-
Bug
-
Resolution: Fixed
-
P3
-
6u18, 6u31
-
b40
-
x86
-
windows_xp, windows_2008
-
Verified
Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
---|---|---|---|---|---|---|
JDK-2224247 | 7u6 | Xuelei Fan | P3 | Closed | Fixed | b12 |
JDK-2224306 | 6u34 | Sean Coffey | P3 | Closed | Fixed | b03 |
JDK-2224305 | OpenJDK6 | Sean Coffey | P3 | Closed | Cannot Reproduce |
FULL PRODUCT VERSION :
A DESCRIPTION OF THE PROBLEM :
Recently the JSSE certificate validation has started to fail for certificate chains advertised by well known sites, namely https://mail.yahoo.com and https://foursquare.com.
Here is the exception stack trace:
sun.security.validator.ValidatorException: Violated path length constraints
at sun.security.validator.SimpleValidator.checkBasicConstraints(SimpleValidator.java:262)
at sun.security.validator.SimpleValidator.checkExtensions(SimpleValidator.java:169)
at sun.security.validator.SimpleValidator.engineValidate(SimpleValidator.java:154)
at sun.security.validator.Validator.validate(Validator.java:218)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
I've inspected the certificate chains, and in all cases, the basic constraint has a valid value.
Is there a known bug in JSSE that does not handle basic constraint properly?
I've reviewed the online version of source code for [SimpleValidator|http://www.java2s.com/Open-Source/Java-Document/6.0-JDK-Modules-sun/security/sun/security/validator/SimpleValidator.java.htm] however that version seems to be not consistent with latest JRE 6 update (30).
The validation error can be consistently reproduced with the following code snippet:
<code>
X509Certificate[] chain = ... ; // server certificate chain
String authType = ...; // the authentication type used by certificate chain
// The attached example uses "RSA"
TrustManagerFactory tmf = TrustManagerFactory.getInstance( "SunX509", "SunJSSE" );
tmf.init( (KeyStore) null );
TrustManager[] tms = tmf.getTrustManagers();
for( TrustManager tm : tms ) {
if( tm instanceof X509TrustManager ) {
( (X509TrustManager) tm ).checkServerTrusted( chain, authType );
}
</code>
For convenience, I'm including the PEM certificate chain that failed verification and the code to load that chain into JSSE:
=============================================
<code>
String certFilePath = ... ; // a path to a PEM encoded certificate chain
InputStream fis = new FileInputStream( new File( certFilePath ) );
CertificateFactory cf = CertificateFactory.getInstance( "X.509" );
Collection< ? extends Certificate > certChain = cf.generateCertificates( fis );
X509Certificate[] chain = new X509Certificate[ certChain.size() ];
int i = 0;
for( Certificate cert : certChain ) {
chain[ i++ ] = (X509Certificate) cert;
}
</code>
============================
Certificate chain from https://mail.yahoo.com
============================
<file>
-----BEGIN CERTIFICATE-----
MIIGOzCCBSOgAwIBAgIQD1hJQVLDNUtt6+cgnnJuZzANBgkqhkiG9w0BAQUFADBm
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMSUwIwYDVQQDExxEaWdpQ2VydCBIaWdoIEFzc3VyYW5j
ZSBDQS0zMB4XDTEwMTIyMTAwMDAwMFoXDTEzMDEwMzIzNTk1OVowXjELMAkGA1UE
BhMCVVMxCzAJBgNVBAgTAkNBMRIwEAYDVQQHEwlTdW5ueXZhbGUxFDASBgNVBAoU
C1lhaG9vISBJbmMuMRgwFgYDVQQDEw9sb2dpbi55YWhvby5jb20wgZ8wDQYJKoZI
hvcNAQEBBQADgY0AMIGJAoGBALTxKoODwdPNbM4FrhBYCsIJVm/EtiqQxgHZFBcR
FR8jAKUTXG2rMlkgiAoDp5duez+omwAoULLt9UlRVe6NqBuDxjDcniUeMYyudwzi
ua5EzZGKFryr8kyfhrKz15V4HwDBI1weDHmLDSwuU2jKpUTR1b2jid3o/B95Fd1Z
aUTZAgMBAAGjggNvMIIDazAfBgNVHSMEGDAWgBRQ6nOJ2yn7EI+e5QEg1N55mUiD
9zAdBgNVHQ4EFgQUZwtdzLsVHOGRRhaepLJCXmrYCWMwPgYDVR0RBDcwNYIPbG9n
aW4ueWFob28uY29tgg5tYWlsLnlhaG9vLmNvbYISb3ZpLm1haWwueWFob28uY29t
MHsGCCsGAQUFBwEBBG8wbTAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuZGlnaWNl
cnQuY29tMEUGCCsGAQUFBzAChjlodHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5jb20v
RGlnaUNlcnRIaWdoQXNzdXJhbmNlQ0EtMy5jcnQwDgYDVR0PAQH/BAQDAgWgMAwG
A1UdEwEB/wQCMAAwZQYDVR0fBF4wXDAsoCqgKIYmaHR0cDovL2NybDMuZGlnaWNl
cnQuY29tL2NhMy0yMDEwaS5jcmwwLKAqoCiGJmh0dHA6Ly9jcmw0LmRpZ2ljZXJ0
LmNvbS9jYTMtMjAxMGkuY3JsMIIBxgYDVR0gBIIBvTCCAbkwggG1BgtghkgBhv1s
AQMAATCCAaQwOgYIKwYBBQUHAgEWLmh0dHA6Ly93d3cuZGlnaWNlcnQuY29tL3Nz
bC1jcHMtcmVwb3NpdG9yeS5odG0wggFkBggrBgEFBQcCAjCCAVYeggFSAEEAbgB5
ACAAdQBzAGUAIABvAGYAIAB0AGgAaQBzACAAQwBlAHIAdABpAGYAaQBjAGEAdABl
ACAAYwBvAG4AcwB0AGkAdAB1AHQAZQBzACAAYQBjAGMAZQBwAHQAYQBuAGMAZQAg
AG8AZgAgAHQAaABlACAARABpAGcAaQBDAGUAcgB0ACAAQwBQAC8AQwBQAFMAIABh
AG4AZAAgAHQAaABlACAAUgBlAGwAeQBpAG4AZwAgAFAAYQByAHQAeQAgAEEAZwBy
AGUAZQBtAGUAbgB0ACAAdwBoAGkAYwBoACAAbABpAG0AaQB0ACAAbABpAGEAYgBp
AGwAaQB0AHkAIABhAG4AZAAgAGEAcgBlACAAaQBuAGMAbwByAHAAbwByAGEAdABl
AGQAIABoAGUAcgBlAGkAbgAgAGIAeQAgAHIAZQBmAGUAcgBlAG4AYwBlAC4wHQYD
VR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA0GCSqGSIb3DQEBBQUAA4IBAQBa
Ykl7g9l5hQQzV7XtIdpuNZrTLlJ5y1JUg/GmEbZ7b1kHhBErnibJ3VxgUxA1WUoC
SowYMxCv6E3no+AVe/dJsT3uORihPYyBYM1ST1cto3W/LN2oFCmVQ+PPO7Xje9NE
ZzcHOGHKIBDpA+mggT/Rypntbp9gZX3vuZ51ewxWmfm6w+s17G8kC8gVEyaxtTtV
