Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8189760

sun/security/ssl/CertPathRestrictions/TLSRestrictions.java failed with unexpected Exception intermittently

    Details

      Backports

        Description

        #section:main
        ----------messages:(4/228)----------
        command: main -Djava.security.debug=certpath TLSRestrictions S8
        reason: User specified action: run main/othervm -Djava.security.debug=certpath TLSRestrictions S8
        Mode: othervm [/othervm specified]
        elapsed time (seconds): 1.705
        ----------configuration:(0/0)----------
        ----------System.out:(206/15994)----------
        Case:
          trustNames=ROOT_CA_SHA256; certNames=END_ENTITY_SHA256-INTER_CA_SHA1-ROOT_CA_SHA256,INTER_CA_SHA1-ROOT_CA_SHA256
          serverConstraint=SHA1 usage TLSClient; clientConstraint=MD2, MD5
          needClientAuth=true
          pass=false

        Server: Old jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224
        Server: New jdk.certpath.disabledAlgorithms=SHA1 usage TLSClient
        Server: port=58472
        Server: started
        Command line: [/scratch/opt/mach5/mesos/work_dir/jib-master/install/jdk10-master.174/linux-x64.jdk/jdk-10/bin/java -cp /scratch/opt/mach5/mesos/work_dir/slaves/7aed79a7-ea87-4caa-8895-f1d7e69bb48e-S4076/frameworks/1735e8a2-a1db-478c-8104-60c8b0af87dd-0196/executors/7fce4e10-08a1-4962-a860-b1c050a3670f/runs/f14e8a1b-1516-4594-b825-1daeb746c70d/testoutput/jtreg/JTwork/classes/4/sun/security/ssl/CertPathRestrictions/TLSRestrictions.d:/scratch/opt/mach5/mesos/work_dir/jib-master/install/jdk10-master.174/src.full/open/test/jdk/sun/security/ssl/CertPathRestrictions:/scratch/opt/mach5/mesos/work_dir/slaves/7aed79a7-ea87-4caa-8895-f1d7e69bb48e-S4076/frameworks/1735e8a2-a1db-478c-8104-60c8b0af87dd-0196/executors/7fce4e10-08a1-4962-a860-b1c050a3670f/runs/f14e8a1b-1516-4594-b825-1daeb746c70d/testoutput/jtreg/JTwork/classes/4/test/lib:/scratch/opt/mach5/mesos/work_dir/jib-master/install/jdk10-master.174/src.full/open/test/lib:/scratch/opt/mach5/mesos/work_dir/jib-master/install/com/oracle/java/jib/jib/3.0-SNAPSHOT/jib-3.0-SNAPSHOT-distribution.zip/jib-3.0-SNAPSHOT-distribution/lib/jib-3.0-SNAPSHOT.jar:/scratch/opt/mach5/mesos/work_dir/jib-master/install/java/re/jtreg/4.2/promoted/all/b08/bundles/jtreg_bin-4.2.zip/jtreg/lib/javatest.jar:/scratch/opt/mach5/mesos/work_dir/jib-master/install/java/re/jtreg/4.2/promoted/all/b08/bundles/jtreg_bin-4.2.zip/jtreg/lib/jtreg.jar -ea -esa -Xmx512m -Dcert.dir=/scratch/opt/mach5/mesos/work_dir/jib-master/install/jdk10-master.174/src.full/open/test/jdk/sun/security/ssl/CertPathRestrictions/certs -Djava.security.debug=certpath -classpath /scratch/opt/mach5/mesos/work_dir/slaves/7aed79a7-ea87-4caa-8895-f1d7e69bb48e-S4076/frameworks/1735e8a2-a1db-478c-8104-60c8b0af87dd-0196/executors/7fce4e10-08a1-4962-a860-b1c050a3670f/runs/f14e8a1b-1516-4594-b825-1daeb746c70d/testoutput/jtreg/JTwork/classes/4/sun/security/ssl/CertPathRestrictions/TLSRestrictions.d JSSEClient 58472 ROOT_CA_SHA256 END_ENTITY_SHA256-INTER_CA_SHA1-ROOT_CA_SHA256,INTER_CA_SHA1-ROOT_CA_SHA256 MD2, MD5 ]
        javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Usage constraint TLSClient check failed: SHA1 used with certificate: CN=INTER_CA_SHA1-ROOT_CA_SHA256, OU=Java, O=Org, L=City, ST=CA, C=US. Usage was tls client
        at java.base/sun.security.ssl.Alerts.getSSLException(Alerts.java:198)
        at java.base/sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1974)
        at java.base/sun.security.ssl.Handshaker.fatalSE(Handshaker.java:319)
        at java.base/sun.security.ssl.Handshaker.fatalSE(Handshaker.java:313)
        at java.base/sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:2120)
        at java.base/sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:249)
        at java.base/sun.security.ssl.Handshaker.processLoop(Handshaker.java:1072)
        at java.base/sun.security.ssl.Handshaker.processRecord(Handshaker.java:1000)
        at java.base/sun.security.ssl.SSLSocketImpl.processInputRecord(SSLSocketImpl.java:1137)
        at java.base/sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1074)
        at java.base/sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:973)
        at java.base/sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1402)
        at java.base/sun.security.ssl.SSLSocketImpl.bytesInCompletePacket(SSLSocketImpl.java:907)
        at java.base/sun.security.ssl.AppInputStream.read(AppInputStream.java:144)
        at java.base/sun.security.ssl.AppInputStream.read(AppInputStream.java:84)
        at JSSEServer$1.run(JSSEServer.java:63)
        at java.base/java.lang.Thread.run(Thread.java:844)
        Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Usage constraint TLSClient check failed: SHA1 used with certificate: CN=INTER_CA_SHA1-ROOT_CA_SHA256, OU=Java, O=Org, L=City, ST=CA, C=US. Usage was tls client
        at java.base/sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:350)
        at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:259)
        at java.base/sun.security.validator.Validator.validate(Validator.java:264)
        at java.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:343)
        at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:226)
        at java.base/sun.security.ssl.X509TrustManagerImpl.checkClientTrusted(X509TrustManagerImpl.java:127)
        at java.base/sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:2102)
        ... 12 more
        Caused by: java.security.cert.CertPathValidatorException: Usage constraint TLSClient check failed: SHA1 used with certificate: CN=INTER_CA_SHA1-ROOT_CA_SHA256, OU=Java, O=Org, L=City, ST=CA, C=US. Usage was tls client
        at java.base/sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:135)
        at java.base/sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:223)
        at java.base/sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:140)
        at java.base/sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:79)
        at java.base/java.security.cert.CertPathValidator.validate(CertPathValidator.java:309)
        at java.base/sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:345)
        ... 18 more
        Caused by: java.security.cert.CertPathValidatorException: Usage constraint TLSClient check failed: SHA1 used with certificate: CN=INTER_CA_SHA1-ROOT_CA_SHA256, OU=Java, O=Org, L=City, ST=CA, C=US. Usage was tls client
        at java.base/sun.security.util.DisabledAlgorithmConstraints$UsageConstraint.permits(DisabledAlgorithmConstraints.java:739)
        at java.base/sun.security.util.DisabledAlgorithmConstraints$Constraints.permits(DisabledAlgorithmConstraints.java:419)
        at java.base/sun.security.util.DisabledAlgorithmConstraints.permits(DisabledAlgorithmConstraints.java:167)
        at java.base/sun.security.provider.certpath.AlgorithmChecker.check(AlgorithmChecker.java:326)
        at java.base/sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:125)
        ... 23 more
        ---------- Client output start ----------
        Client: arguments=58472; ROOT_CA_SHA256; END_ENTITY_SHA256-INTER_CA_SHA1-ROOT_CA_SHA256,INTER_CA_SHA1-ROOT_CA_SHA256; MD2, MD5
        Client: Old jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224
        Client: New jdk.certpath.disabledAlgorithms=MD2, MD5
        Client: connected
        certpath: Constraints: SSLv3
        certpath: Constraints: RC4
        certpath: Constraints: MD5withRSA
        certpath: Constraints: DH keySize < 1024
        certpath: Constraints set to keySize: keySize < 1024
        certpath: Constraints: EC keySize < 224
        certpath: Constraints set to keySize: keySize < 224
        certpath: Constraints: MD2
        certpath: Constraints: MD5
        certpath: Constraints: MD2
        certpath: Constraints: MD5
        certpath: TrustAnchor is null, trustedMatch is false.
        certpath: PKIXCertPathValidator.engineValidate()...
        certpath: X509CertSelector.match(SN: a3529d826fddc61d
          Issuer: CN=ROOT_CA_SHA256, OU=Java, O=Org, L=City, ST=CA, C=US
          Subject: CN=ROOT_CA_SHA256, OU=Java, O=Org, L=City, ST=CA, C=US)
        certpath: X509CertSelector.match returning: true
        certpath: YES - try this trustedCert
        certpath: anchor.getTrustedCert().getSubjectX500Principal() = CN=ROOT_CA_SHA256, OU=Java, O=Org, L=City, ST=CA, C=US
        certpath: --------------------------------------------------------------
        certpath: Executing PKIX certification path validation algorithm.
        certpath: Checking cert1 - Subject: CN=INTER_CA_SHA1-ROOT_CA_SHA256, OU=Java, O=Org, L=City, ST=CA, C=US
        certpath: -Using checker1 ... [sun.security.provider.certpath.UntrustedChecker]
        certpath: -checker1 validation succeeded
        certpath: -Using checker2 ... [sun.security.provider.certpath.AlgorithmChecker]
        certpath: Constraints.permits(): SHA1withRSA Variant: tls server
        certpath: -checker2 validation succeeded
        certpath: -Using checker3 ... [sun.security.provider.certpath.KeyChecker]
        certpath: KeyChecker.verifyCAKeyUsage() ---checking CA key usage...
        certpath: -checker3 validation succeeded
        certpath: -Using checker4 ... [sun.security.provider.certpath.ConstraintsChecker]
        certpath: ---checking basic constraints...
        certpath: i = 1, maxPathLength = 2
        certpath: after processing, maxPathLength = 1
        certpath: basic constraints verified.
        certpath: ---checking name constraints...
        certpath: prevNC = null, newNC = null
        certpath: mergedNC = null
        certpath: name constraints verified.
        certpath: -checker4 validation succeeded
        certpath: -Using checker5 ... [sun.security.provider.certpath.PolicyChecker]
        certpath: PolicyChecker.checkPolicy() ---checking certificate policies...
        certpath: PolicyChecker.checkPolicy() certIndex = 1
        certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: explicitPolicy = 3
        certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: policyMapping = 3
        certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: inhibitAnyPolicy = 3
        certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: policyTree = anyPolicy ROOT

