JDK-7166570

JSSE certificate validation has started to fail for certificate chains


    • Type: Bug
    • Resolution: Fixed
    • Priority: P3
    • Fix Version: 8
    • Affects Versions: 6u18, 6u31
    • Component: security-libs
    • Resolved In Build: b40
    • CPU: x86
    • OS: windows_xp, windows_2008
    • Verification: Verified

        FULL PRODUCT VERSION :


        A DESCRIPTION OF THE PROBLEM :
        Recently the JSSE certificate validation has started to fail for certificate chains advertised by well-known sites, namely https://mail.yahoo.com and https://foursquare.com.
        Here is the exception stack trace:
        sun.security.validator.ValidatorException: Violated path length constraints
        at sun.security.validator.SimpleValidator.checkBasicConstraints(SimpleValidator.java:262)
        at sun.security.validator.SimpleValidator.checkExtensions(SimpleValidator.java:169)
        at sun.security.validator.SimpleValidator.engineValidate(SimpleValidator.java:154)
        at sun.security.validator.Validator.validate(Validator.java:218)
        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)

        I've inspected the certificate chains, and in all cases, the basic constraint has a valid value.
        Is there a known bug in JSSE that does not handle basic constraint properly?

        I've reviewed the online version of the source code for SimpleValidator (http://www.java2s.com/Open-Source/Java-Document/6.0-JDK-Modules-sun/security/sun/security/validator/SimpleValidator.java.htm); however, that version does not seem to be consistent with the latest JRE 6 update (30).

        The validation error can be consistently reproduced with the following code snippet:

        <code>
        import java.security.KeyStore;
        import java.security.cert.X509Certificate;
        import javax.net.ssl.TrustManager;
        import javax.net.ssl.TrustManagerFactory;
        import javax.net.ssl.X509TrustManager;

        X509Certificate[] chain = ... ; // server certificate chain
        String authType = ...; // the authentication type used by the certificate chain
        // The attached example uses "RSA"

        // A null KeyStore makes the factory fall back to the default trust store (cacerts)
        TrustManagerFactory tmf = TrustManagerFactory.getInstance( "SunX509", "SunJSSE" );
        tmf.init( (KeyStore) null );
        TrustManager[] tms = tmf.getTrustManagers();
        for( TrustManager tm : tms ) {
            if( tm instanceof X509TrustManager ) {
                // throws CertificateException (here a ValidatorException) when the chain is rejected
                ( (X509TrustManager) tm ).checkServerTrusted( chain, authType );
            }
        }
        </code>


        For convenience, I'm including the PEM certificate chain that failed verification and the code to load that chain into JSSE:

        =============================================

        <code>
        import java.io.File;
        import java.io.FileInputStream;
        import java.io.InputStream;
        import java.security.cert.Certificate;
        import java.security.cert.CertificateFactory;
        import java.security.cert.X509Certificate;
        import java.util.Collection;

        String certFilePath = ... ; // a path to a PEM encoded certificate chain

        // generateCertificates() reads every PEM block in the stream, in file order
        InputStream fis = new FileInputStream( new File( certFilePath ) );
        CertificateFactory cf = CertificateFactory.getInstance( "X.509" );
        Collection< ? extends Certificate > certChain = cf.generateCertificates( fis );
        fis.close();

        // copy into the array form checkServerTrusted() expects: server certificate first, anchor last
        X509Certificate[] chain = new X509Certificate[ certChain.size() ];
        int i = 0;
        for( Certificate cert : certChain ) {
            chain[ i++ ] = (X509Certificate) cert;
        }
        </code>

        ============================
        Certificate chain from https://mail.yahoo.com
        ============================





        STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
        The validation error can be consistently reproduced with the code snippet given in the description above.


        REPRODUCIBILITY :
        This bug can be reproduced always.

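The reported chain is valid under RFC 5280, and the following added example (not from the report or the JDK) applies the path-length rules to a model of it so the accounting is visible. The cA, pathLenConstraint and self-issued values are those carried by the four certificates of the attached mail.yahoo.com chain; the `Sub-CA` certificate in the failing case is constructed.

```python
# Added example: RFC 5280 path-length accounting applied to a model of the chain in this report.
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class CertInfo:
    name: str
    ca: bool                        # basicConstraints cA (False also when the extension is absent)
    path_len: Optional[int] = None  # basicConstraints pathLenConstraint, None if absent
    self_issued: bool = False       # subject name equals issuer name

def check_path_length(chain: List[CertInfo]) -> int:
    """chain[0] is the server certificate, chain[-1] the trust anchor.
    RFC 5280 6.1.2 / 6.1.4 (k)-(m): the anchor is trusted, not validated; each
    non-self-issued intermediate CA consumes one unit of max_path_length; the
    end-entity certificate is never counted.  Raises ValueError on violation."""
    if len(chain) < 2:
        raise ValueError("chain must contain at least a server certificate and an anchor")
    max_path_length = len(chain) - 1              # n = certificates below the anchor
    for cert in reversed(chain[1:-1]):            # intermediates, anchor side first
        if not cert.ca:
            raise ValueError(f"{cert.name}: intermediate is not a CA")
        if not cert.self_issued:
            if max_path_length <= 0:
                raise ValueError(f"{cert.name}: Violated path length constraints")
            max_path_length -= 1
        if cert.path_len is not None and cert.path_len < max_path_length:
            max_path_length = cert.path_len
    return max_path_length

def path_length_error(chain: List[CertInfo]) -> Optional[str]:
    # Convenience wrapper: the violation message, or None when the chain passes.
    try:
        check_path_length(chain)
        return None
    except ValueError as e:
        return str(e)

# Model of the mail.yahoo.com chain attached to the report (server certificate first).
YAHOO_CHAIN = [
    CertInfo("login.yahoo.com", ca=False),
    CertInfo("DigiCert High Assurance CA-3", ca=True),
    CertInfo("DigiCert High Assurance EV Root CA (cross-signed)", ca=True, path_len=1),
    CertInfo("GTE CyberTrust Global Root", ca=True, self_issued=True),
]
# Constructed negative case: one more issuing CA under CA-3 exceeds the pathLenConstraint of 1.
TOO_DEEP_CHAIN = YAHOO_CHAIN[:1] + [CertInfo("Sub-CA", ca=True)] + YAHOO_CHAIN[1:]
```

The `SunX509` algorithm used in the report's snippet selects `SimpleValidator`, the class named in the stack trace; the `PKIX` algorithm runs the full RFC 5280 CertPath validator instead.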

              Assignee: Xuelei Fan
              Reporter: Webbug Group