JDK-6899503

Security code issue using Verisign root certificate

    Details

    • Resolved In Build: b07
    • CPU: x86
    • OS: linux

        Description

        This bug reproduces on Linux (with 6u17 and 5u22), with the attached testcase (TestHttps.java). In order to reproduce this
        problem, simply add the attached vercert.cer to the cacerts for the JRE you are using as follows:

        keytool -import -file vercert.cer -keystore cacerts

        The default keystore password is changeit. Then simply run the attached testcase.

        Running the test case will result in:

        javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: basic constraints check failed: pathLenConstraint violated - this cert must be the last cert in the certification path
               at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
               at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1592)
               at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:187)
               at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:181)
               at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1044)
               at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:127)
               at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
               at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454)
               at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
               at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1096)
               at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1123)
               at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1107)
               at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:415)
               at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
               at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1049)
               at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)
               at TestHttps.main(TestHttps.java:18)
        Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: basic constraints check failed: pathLenConstraint violated - this cert must be the last cert in the certification path
               at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:251)
               at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:234)
               at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:158)
               at sun.security.validator.Validator.validate(Validator.java:218)
               at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
               at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
               at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
               at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1023)
               ... 12 more
        Caused by: java.security.cert.CertPathValidatorException: basic constraints check failed: pathLenConstraint violated - this cert must be the last cert in the certification path
               at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:139)
               at sun.security.provider.certpath.PKIXCertPathValidator.doValidate(PKIXCertPathValidator.java:328)
               at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:178)
               at java.security.cert.CertPathValidator.validate(CertPathValidator.java:250)
               at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:246)


        If we remove this cert from the Java keystore, then validation succeeds and everything works fine.
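
        The following diagnostic is an added example, not the attached TestHttps.java and not JDK code. It lists the BasicConstraints of every trusted certificate in a keystore, so that entries carrying a pathLenConstraint, or entries that are not self-issued, can be identified when triaging this error. The class name ListPathLen and its command-line arguments are assumptions, and the page does not state which constraint vercert.cer carries.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Added diagnostic (hypothetical class name), written to compile on Java 5 and later.
// Usage: java ListPathLen <path-to-cacerts> [password]
public class ListPathLen {

    // Translate X509Certificate.getBasicConstraints() into readable text:
    // -1 = not a CA, Integer.MAX_VALUE = CA without a path length limit.
    static String describe(X509Certificate cert) {
        int pathLen = cert.getBasicConstraints();
        if (pathLen == -1) return "not a CA";
        if (pathLen == Integer.MAX_VALUE) return "CA, no pathLenConstraint";
        return "CA, pathLenConstraint=" + pathLen;
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 1) {
            System.err.println("usage: java ListPathLen <keystore> [password]");
            System.exit(2);
        }
        // "changeit" is the default keystore password mentioned in the report.
        char[] password = (args.length > 1 ? args[1] : "changeit").toCharArray();
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        InputStream in = new FileInputStream(args[0]);
        try {
            ks.load(in, password);
        } finally {
            in.close();
        }
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isCertificateEntry(alias)) continue;
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) continue;
            X509Certificate x = (X509Certificate) c;
            // A trusted entry whose issuer differs from its subject is an
            // intermediate CA certificate rather than a self-issued root.
            boolean selfIssued =
                x.getSubjectX500Principal().equals(x.getIssuerX500Principal());
            System.out.println(alias + " | " + describe(x)
                + " | " + (selfIssued ? "self-issued" : "issued by another CA")
                + " | " + x.getSubjectX500Principal().getName());
        }
    }
}
```

        Running it against the cacerts file before and after the keytool import shows exactly which entry was added and what constraints it carries.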

                People

                • Assignee: Abhijit Saha (asaha)
                • Reporter: Misha Bykov (mbykov)