        certpath: PolicyChecker.processPolicies() no policies present in cert
        certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: explicitPolicy = 2
        certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: policyMapping = 2
        certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: inhibitAnyPolicy = 2
        certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: policyTree = null
        certpath: PolicyChecker.checkPolicy() certificate policies verified
        certpath: -checker5 validation succeeded
        certpath: -Using checker6 ... [sun.security.provider.certpath.BasicChecker]
        certpath: ---checking validity:Fri Oct 20 07:56:53 PDT 2017...
        certpath: validity verified.
        certpath: ---checking subject/issuer name chaining...
        certpath: subject/issuer name chaining verified.
        certpath: ---checking signature...
        certpath: signature verified.
        certpath: BasicChecker.updateState issuer: CN=ROOT_CA_SHA256, OU=Java, O=Org, L=City, ST=CA, C=US; subject: CN=INTER_CA_SHA1-ROOT_CA_SHA256, OU=Java, O=Org, L=City, ST=CA, C=US; serial#: 9557043154290660301
        certpath: -checker6 validation succeeded
        certpath: -Using checker7 ... [sun.security.provider.certpath.AlgorithmChecker]
        certpath: Constraints.permits(): SHA1withRSA Variant: tls server
        certpath: -checker7 validation succeeded
        certpath:
        cert1 validation succeeded.

        certpath: Checking cert2 - Subject: CN=END_ENTITY_SHA256-INTER_CA_SHA1-ROOT_CA_SHA256-PRIV, OU=Java, O=Org, L=City, ST=CA, C=US
        certpath: -Using checker1 ... [sun.security.provider.certpath.UntrustedChecker]
        certpath: -checker1 validation succeeded
        certpath: -Using checker2 ... [sun.security.provider.certpath.AlgorithmChecker]
        certpath: Constraints.permits(): SHA256withRSA Variant: tls server
        certpath: -checker2 validation succeeded
        certpath: -Using checker3 ... [sun.security.provider.certpath.KeyChecker]
        certpath: -checker3 validation succeeded
        certpath: -Using checker4 ... [sun.security.provider.certpath.ConstraintsChecker]
        certpath: ---checking basic constraints...
        certpath: i = 2, maxPathLength = 1
        certpath: after processing, maxPathLength = 1
        certpath: basic constraints verified.
        certpath: ---checking name constraints...
        certpath: prevNC = null, newNC = null
        certpath: mergedNC = null
        certpath: name constraints verified.
        certpath: -checker4 validation succeeded
        certpath: -Using checker5 ... [sun.security.provider.certpath.PolicyChecker]
        certpath: PolicyChecker.checkPolicy() ---checking certificate policies...
        certpath: PolicyChecker.checkPolicy() certIndex = 2
        certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: explicitPolicy = 2
        certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: policyMapping = 2
        certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: inhibitAnyPolicy = 2
        certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: policyTree = null
        certpath: PolicyChecker.processPolicies() no policies present in cert
        certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: explicitPolicy = 2
        certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: policyMapping = 2
        certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: inhibitAnyPolicy = 2
        certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: policyTree = null
        certpath: PolicyChecker.checkPolicy() certificate policies verified
        certpath: -checker5 validation succeeded
        certpath: -Using checker6 ... [sun.security.provider.certpath.BasicChecker]
        certpath: ---checking validity:Fri Oct 20 07:56:53 PDT 2017...
        certpath: validity verified.
        certpath: ---checking subject/issuer name chaining...
        certpath: subject/issuer name chaining verified.
        certpath: ---checking signature...
        certpath: signature verified.
        certpath: BasicChecker.updateState issuer: CN=INTER_CA_SHA1-ROOT_CA_SHA256, OU=Java, O=Org, L=City, ST=CA, C=US; subject: CN=END_ENTITY_SHA256-INTER_CA_SHA1-ROOT_CA_SHA256-PRIV, OU=Java, O=Org, L=City, ST=CA, C=US; serial#: 11454861092401349589
        certpath: -checker6 validation succeeded
        certpath: -Using checker7 ... [sun.security.provider.certpath.AlgorithmChecker]
        certpath: Constraints.permits(): SHA256withRSA Variant: tls server
        certpath: -checker7 validation succeeded
        certpath:
        cert2 validation succeeded.

        certpath: Cert path validation succeeded. (PKIX validation algorithm)
        certpath: --------------------------------------------------------------
        certpath: KeySizeConstraints.permits(): EC
        certpath: TrustAnchor is null, trustedMatch is false.
        certpath: Constraints.permits(): SHA1withRSA Variant: tls client
        certpath: Constraints.permits(): SHA256withRSA Variant: tls client
        Exception in thread "main" java.lang.RuntimeException: Client: failed.
        at JSSEClient.main(JSSEClient.java:63)
        Caused by: java.net.SocketException: Broken pipe (Write failed)
        at java.base/java.net.SocketOutputStream.socketWrite0(Native Method)
        at java.base/java.net.SocketOutputStream.socketWrite(SocketOutputStream.java:111)
        at java.base/java.net.SocketOutputStream.write(SocketOutputStream.java:155)
        at java.base/sun.security.ssl.SSLSocketOutputRecord.encodeChangeCipherSpec(SSLSocketOutputRecord.java:205)
        at java.base/sun.security.ssl.OutputRecord.changeWriteCiphers(OutputRecord.java:163)
        at java.base/sun.security.ssl.SSLSocketImpl.changeWriteCiphers(SSLSocketImpl.java:2114)
        at java.base/sun.security.ssl.Handshaker.sendChangeCipherSpec(Handshaker.java:1175)
        at java.base/sun.security.ssl.ClientHandshaker.sendChangeCipherAndFinish(ClientHandshaker.java:1356)
        at java.base/sun.security.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:1260)
        at java.base/sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:418)
        at java.base/sun.security.ssl.Handshaker.processLoop(Handshaker.java:1072)
        at java.base/sun.security.ssl.Handshaker.processRecord(Handshaker.java:1000)
        at java.base/sun.security.ssl.SSLSocketImpl.processInputRecord(SSLSocketImpl.java:1137)
        at java.base/sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1074)
        at java.base/sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:973)
        at java.base/sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1402)
        at java.base/sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:733)
        at java.base/sun.security.ssl.AppOutputStream.write(AppOutputStream.java:67)
        at java.base/sun.security.ssl.AppOutputStream.write(AppOutputStream.java:81)
        at JSSEClient.main(JSSEClient.java:58)

        ---------- Client output end ----------
        ----------System.err:(57/3203)----------
        certpath: Constraints: SSLv3
        certpath: Constraints: RC4
        certpath: Constraints: MD5withRSA
        certpath: Constraints: DH keySize < 1024
        certpath: Constraints set to keySize: keySize < 1024
        certpath: Constraints: EC keySize < 224
        certpath: Constraints set to keySize: keySize < 224
        certpath: Constraints: MD2
        certpath: Constraints: MD5
        certpath: Constraints: SHA1 jdkCA & usage TLSServer
        certpath: Constraints set to jdkCA.
        certpath: Constraints usage length is 1
        certpath: Constraints: RSA keySize < 1024
        certpath: Constraints set to keySize: keySize < 1024
        certpath: Constraints: DSA keySize < 1024
        certpath: Constraints set to keySize: keySize < 1024
        certpath: Constraints: EC keySize < 224
        certpath: Constraints set to keySize: keySize < 224
        certpath: Constraints: SHA1 usage TLSClient
        certpath: Constraints usage length is 1
        certpath: TrustAnchor is null, trustedMatch is false.
        certpath: Constraints.permits(): SHA1withRSA Variant: tls server
        certpath: Checking if usage constraint "tls client" matches "tls server"
        certpath: KeySizeConstraints.permits(): RSA
        certpath: Constraints.permits(): SHA256withRSA Variant: tls server
        certpath: KeySizeConstraints.permits(): RSA
        certpath: KeySizeConstraints.permits(): RSA
        certpath: TrustAnchor is null, trustedMatch is false.
        certpath: PKIXCertPathValidator.engineValidate()...
        certpath: X509CertSelector.match(SN: a3529d826fddc61d
          Issuer: CN=ROOT_CA_SHA256, OU=Java, O=Org, L=City, ST=CA, C=US
          Subject: CN=ROOT_CA_SHA256, OU=Java, O=Org, L=City, ST=CA, C=US)
        certpath: X509CertSelector.match returning: true
        certpath: YES - try this trustedCert
        certpath: anchor.getTrustedCert().getSubjectX500Principal() = CN=ROOT_CA_SHA256, OU=Java, O=Org, L=City, ST=CA, C=US
        certpath: --------------------------------------------------------------
        certpath: Executing PKIX certification path validation algorithm.
        certpath: Checking cert1 - Subject: CN=INTER_CA_SHA1-ROOT_CA_SHA256, OU=Java, O=Org, L=City, ST=CA, C=US
        certpath: -Using checker1 ... [sun.security.provider.certpath.UntrustedChecker]
        certpath: -checker1 validation succeeded
        certpath: -Using checker2 ... [sun.security.provider.certpath.AlgorithmChecker]
        certpath: Constraints.permits(): SHA1withRSA Variant: tls client
        certpath: Checking if usage constraint "tls client" matches "tls client"
        java.lang.RuntimeException: Failure with unexpected exception.
        at TLSRestrictions.testConstraint(TLSRestrictions.java:270)
        at TLSRestrictions.main(TLSRestrictions.java:483)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.base/java.lang.reflect.Method.invoke(Method.java:564)
        at com.sun.javatest.regtest.agent.MainWrapper$MainThread.run(MainWrapper.java:115)
        at java.base/java.lang.Thread.run(Thread.java:844)

        JavaTest Message: Test threw exception: java.lang.RuntimeException: Failure with unexpected exception.
        JavaTest Message: shutting down test

        STATUS:Failed.`main' threw exception: java.lang.RuntimeException: Failure with unexpected exception.

          Attachments

            Issue Links

              Activity

                People

                • Assignee:
                  jjiang John Jiang
                  Reporter:
                  jjiang John Jiang
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  4 Start watching this issue

                  Dates

                  • Created:
                    Updated:
                    Resolved: