Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8149722

JSSE TrustManagerFactory ignores deployment.system.security.cacerts

    Details

      Description

      FULL PRODUCT VERSION :
      java version "1.8.0_51"
      Java(TM) SE Runtime Environment (build 1.8.0_51-b16)
      Java HotSpot(TM) Client VM (build 25.51-b03, mixed mode)

      ADDITIONAL OS VERSION INFORMATION :
      Microsoft Windows [Version 6.1.7601] (Windows 7)

      EXTRA RELEVANT SYSTEM CONFIGURATION :
      Standard java installation
      Custom deployment.properties with
        deployment.system.security.cacerts=C:\tmp\cacerts

      java_home/lib/security/cacerts file deleted


      A DESCRIPTION OF THE PROBLEM :
      When java is deployed with a custom deployment.properties file setting a new location for the cacerts file; this configuration is ignored by the default JSSE implementation.

      Checking in the Java Control Panel, the Secure Site CA list is correctly populated.

      Trying to establish a secure connection HTTPS connection fails with the error message: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty

      Copy back the cacerts in java_home/lib/security
      Executing the test again, the connection is working fine.

      STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
      Remove the cacerts file present in java_home/lib/security

      Modifiy the deployment.properties file to set the deployment.system.security.cacerts property on the new location of the cacerts file.

      Verify with the Java control panel that the property points correctly the new cacerts file

      Execute the test application

      EXPECTED VERSUS ACTUAL BEHAVIOR :
      EXPECTED -
      The default SSL connection should find the cacerts file at its new location, as the Java Control Panel does and the connection should be established without problems.
      ACTUAL -
      The connection could not be established

      ERROR MESSAGES/STACK TRACES THAT OCCUR :
      trustStore is: No File Available, using empty keystore.
      trustStore type is : jks
      trustStore provider is :
      init truststore
      trigger seeding of SecureRandom
      done seeding SecureRandom
      keyStore is :
      keyStore type is : jks
      keyStore provider is :
      init keystore
      init keymanager of type SunX509
      ....
      main, handling exception: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
      %% Invalidated: [Session-1, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
      main, SEND TLSv1.2 ALERT: fatal, description = internal_error
      main, WRITE: TLSv1.2 Alert, length = 2
      [Raw write]: length = 7
      0000: 15 03 03 00 02 02 50 ......P
      main, called closeSocket()
      at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
      at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
      at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1906)
      at sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1889)
      at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1410)
      at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
      at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)
      at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
      at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1512)
      at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1440)
      at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
      at SslGet.main(SslGet.java:30)
      Caused by: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
      at sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:90)
      at sun.security.validator.Validator.getInstance(Validator.java:179)
      at sun.security.ssl.X509TrustManagerImpl.getValidator(X509TrustManagerImpl.java:312)
      at sun.security.ssl.X509TrustManagerImpl.checkTrustedInit(X509TrustManagerImpl.java:171)
      at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:184)
      at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
      at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1479)
      at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:212)
      at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
      at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
      at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
      at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
      at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
      ... 7 more
      Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
      at java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200)
      at java.security.cert.PKIXParameters.<init>(PKIXParameters.java:120)
      at java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:104)
      at sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:88)
      ... 19 more


      REPRODUCIBILITY :
      This bug can be reproduced always.

      ---------- BEGIN SOURCE ----------

      import java.io.BufferedReader;
      import java.io.InputStream;
      import java.io.InputStreamReader;
      import java.net.InetSocketAddress;
      import java.net.Proxy;
      import java.net.URL;
      import java.net.URLConnection;
      import javax.net.ssl.HttpsURLConnection;
      import javax.net.ssl.SSLContext;
      import javax.net.ssl.SSLSocketFactory;


      public class SslGet {

          public static void main(String[] args) {
              try {
                  System.setProperty("javax.net.debug", "all");
                  SSLContext context = SSLContext.getInstance("TLS");
                  context.init(null, null, null);

                  SSLSocketFactory sslSocketFactory = context.getSocketFactory();

                  Proxy theProx = new Proxy(Proxy.Type.HTTP, new InetSocketAddress("my-proxy", 8080));

                  URL google = new URL("https://www.google.com");
                  URLConnection conn = google.openConnection(theProx);
                  ((HttpsURLConnection) conn).setSSLSocketFactory(sslSocketFactory);

                  InputStream ins = conn.getInputStream();
                  InputStreamReader isr = new InputStreamReader(ins);
                  BufferedReader in = new BufferedReader(isr);

                  String inputLine;
                  while ((inputLine = in.readLine()) != null)
                  {
                      System.out.println(inputLine);
                  }

                  in.close();
              } catch (Exception e) {
                  e.printStackTrace();
              }
          }

      }

      ---------- END SOURCE ----------

        Attachments

          Activity

            People

            • Assignee:
              psonal Pallavi Sonal (Inactive)
              Reporter:
              webbuggrp Webbug Group
            • Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: