Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8161973

PKIXRevocationChecker.getSoftFailExceptions() not working

    XMLWordPrintable

    Details

    • Subcomponent:
    • Resolved In Build:
      b04
    • CPU:
      generic
    • OS:
      generic
    • Verification:
      Verified

      Backports

        Description

        FULL PRODUCT VERSION :
        java version "1.8.0_91"
        Java(TM) SE Runtime Environment (build 1.8.0_91-b14)
        Java HotSpot(TM) 64-Bit Server VM (build 25.91-b14, mixed mode)


        ADDITIONAL OS VERSION INFORMATION :
        Linux bryan-Lenovo-YOGA-3-Pro-1370 4.4.0-31-generic #50-Ubuntu SMP Wed Jul 13 00:07:12 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

        EXTRA RELEVANT SYSTEM CONFIGURATION :
        CertPath validation of belgian eID certificates

        A DESCRIPTION OF THE PROBLEM :
        When doing Cert Path Validator with a PKIX Revocation Checker. the list of soft fail is always empty, even when a soft fails occurred.

        STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
        * Create a PKIX Revocation Checker
        * Set the PKIX Revocation Checker to be soft fail
        * Ensure that the OCSP responder and CRL can't be reached (e.g. disactivate network)
        * Do a Cert Path Validation with the PKIX Revocation checker on a cert chain that has OCSP and/or CRL specified.

        EXPECTED VERSUS ACTUAL BEHAVIOR :
        EXPECTED -
        The soft fail exception list should have an exception indicating that "http://wrongocsp.eid.belgium.be" isn't reachable
        ACTUAL -
        The soft fail exeption list is empty

        ERROR MESSAGES/STACK TRACES THAT OCCUR :
        certpath: Checking cert3 - Subject: SERIALNUMBER=79021802145, GIVENNAME=Bryan Eduard, SURNAME=Brouckaert, CN=Bryan Brouckaert (Signature), C=BE
        certpath: Set of critical extensions: {2.5.29.15}
        certpath: -Using checker1 ... [sun.security.provider.certpath.UntrustedChecker]
        certpath: -checker1 validation succeeded
        certpath: -Using checker2 ... [sun.security.provider.certpath.AlgorithmChecker]
        certpath: -checker2 validation succeeded
        certpath: -Using checker3 ... [sun.security.provider.certpath.KeyChecker]
        certpath: -checker3 validation succeeded
        certpath: -Using checker4 ... [sun.security.provider.certpath.ConstraintsChecker]
        certpath: ---checking basic constraints...
        certpath: i = 3, maxPathLength = 0
        certpath: after processing, maxPathLength = 0
        certpath: basic constraints verified.
        certpath: ---checking name constraints...
        certpath: prevNC = null, newNC = null
        certpath: mergedNC = null
        certpath: name constraints verified.
        certpath: -checker4 validation succeeded
        certpath: -Using checker5 ... [sun.security.provider.certpath.PolicyChecker]
        certpath: PolicyChecker.checkPolicy() ---checking certificate policies...
        certpath: PolicyChecker.checkPolicy() certIndex = 3
        certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: explicitPolicy = 3
        certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: policyMapping = 3
        certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: inhibitAnyPolicy = 3
        certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: policyTree = null
        certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: explicitPolicy = 3
        certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: policyMapping = 3
        certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: inhibitAnyPolicy = 3
        certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: policyTree = null
        certpath: PolicyChecker.checkPolicy() certificate policies verified
        certpath: -checker5 validation succeeded
        certpath: -Using checker6 ... [sun.security.provider.certpath.BasicChecker]
        certpath: ---checking timestamp:Wed Jul 20 10:57:07 CEST 2016...
        certpath: timestamp verified.
        certpath: ---checking subject/issuer name chaining...
        certpath: subject/issuer name chaining verified.
        certpath: ---checking signature...
        certpath: signature verified.
        certpath: BasicChecker.updateState issuer: SERIALNUMBER=201204, CN=Citizen CA, C=BE; subject: SERIALNUMBER=79021802145, GIVENNAME=Bryan Eduard, SURNAME=Brouckaert, CN=Bryan Brouckaert (Signature), C=BE; serial#: 21267647932559007052436570664840961409
        certpath: -checker6 validation succeeded
        certpath: -Using checker7 ... [sun.security.provider.certpath.RevocationChecker]
        certpath: RevocationChecker.check: checking cert
          SN: 10000000 00004ac4 d43f8300 eae39d81
          Subject: SERIALNUMBER=79021802145, GIVENNAME=Bryan Eduard, SURNAME=Brouckaert, CN=Bryan Brouckaert (Signature), C=BE
          Issuer: SERIALNUMBER=201204, CN=Citizen CA, C=BE
        certpath: connecting to OCSP service at: http://dummy.eid.belgium.be
        certpath: RevocationChecker.check() Unable to determine revocation status due to network error
        certpath: RevocationChecker.check() preparing to failover
        certpath: RevocationChecker.checkCRLs() ---checking revocation status ...
        certpath: RevocationChecker.checkCRLs() possible crls.size() = 0
        certpath: RevocationChecker.checkCRLs() approved crls.size() = 0
        certpath: DistributionPointFetcher.getCRLs: Checking CRLDPs for SERIALNUMBER=79021802145, GIVENNAME=Bryan Eduard, SURNAME=Brouckaert, CN=Bryan Brouckaert (Signature), C=BE
        certpath: Trying to fetch CRL from DP http://crl.eid.belgium.be/eidc201204.crl
        certpath: CertStore URI:http://crl.eid.belgium.be/eidc201204.crl
        certpath: Exception fetching CRL:
        java.net.SocketTimeoutException: connect timed out
        at java.net.PlainSocketImpl.socketConnect(Native Method)
        at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
        at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
        at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
        at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
        at java.net.Socket.connect(Socket.java:589)
        at sun.net.NetworkClient.doConnect(NetworkClient.java:175)
        at sun.net.www.http.HttpClient.openServer(HttpClient.java:432)
        at sun.net.www.http.HttpClient.openServer(HttpClient.java:527)
        at sun.net.www.http.HttpClient.<init>(HttpClient.java:211)
        at sun.net.www.http.HttpClient.New(HttpClient.java:308)
        at sun.net.www.http.HttpClient.New(HttpClient.java:326)
        at sun.net.www.protocol.http.HttpURLConnection.getNewHttpClient(HttpURLConnection.java:1169)
        at sun.net.www.protocol.http.HttpURLConnection.plainConnect0(HttpURLConnection.java:1105)
        at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:999)
        at sun.net.www.protocol.http.HttpURLConnection.connect(HttpURLConnection.java:933)
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1513)
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1441)
        at sun.security.provider.certpath.URICertStore.engineGetCRLs(URICertStore.java:396)
        at java.security.cert.CertStore.getCRLs(CertStore.java:181)
        at sun.security.provider.certpath.DistributionPointFetcher.getCRL(DistributionPointFetcher.java:246)
        at sun.security.provider.certpath.DistributionPointFetcher.getCRLs(DistributionPointFetcher.java:190)
        at sun.security.provider.certpath.DistributionPointFetcher.getCRLs(DistributionPointFetcher.java:122)
        at sun.security.provider.certpath.RevocationChecker.checkCRLs(RevocationChecker.java:552)
        at sun.security.provider.certpath.RevocationChecker.checkCRLs(RevocationChecker.java:465)
        at sun.security.provider.certpath.RevocationChecker.check(RevocationChecker.java:394)
        at sun.security.provider.certpath.RevocationChecker.check(RevocationChecker.java:337)
        at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:125)
        at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:219)
        at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:140)
        at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:79)
        at java.security.cert.CertPathValidator.validate(CertPathValidator.java:292)
        at net.atos.saviscio.sign.xmldsig.XmlDSigSignature.verify(XmlDSigSignature.java:179)
        at net.atos.saviscio.sign.xmldsig.XmlDSigSignature$MockitoMock$620320071.verify$accessor$zS6Pj66N(Unknown Source)
        at net.atos.saviscio.sign.xmldsig.XmlDSigSignature$MockitoMock$620320071$auxiliary$8pfr83ZJ.call(Unknown Source)
        at org.mockito.internal.creation.bytebuddy.InterceptedInvocation$SuperMethod$FromCallable.invoke(InterceptedInvocation.java:191)
        at org.mockito.internal.creation.bytebuddy.InterceptedInvocation.callRealMethod(InterceptedInvocation.java:128)
        at org.mockito.internal.stubbing.answers.CallsRealMethods.answer(CallsRealMethods.java:40)
        at org.mockito.Answers.answer(Answers.java:91)
        at org.mockito.internal.handler.MockHandlerImpl.handle(MockHandlerImpl.java:98)
        at org.mockito.internal.handler.NullResultGuardian.handle(NullResultGuardian.java:32)
        at org.mockito.internal.handler.InvocationNotifierHandler.handle(InvocationNotifierHandler.java:38)
        at org.mockito.internal.creation.bytebuddy.MockMethodInterceptor.doIntercept(MockMethodInterceptor.java:36)
        at org.mockito.internal.creation.bytebuddy.MockMethodInterceptor.access$000(MockMethodInterceptor.java:17)
        at org.mockito.internal.creation.bytebuddy.MockMethodInterceptor$DispatcherDefaultingToRealMethod.interceptSuperCallable(MockMethodInterceptor.java:96)
        at net.atos.saviscio.sign.xmldsig.XmlDSigSignature$MockitoMock$620320071.verify(Unknown Source)
        at net.atos.saviscio.sign.XAdESSignatureService.process(XAdESSignatureService.java:35)
        at net.atos.saviscio.sign.XAdESSignatureServiceTest.processGenericXadesBES(XAdESSignatureServiceTest.java:54)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:50)
        at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12)
        at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:47)
        at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:17)
        at org.junit.internal.runners.statements.RunBefores.evaluate(RunBefores.java:26)
        at org.junit.rules.TestWatcher$1.evaluate(TestWatcher.java:55)
        at org.junit.rules.RunRules.evaluate(RunRules.java:20)
        at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:325)
        at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:78)
        at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:57)
        at org.junit.runners.ParentRunner$3.run(ParentRunner.java:290)
        at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:71)
        at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:288)
        at org.junit.runners.ParentRunner.access$000(ParentRunner.java:58)
        at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:268)
        at org.junit.runners.ParentRunner.run(ParentRunner.java:363)
        at org.mockito.internal.runners.JUnit45AndHigherRunnerImpl.run(JUnit45AndHigherRunnerImpl.java:37)
        at org.mockito.runners.MockitoJUnitRunner.run(MockitoJUnitRunner.java:62)
        at org.apache.maven.surefire.junit4.JUnit4Provider.execute(JUnit4Provider.java:367)
        at org.apache.maven.surefire.junit4.JUnit4Provider.executeWithRerun(JUnit4Provider.java:274)
        at org.apache.maven.surefire.junit4.JUnit4Provider.executeTestSet(JUnit4Provider.java:238)
        at org.apache.maven.surefire.junit4.JUnit4Provider.invoke(JUnit4Provider.java:161)
        at org.apache.maven.surefire.booter.ForkedBooter.invokeProviderInSameClassLoader(ForkedBooter.java:290)
        at org.apache.maven.surefire.booter.ForkedBooter.runSuitesInProcess(ForkedBooter.java:242)
        at org.apache.maven.surefire.booter.ForkedBooter.main(ForkedBooter.java:121)
        certpath: RevocationChecker.check() failover failed
        certpath: RevocationChecker.check() Unable to determine revocation status due to network error
        certpath: -checker7 validation succeeded
        certpath:
        cert3 validation succeeded.

        REPRODUCIBILITY :
        This bug can be reproduced always.

        ---------- BEGIN SOURCE ----------
            private static String selfSigned
                    = "-----BEGIN CERTIFICATE-----\n"
                    + "MIIDsTCCApmgAwIBAgIJAOMWI7Hlb+cHMA0GCSqGSIb3DQEBCwUAMG8xCzAJBgNV\n"
                    + "BAYTAkJFMQwwCgYDVQQIDANPVkwxFDASBgNVBAcMC0RlbmRlcmxlZXV3MRQwEgYD\n"
                    + "VQQKDAtFZ2Vsa2UgQlZCQTELMAkGA1UECwwCSVQxGTAXBgNVBAMMEEJyeWFuIEJy\n"
                    + "b3Vja2FlcnQwHhcNMTYwNzIwMTI1MzUzWhcNMjYwNzE4MTI1MzUzWjBvMQswCQYD\n"
                    + "VQQGEwJCRTEMMAoGA1UECAwDT1ZMMRQwEgYDVQQHDAtEZW5kZXJsZWV1dzEUMBIG\n"
                    + "A1UECgwLRWdlbGtlIEJWQkExCzAJBgNVBAsMAklUMRkwFwYDVQQDDBBCcnlhbiBC\n"
                    + "cm91Y2thZXJ0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnr1n5Zd/\n"
                    + "O8Z0hyMwi6xQ90HiPf6LM+KS3sUWnBxSKuXz+SjLCe/6sVGHck9/QahipixjPI8i\n"
                    + "JhGFwSbsqbWEE7NR0+sRpL6Ye7a+gpgdPBxtzMh5lnBe1zpi4lbDPBlr8X1nCMNc\n"
                    + "QbPYClBgeeRUEnFkS+BSXsUbI25BoJ7qHKAF1vkOBs9wYjTlXVquA7i3i5ixaI51\n"
                    + "NPj0Lr7gzk1T0CqbYlME0QNmKs6EQgwudaIPXayBvfGqX5SBEvqg9nHOIX4/VZWI\n"
                    + "0PuY0zgJGzpQS/MdP/Y50x1wwEaZ84Yna84DM9AuQDFMMCLbNPjoJjj9KwZubBF3\n"
                    + "3xVn7EulXF9lEQIDAQABo1AwTjAdBgNVHQ4EFgQUHruWPgfVtB5UYB8/6/KjW0/x\n"
                    + "mEUwHwYDVR0jBBgwFoAUHruWPgfVtB5UYB8/6/KjW0/xmEUwDAYDVR0TBAUwAwEB\n"
                    + "/zANBgkqhkiG9w0BAQsFAAOCAQEALlLafpjGU+uzpbxD7qLF42uK6gV7qPdXZ1Pi\n"
                    + "hrBdxzqvy+19sIPb61Typs5/YQb0sC+OWhmMiIU4TVHYb94TEzE63XyhvYF11RvN\n"
                    + "1jLN0Xe710IMR0VCryuStFgZhvZHMLqabLBI0bRwEY+A2KMUFohLb6agRUnMARjo\n"
                    + "GpuPEFAq1weZBJvAWG5KzA7ew+nL0x6Q4CUIE7X+E+VtkTfN06TJ7aqKieYdYL3f\n"
                    + "uie8bgw7bglpTqAbDjVEWaKahpvvh4xYpkOqbPTWq9Lxwf47ojiG0XbA6MSFn4x3\n"
                    + "hXQcPeOVRkVUwoEekYluRJtnLKPl34xrKQFC8pR2R/brsnxoVQ==\n"
                    + "-----END CERTIFICATE-----";

            public static void main(String[] args) throws Exception {
                CertificateFactory cf = CertificateFactory.getInstance("X.509");
                X509Certificate cert = (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(selfSigned.getBytes("UTF-8")));
                CertPath certPath = cf.generateCertPath(Collections.singletonList(cert));
                TrustAnchor root = new TrustAnchor(cert, null);

                CertPathValidator certPathValidator = CertPathValidator.getInstance("PKIX");
                PKIXRevocationChecker rc = (PKIXRevocationChecker) certPathValidator.getRevocationChecker();
                rc.setOptions(EnumSet.of(PKIXRevocationChecker.Option.SOFT_FAIL));
                //URL does not exist ;-)
                rc.setOcspResponder(new URI("http://wrongocsp.eid.belgium.be"));
                PKIXParameters params = new PKIXParameters(Collections.singleton(root));
                params.setRevocationEnabled(true);
                params.addCertPathChecker(rc);
                certPathValidator.validate(certPath, params);
                if (!rc.getSoftFailExceptions().isEmpty()) {
                    System.err.println("OCSP is down");
                } else {
                    System.out.println("Cert is OK");
                }
            }
        ---------- END SOURCE ----------

        CUSTOMER SUBMITTED WORKAROUND :
        Don't use SOFT_FAIL

          Attachments

            Issue Links

              Activity

                People

                Assignee:
                mullan Sean Mullan
                Reporter:
                webbuggrp Webbug Group
                Votes:
                0 Vote for this issue
                Watchers:
                6 Start watching this issue

                  Dates

                  Created:
                  Updated:
                  Resolved: