSubjectAltNames flag: true
        Certificate Valid: Tue Sep 15 20:15:45 PDT 2009
        Path to names:
          RFC822Name: ###@###.###
          CN=Rudimentary Directory Path Discovery EE Certificate Test3, O=Test Certificates, C=US
      ]
      certpath: LDAPCertStore.engineGetCertificates() basicConstraints: 0
      certpath: LDAPCertStore.engineGetCertificates() subject is not null
      certpath: X509CertSelector.match(SN: 6
        Issuer: CN=Basic Directory Trust Anchor, O=Test Certificates, C=US
        Subject: CN=Basic Directory Trust Anchor SubCA3, O=Test Certificates, C=US)
      certpath: X509CertSelector.match returning: true
      certpath: X509CertSelector.match(SN: 7
        Issuer: CN=Basic Directory Trust Anchor, O=Test Certificates, C=US
        Subject: CN=Basic Directory Trust Anchor SubCA3, O=Test Certificates, C=US)
      certpath: X509CertSelector.match returning: true
      certpath: LDAPCertStore.engineGetCertificates() after getMatchingCrossCerts(subject,xsel,null),certs.size(): 2
      certpath: X509CertSelector.match(SN: 6
        Issuer: CN=Basic Directory Trust Anchor, O=Test Certificates, C=US
        Subject: CN=Basic Directory Trust Anchor SubCA3, O=Test Certificates, C=US)
      certpath: X509CertSelector.match returning: true
      certpath: X509CertSelector.match(SN: 7
        Issuer: CN=Basic Directory Trust Anchor, O=Test Certificates, C=US
        Subject: CN=Basic Directory Trust Anchor SubCA3, O=Test Certificates, C=US)
      certpath: X509CertSelector.match returning: true
      certpath: LDAPCertStore.engineGetCertificates() after getCertificates(subject,CA_CERT,xsel),certs.size(): 2
      certpath: LDAPCertStore.engineGetCertificates() about to getMatchingCrossCerts...
      certpath: LDAPCertStore.engineGetCertificates() returning certs
      certpath: PKIXCertComparator.compare() o1 Issuer: CN=Basic Directory Trust Anchor, O=Test Certificates, C=US
      certpath: PKIXCertComparator.compare() o2 Issuer: CN=Basic Directory Trust Anchor, O=Test Certificates, C=US
      certpath: PKIXCertComparator.compare() MATCH TRUSTED SUBJECT TEST...
      certpath: PKIXCertComparator.compare() m1: true
      certpath: PKIXCertComparator.compare() m2: true
      certpath: SunCertPathBuilder.depthFirstSearchForward(): certs.size=2
      certpath: ForwardBuilder.verifyCert(SN: 07
        Issuer: CN=Basic Directory Trust Anchor, O=Test Certificates, C=US)
        Subject: CN=Basic Directory Trust Anchor SubCA3, O=Test Certificates, C=US)
      certpath: policyMappingFound = false
      certpath: KeyChecker.verifyCAKeyUsage() ---checking CA key usage...
      certpath: KeyChecker.verifyCAKeyUsage() CA key usage verified.
      certpath: CrlRevocationChecker.verifyRevocationStatus() ---checking revocation status...
      certpath: LDAPCertStore.engineGetCRLs() selector: X509CRLSelector: [
        dateAndTime: Tue Sep 15 20:15:45 PDT 2009
        Certificate being checked: [
      [
        Version: V3
        Subject: CN=Rudimentary Directory Path Discovery EE Certificate Test3, O=Test Certificates, C=US
        Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

        Key: Sun RSA public key, 1024 bits
        modulus: 139485484259931312516558345506821078592151471346206541571813337285964821607575479473483893979967518662324063162436502476569672163661426180040563179700700363523853663568592534882919635297859277019768818638633799785871215311978897795119777412529784691652591105290326142317468815373794875687792061697615535443343
        public exponent: 65537
        Validity: [From: Fri May 27 07:57:20 PDT 2005,
                     To: Wed Aug 19 07:57:20 PDT 2015]
        Issuer: CN=Basic Directory Trust Anchor SubCA3, O=Test Certificates, C=US
        SerialNumber: [ 01]

      Certificate Extensions: 5
      [1]: ObjectId: 2.5.29.14 Criticality=false
      SubjectKeyIdentifier [
      KeyIdentifier [
      0000: 8E E6 88 2D A1 8E D9 42 1B 79 97 2D BE 6D 70 59 ...-...B.y.-.mpY
      0010: 49 95 FF A7 I...
      ]
      ]

      [2]: ObjectId: 2.5.29.35 Criticality=false
      AuthorityKeyIdentifier [
      KeyIdentifier [
      0000: 28 C6 CC A1 F6 0C 27 6C F6 FF 88 42 FB 9A B1 5A (.....'l...B...Z
      0010: 3E 9F 00 D8 >...
      ]
      ]

      [3]: ObjectId: 2.5.29.17 Criticality=false
      SubjectAlternativeName [
        RFC822Name: ###@###.###
      ]

      [4]: ObjectId: 2.5.29.32 Criticality=false
      CertificatePolicies [
        [CertificatePolicyId: [2.16.840.1.101.3.2.1.48.1]
      [] ]
      ]

      [5]: ObjectId: 2.5.29.15 Criticality=true
      KeyUsage [
        DigitalSignature
        Non_repudiation
        Key_Encipherment
        Data_Encipherment
      ]

      ]
        Algorithm: [SHA1withRSA]

      ]
      ]
      certpath: CrlRevocationChecker.verifyRevocationStatus() crls.size() = 1
      certpath: CRLRevocationChecker.verifyPossibleCRLs: Checking CRLDPs for CN=Rudimentary Directory Path Discovery EE Certificate Test3, O=Test Certificates, C=US
      certpath: Exception while verifying CRL: all elements of set must be of type java.security.cert.TrustAnchor
      java.lang.ClassCastException: all elements of set must be of type java.security.cert.TrustAnchor
      at java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:205)
      at java.security.cert.PKIXParameters.<init>(PKIXParameters.java:120)
      at java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:104)
      at sun.security.provider.certpath.DistributionPointFetcher.verifyCRL(DistributionPointFetcher.java:547)
      at sun.security.provider.certpath.CrlRevocationChecker.verifyPossibleCRLs(CrlRevocationChecker.java:747)
      at sun.security.provider.certpath.CrlRevocationChecker.verifyRevocationStatus(CrlRevocationChecker.java:311)
      at sun.security.provider.certpath.CrlRevocationChecker.verifyRevocationStatus(CrlRevocationChecker.java:239)
      at sun.security.provider.certpath.CrlRevocationChecker.check(CrlRevocationChecker.java:210)
      at sun.security.provider.certpath.ForwardBuilder.verifyCert(ForwardBuilder.java:783)
      at sun.security.provider.certpath.SunCertPathBuilder.depthFirstSearchForward(SunCertPathBuilder.java:409)
      at sun.security.provider.certpath.SunCertPathBuilder.depthFirstSearchForward(SunCertPathBuilder.java:620)
      at sun.security.provider.certpath.SunCertPathBuilder.buildForward(SunCertPathBuilder.java:346)
      at sun.security.provider.certpath.SunCertPathBuilder.buildCertPath(SunCertPathBuilder.java:211)
      at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:180)
      at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:255)
      at CertPathBuilderTest.main(CertPathBuilderTest.java:39)
      certpath: CrlRevocationChecker.verifyRevocationStatus() approved crls.size() = 0
      certpath: CrlRevocationChecker.verifyWithSeparateSigningKey() ---checking revocation status...
      ...
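
Added example (not part of the original report or of the JDK): a Python script that scans `-Djava.security.debug=certpath` output for the failure mode visible in this log, a revocation check that fetched candidate CRLs but approved none because an exception was caught while verifying the CRL. The sample input is constructed from line shapes in the log above; the function name, field names and `origin` heuristic are assumptions of this example.

```python
import re

# Constructed sample: a few lines copied in shape from the certpath debug log above.
SAMPLE_LOG = """\
certpath: CrlRevocationChecker.verifyRevocationStatus() crls.size() = 1
certpath: Exception while verifying CRL: all elements of set must be of type java.security.cert.TrustAnchor
java.lang.ClassCastException: all elements of set must be of type java.security.cert.TrustAnchor
  at java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:205)
  at java.security.cert.PKIXParameters.<init>(PKIXParameters.java:120)
  at sun.security.provider.certpath.DistributionPointFetcher.verifyCRL(DistributionPointFetcher.java:547)
certpath: CrlRevocationChecker.verifyRevocationStatus() approved crls.size() = 0
"""

CANDIDATES = re.compile(r"verifyRevocationStatus\(\) crls\.size\(\) = (\d+)")
APPROVED = re.compile(r"verifyRevocationStatus\(\) approved crls\.size\(\) = (\d+)")
EXC_NOTE = re.compile(r"^certpath: Exception while verifying CRL: (.*)$")
THROWABLE = re.compile(r"^([\w.$]+(?:Exception|Error)): ")
FRAME = re.compile(r"^at ([\w.$<>]+)\(")
PROVIDER = "sun.security.provider.certpath."

def triage(log_text):
    """Return one finding per revocation check that fetched CRLs but approved none."""
    findings, cur = [], None
    for raw in log_text.splitlines():
        line = raw.strip()  # log lines on the page are indented
        if (m := CANDIDATES.search(line)):
            cur = {"candidates": int(m.group(1)), "approved": None,
                   "reason": None, "exception": None, "frames": []}
        elif cur is None:
            continue
        elif (m := EXC_NOTE.match(line)):
            cur["reason"] = m.group(1)
        elif (m := THROWABLE.match(line)):
            cur["exception"] = m.group(1)
        elif (m := FRAME.match(line)):
            cur["frames"].append(m.group(1))
        elif (m := APPROVED.search(line)):
            cur["approved"] = int(m.group(1))
            if cur["candidates"] > 0 and cur["approved"] == 0:
                # First provider-internal frame: where the provider made the failing call.
                cur["origin"] = next(
                    (f for f in cur["frames"] if f.startswith(PROVIDER)), None)
                findings.append(cur)
            cur = None
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['candidates']} CRL(s) fetched, 0 approved: "
              f"{f['exception']} ({f['reason']}) via {f['origin']}")
```

A finding with a non-empty `exception` means the CRL was rejected by a caught runtime error rather than by a signature or scope check, which is the case this report describes.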

        Activity

        xuelei Xue-Lei Fan added a comment -
        BT2:EVALUATION

        I can still replay the bug for JDK b101. Need to address the CR in JDK 7.

        xuelei Xue-Lei Fan added a comment -
        BT2:SUGGESTED FIX

        http://hg.openjdk.java.net/jdk7/tl/jdk/rev/6e306c3aa17b

          People

          • Assignee:
            xuelei Xue-Lei Fan
            Reporter:
            tonyli Tony Li