EEJJquWwLQm5IonuGzMfT93ajAY04aNrJSUg4tzwlsBM6opebNP51jvr2xwecV22
YFFWlT2IK/Hgt5sShRLF87RfM/gfjSCi8g3a0p3CbXeBigaypv/MEGUkcWkfGxwn
fPjh72mmPGC70nR7ikji
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIGVTCCBT2gAwIBAgIQCFH5WYFBRcq94CTiEsnCDjANBgkqhkiG9w0BAQUFADBs
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMSswKQYDVQQDEyJEaWdpQ2VydCBIaWdoIEFzc3VyYW5j
ZSBFViBSb290IENBMB4XDTA3MDQwMzAwMDAwMFoXDTIyMDQwMzAwMDAwMFowZjEL
MAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZMBcGA1UECxMQd3d3
LmRpZ2ljZXJ0LmNvbTElMCMGA1UEAxMcRGlnaUNlcnQgSGlnaCBBc3N1cmFuY2Ug
Q0EtMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL9hCikQH17+NDdR
CPge+yLtYb4LDXBMUGMmdRW5QYiXtvCgFbsIYOBC6AUpEIc2iihlqO8xB3RtNpcv
KEZmBMcqeSZ6mdWOw21PoF6tvD2Rwll7XjZswFPPAAgyPhBkWBATaccM7pxCUQD5
BUTuJM56H+2MEb0SqPMV9Bx6MWkBG6fmXcCabH4JnudSREoQOiPkm7YDr6ictFuf
1EutkozOtREqqjcYjbTCuNhcBoz4/yO9NV7UfD5+gw6RlgWYw7If48hl66l7XaAs
zPw82W3tzPpLQ4zJ1LilYRyyQLYoEt+5+F/+07LJ7z20Hkt8HEyZNp496+ynaF4d
32duXvsCAwEAAaOCAvcwggLzMA4GA1UdDwEB/wQEAwIBhjCCAcYGA1UdIASCAb0w
ggG5MIIBtQYLYIZIAYb9bAEDAAIwggGkMDoGCCsGAQUFBwIBFi5odHRwOi8vd3d3
LmRpZ2ljZXJ0LmNvbS9zc2wtY3BzLXJlcG9zaXRvcnkuaHRtMIIBZAYIKwYBBQUH
AgIwggFWHoIBUgBBAG4AeQAgAHUAcwBlACAAbwBmACAAdABoAGkAcwAgAEMAZQBy
AHQAaQBmAGkAYwBhAHQAZQAgAGMAbwBuAHMAdABpAHQAdQB0AGUAcwAgAGEAYwBj
AGUAcAB0AGEAbgBjAGUAIABvAGYAIAB0AGgAZQAgAEQAaQBnAGkAQwBlAHIAdAAg
AEMAUAAvAEMAUABTACAAYQBuAGQAIAB0AGgAZQAgAFIAZQBsAHkAaQBuAGcAIABQ
AGEAcgB0AHkAIABBAGcAcgBlAGUAbQBlAG4AdAAgAHcAaABpAGMAaAAgAGwAaQBt
AGkAdAAgAGwAaQBhAGIAaQBsAGkAdAB5ACAAYQBuAGQAIABhAHIAZQAgAGkAbgBj
AG8AcgBwAG8AcgBhAHQAZQBkACAAaABlAHIAZQBpAG4AIABiAHkAIAByAGUAZgBl
AHIAZQBuAGMAZQAuMA8GA1UdEwEB/wQFMAMBAf8wNAYIKwYBBQUHAQEEKDAmMCQG
CCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wgY8GA1UdHwSBhzCB
hDBAoD6gPIY6aHR0cDovL2NybDMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0SGlnaEFz
c3VyYW5jZUVWUm9vdENBLmNybDBAoD6gPIY6aHR0cDovL2NybDQuZGlnaWNlcnQu
Y29tL0RpZ2lDZXJ0SGlnaEFzc3VyYW5jZUVWUm9vdENBLmNybDAfBgNVHSMEGDAW
gBSxPsNpA/i/RwHUmCYaCALvY2QrwzAdBgNVHQ4EFgQUUOpzidsp+xCPnuUBINTe
eZlIg/cwDQYJKoZIhvcNAQEFBQADggEBAF1PhPGoiNOjsrycbeUpSXfh59bcqdg1
rslx3OXb3J0kIZCmz7cBHJvUV5eR13UWpRLXuT0uiT05aYrWNTf58SHEW0CtWakv
XzoAKUMncQPkvTAyVab+hA4LmzgZLEN8rEO/dTHlIxxFVbdpCJG1z9fVsV7un5Tk
1nq5GMO41lJjHBC6iy9tXcwFOPRWBW3vnuzoYTYMFEuFFFoMg08iXFnLjIpx2vrF
EIRYzwfu45DC9fkpx1ojcflZtGQriLCnNseaIGHr+k61rmsb5OPs4tk8QUmoIKRU
9ZKNu8BVIASm2LAXFszj0Mi0PeXZhMbT9m5teMl5Q+h6N/9cNUm/ocU=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIETzCCA7igAwIBAgIEBydYPTANBgkqhkiG9w0BAQUFADB1MQswCQYDVQQGEwJV
UzEYMBYGA1UEChMPR1RFIENvcnBvcmF0aW9uMScwJQYDVQQLEx5HVEUgQ3liZXJU
cnVzdCBTb2x1dGlvbnMsIEluYy4xIzAhBgNVBAMTGkdURSBDeWJlclRydXN0IEds
b2JhbCBSb290MB4XDTEwMDExMzE5MjAzMloXDTE1MDkzMDE4MTk0N1owbDELMAkG
A1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZMBcGA1UECxMQd3d3LmRp
Z2ljZXJ0LmNvbTErMCkGA1UEAxMiRGlnaUNlcnQgSGlnaCBBc3N1cmFuY2UgRVYg
Um9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMbM5XPm+9S7
5S0tMqbf5YE/yc0lSbZxKsPVlDRnogocsF9ppkCxxLeyj9CYpKlBWTrT3JTWPNt0
OKRKzE0lgvdKpVMSOO7zSW1xkX5jtqumX8OkhPhPYlG++MXs2ziS4wblCJEMxChB
VfvLWokVfnHoNb9Ncgk9vjo4UFt3MRuNs8ckRZqnrG0AFFoEt7oT61EKmEFBIk5l
YYeBQVCmeVyJ3hlKV9Uu5l0cUyx+mM0aBhakaHPQNAQTXKFx01p8VdteZOE3hzBW
BOURtCmAEvF5OYiiAhF8J2a3iLd48soKqDirCmTCv2ZdlYTBoSUeh10aUAsgEsxB
u24LUTi4S8sCAwEAAaOCAW8wggFrMBIGA1UdEwEB/wQIMAYBAf8CAQEwUwYDVR0g
BEwwSjBIBgkrBgEEAbE+AQAwOzA5BggrBgEFBQcCARYtaHR0cDovL2N5YmVydHJ1
c3Qub21uaXJvb3QuY29tL3JlcG9zaXRvcnkuY2ZtMA4GA1UdDwEB/wQEAwIBBjCB
iQYDVR0jBIGBMH+heaR3MHUxCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9HVEUgQ29y
cG9yYXRpb24xJzAlBgNVBAsTHkdURSBDeWJlclRydXN0IFNvbHV0aW9ucywgSW5j
LjEjMCEGA1UEAxMaR1RFIEN5YmVyVHJ1c3QgR2xvYmFsIFJvb3SCAgGlMEUGA1Ud
HwQ+MDwwOqA4oDaGNGh0dHA6Ly93d3cucHVibGljLXRydXN0LmNvbS9jZ2ktYmlu
L0NSTC8yMDE4L2NkcC5jcmwwHQYDVR0OBBYEFLE+w2kD+L9HAdSYJhoIAu9jZCvD
MA0GCSqGSIb3DQEBBQUAA4GBAC52hdk3lm2vifMGeIIxxEYHH2XJjrPJVHjm0ULf
dS4eVer3+psEwHV70Xk8Bex5xFLdpgPXp1CZPwVZ2sZV9IacDWejSQSVMh3Hh+yF
r2Ru1cVfCadAfRa6SQ2i/fbfVTBs13jGuc9YKWQWTKMggUexRJKEFhtvSrwhxgo9
7TPK
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIICWjCCAcMCAgGlMA0GCSqGSIb3DQEBBAUAMHUxCzAJBgNVBAYTAlVTMRgwFgYD
VQQKEw9HVEUgQ29ycG9yYXRpb24xJzAlBgNVBAsTHkdURSBDeWJlclRydXN0IFNv
bHV0aW9ucywgSW5jLjEjMCEGA1UEAxMaR1RFIEN5YmVyVHJ1c3QgR2xvYmFsIFJv
b3QwHhcNOTgwODEzMDAyOTAwWhcNMTgwODEzMjM1OTAwWjB1MQswCQYDVQQGEwJV
UzEYMBYGA1UEChMPR1RFIENvcnBvcmF0aW9uMScwJQYDVQQLEx5HVEUgQ3liZXJU
cnVzdCBTb2x1dGlvbnMsIEluYy4xIzAhBgNVBAMTGkdURSBDeWJlclRydXN0IEds
b2JhbCBSb290MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCVD6C28FCc6HrH
iM3dFw4usJTQGz0O9pTAipTHBsiQl8i4ZBp6fmw8U+E3KHNgf7KXUwefU/ltWJTS
r41tiGeA5u2ylc9yMcqlHHK6XALnZELn+aks1joNrI1CqiQBOeacPwGFVw1Yh0X4
04Wqk2kmhXBIgD8SFcd5tB8FLztimQIDAQABMA0GCSqGSIb3DQEBBAUAA4GBAG3r
GwnpXtlR22ciYaQqPEh346B8pt5zohQDhT37qw4wxYMWM4ETCJ57NE7fQMh017l9
3PR2VX2bY1QY6fDq81yx2YtCHrnAlU66+tXifPVoYb+O7AWXX1uw16OFNMQkpw0P
lZPvy5TYnh+dXIVtx6quTx8itc2VrbqnzPmrC3p/
-----END CERTIFICATE-----
</file>
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
The validation error can be consistently reproduced with the following code snippet:
<code>
X509Certificate[] chain = ... ; // server certificate chain
String authType = ...; // the authentication type used by certificate chain
// The attached example uses "RSA"
TrustManagerFactory tmf = TrustManagerFactory.getInstance( "SunX509", "SunJSSE" );
tmf.init( (KeyStore) null );
TrustManager[] tms = tmf.getTrustManagers();
for( TrustManager tm : tms ) {
if( tm instanceof X509TrustManager ) {
( (X509TrustManager) tm ).checkServerTrusted( chain, authType );
}
</code>
REPRODUCIBILITY :
This bug can be reproduced always.
---------- BEGIN SOURCE ----------
The validation error can be consistently reproduced with the following code snippet:
<code>
X509Certificate[] chain = ... ; // server certificate chain
String authType = ...; // the authentication type used by certificate chain
// The attached example uses "RSA"
TrustManagerFactory tmf = TrustManagerFactory.getInstance( "SunX509", "SunJSSE" );
tmf.init( (KeyStore) null );
TrustManager[] tms = tmf.getTrustManagers();
for( TrustManager tm : tms ) {
if( tm instanceof X509TrustManager ) {
( (X509TrustManager) tm ).checkServerTrusted( chain, authType );
}
</code>
---------- END SOURCE ----------
A DESCRIPTION OF THE PROBLEM :
Recently the JSSE certificate validation has started to fail for certificate chains advertised by well known sites, namely https://mail.yahoo.com and https://foursquare.com.
Here is the exception stack trace:
sun.security.validator.ValidatorException: Violated path length constraints
at sun.security.validator.SimpleValidator.checkBasicConstraints(SimpleValidator.java:262)
at sun.security.validator.SimpleValidator.checkExtensions(SimpleValidator.java:169)
at sun.security.validator.SimpleValidator.engineValidate(SimpleValidator.java:154)
at sun.security.validator.Validator.validate(Validator.java:218)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
I've inspected the certificate chains, and in all cases, the basic constraint has a valid value.
Is there a known bug in JSSE that does not handle basic constraint properly?
I've reviewed the online version of source code for [SimpleValidator|http://www.java2s.com/Open-Source/Java-Document/6.0-JDK-Modules-sun/security/sun/security/validator/SimpleValidator.java.htm] however that version seems to be not consistent with latest JRE 6 update (30).
