JDK-6899503

Security code issue using Verisign root certificate

Details

    • b07
    • x86
    • linux

      Description

        This bug reproduces on Linux (with 6u17 and 5u22), with the attached testcase (TestHttps.java). In order to reproduce this
        problem, simply add the attached vercert.cer to the cacerts for the JRE you are using, as follows:

        keytool -import -file vercert.cer -keystore cacerts

        The default keystore password is changeit. Then simply run the attached testcase.

        Running the test case will result in:

        javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: basic constraints check failed: pathLenConstraint violated - this cert must be the last cert in the certification path
               at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
               at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1592)
               at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:187)
               at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:181)
               at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1044)
               at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:127)
               at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
               at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454)
               at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
               at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1096)
               at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1123)
               at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1107)
               at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:415)
               at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
               at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1049)
               at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)
               at TestHttps.main(TestHttps.java:18)
        Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: basic constraints check failed: pathLenConstraint violated - this cert must be the last cert in the certification path
               at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:251)
               at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:234)
               at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:158)
               at sun.security.validator.Validator.validate(Validator.java:218)
               at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
               at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
               at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
               at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1023)
               ... 12 more
        Caused by: java.security.cert.CertPathValidatorException: basic constraints check failed: pathLenConstraint violated - this cert must be the last cert in the certification path
               at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:139)
               at sun.security.provider.certpath.PKIXCertPathValidator.doValidate(PKIXCertPathValidator.java:328)
               at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:178)
               at java.security.cert.CertPathValidator.validate(CertPathValidator.java:250)
               at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:246)


        If we remove this cert from the Java keystore, then validation succeeds and everything works fine.

              People

                asaha Abhijit Saha
                mbykov Misha Bykov (Inactive)