The validation error can be consistently reproduced with the following code snippet:
<code>
X509Certificate[] chain = ... ; // server certificate chain
String authType = ...; // the authentication type used by certificate chain
// The attached example uses "RSA"
TrustManagerFactory tmf = TrustManagerFactory.getInstance( "SunX509", "SunJSSE" );
tmf.init( (KeyStore) null );
TrustManager[] tms = tmf.getTrustManagers();
for( TrustManager tm : tms ) {
if( tm instanceof X509TrustManager ) {
( (X509TrustManager) tm ).checkServerTrusted( chain, authType );
}
</code>
For convenience, I'm including the PEM certificate chain that failed verification and the code to load that chain into JSSE:
=============================================
<code>
String certFilePath = ... ; // a path to a PEM encoded certificate chain
InputStream fis = new FileInputStream( new File( certFilePath ) );
CertificateFactory cf = CertificateFactory.getInstance( "X.509" );
Collection< ? extends Certificate > certChain = cf.generateCertificates( fis );
X509Certificate[] chain = new X509Certificate[ certChain.size() ];
int i = 0;
for( Certificate cert : certChain ) {
chain[ i++ ] = (X509Certificate) cert;
}
</code>
============================
Certificate chain from https://mail.yahoo.com
============================
<file>
-----BEGIN CERTIFICATE-----
MIIGOzCCBSOgAwIBAgIQD1hJQVLDNUtt6+cgnnJuZzANBgkqhkiG9w0BAQUFADBm
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMSUwIwYDVQQDExxEaWdpQ2VydCBIaWdoIEFzc3VyYW5j
ZSBDQS0zMB4XDTEwMTIyMTAwMDAwMFoXDTEzMDEwMzIzNTk1OVowXjELMAkGA1UE
BhMCVVMxCzAJBgNVBAgTAkNBMRIwEAYDVQQHEwlTdW5ueXZhbGUxFDASBgNVBAoU
C1lhaG9vISBJbmMuMRgwFgYDVQQDEw9sb2dpbi55YWhvby5jb20wgZ8wDQYJKoZI
hvcNAQEBBQADgY0AMIGJAoGBALTxKoODwdPNbM4FrhBYCsIJVm/EtiqQxgHZFBcR
FR8jAKUTXG2rMlkgiAoDp5duez+omwAoULLt9UlRVe6NqBuDxjDcniUeMYyudwzi
ua5EzZGKFryr8kyfhrKz15V4HwDBI1weDHmLDSwuU2jKpUTR1b2jid3o/B95Fd1Z
aUTZAgMBAAGjggNvMIIDazAfBgNVHSMEGDAWgBRQ6nOJ2yn7EI+e5QEg1N55mUiD
9zAdBgNVHQ4EFgQUZwtdzLsVHOGRRhaepLJCXmrYCWMwPgYDVR0RBDcwNYIPbG9n
aW4ueWFob28uY29tgg5tYWlsLnlhaG9vLmNvbYISb3ZpLm1haWwueWFob28uY29t
MHsGCCsGAQUFBwEBBG8wbTAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuZGlnaWNl
cnQuY29tMEUGCCsGAQUFBzAChjlodHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5jb20v
RGlnaUNlcnRIaWdoQXNzdXJhbmNlQ0EtMy5jcnQwDgYDVR0PAQH/BAQDAgWgMAwG
A1UdEwEB/wQCMAAwZQYDVR0fBF4wXDAsoCqgKIYmaHR0cDovL2NybDMuZGlnaWNl
cnQuY29tL2NhMy0yMDEwaS5jcmwwLKAqoCiGJmh0dHA6Ly9jcmw0LmRpZ2ljZXJ0
LmNvbS9jYTMtMjAxMGkuY3JsMIIBxgYDVR0gBIIBvTCCAbkwggG1BgtghkgBhv1s
AQMAATCCAaQwOgYIKwYBBQUHAgEWLmh0dHA6Ly93d3cuZGlnaWNlcnQuY29tL3Nz
bC1jcHMtcmVwb3NpdG9yeS5odG0wggFkBggrBgEFBQcCAjCCAVYeggFSAEEAbgB5
ACAAdQBzAGUAIABvAGYAIAB0AGgAaQBzACAAQwBlAHIAdABpAGYAaQBjAGEAdABl
ACAAYwBvAG4AcwB0AGkAdAB1AHQAZQBzACAAYQBjAGMAZQBwAHQAYQBuAGMAZQAg
AG8AZgAgAHQAaABlACAARABpAGcAaQBDAGUAcgB0ACAAQwBQAC8AQwBQAFMAIABh
AG4AZAAgAHQAaABlACAAUgBlAGwAeQBpAG4AZwAgAFAAYQByAHQAeQAgAEEAZwBy
AGUAZQBtAGUAbgB0ACAAdwBoAGkAYwBoACAAbABpAG0AaQB0ACAAbABpAGEAYgBp
AGwAaQB0AHkAIABhAG4AZAAgAGEAcgBlACAAaQBuAGMAbwByAHAAbwByAGEAdABl
AGQAIABoAGUAcgBlAGkAbgAgAGIAeQAgAHIAZQBmAGUAcgBlAG4AYwBlAC4wHQYD
VR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA0GCSqGSIb3DQEBBQUAA4IBAQBa
Ykl7g9l5hQQzV7XtIdpuNZrTLlJ5y1JUg/GmEbZ7b1kHhBErnibJ3VxgUxA1WUoC
SowYMxCv6E3no+AVe/dJsT3uORihPYyBYM1ST1cto3W/LN2oFCmVQ+PPO7Xje9NE
ZzcHOGHKIBDpA+mggT/Rypntbp9gZX3vuZ51ewxWmfm6w+s17G8kC8gVEyaxtTtV
EEJJquWwLQm5IonuGzMfT93ajAY04aNrJSUg4tzwlsBM6opebNP51jvr2xwecV22
YFFWlT2IK/Hgt5sShRLF87RfM/gfjSCi8g3a0p3CbXeBigaypv/MEGUkcWkfGxwn
fPjh72mmPGC70nR7ikji
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIGVTCCBT2gAwIBAgIQCFH5WYFBRcq94CTiEsnCDjANBgkqhkiG9w0BAQUFADBs
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMSswKQYDVQQDEyJEaWdpQ2VydCBIaWdoIEFzc3VyYW5j
ZSBFViBSb290IENBMB4XDTA3MDQwMzAwMDAwMFoXDTIyMDQwMzAwMDAwMFowZjEL
MAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZMBcGA1UECxMQd3d3
LmRpZ2ljZXJ0LmNvbTElMCMGA1UEAxMcRGlnaUNlcnQgSGlnaCBBc3N1cmFuY2Ug
Q0EtMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL9hCikQH17+NDdR
CPge+yLtYb4LDXBMUGMmdRW5QYiXtvCgFbsIYOBC6AUpEIc2iihlqO8xB3RtNpcv
KEZmBMcqeSZ6mdWOw21PoF6tvD2Rwll7XjZswFPPAAgyPhBkWBATaccM7pxCUQD5
BUTuJM56H+2MEb0SqPMV9Bx6MWkBG6fmXcCabH4JnudSREoQOiPkm7YDr6ictFuf
1EutkozOtREqqjcYjbTCuNhcBoz4/yO9NV7UfD5+gw6RlgWYw7If48hl66l7XaAs
zPw82W3tzPpLQ4zJ1LilYRyyQLYoEt+5+F/+07LJ7z20Hkt8HEyZNp496+ynaF4d
32duXvsCAwEAAaOCAvcwggLzMA4GA1UdDwEB/wQEAwIBhjCCAcYGA1UdIASCAb0w
ggG5MIIBtQYLYIZIAYb9bAEDAAIwggGkMDoGCCsGAQUFBwIBFi5odHRwOi8vd3d3
LmRpZ2ljZXJ0LmNvbS9zc2wtY3BzLXJlcG9zaXRvcnkuaHRtMIIBZAYIKwYBBQUH
AgIwggFWHoIBUgBBAG4AeQAgAHUAcwBlACAAbwBmACAAdABoAGkAcwAgAEMAZQBy
AHQAaQBmAGkAYwBhAHQAZQAgAGMAbwBuAHMAdABpAHQAdQB0AGUAcwAgAGEAYwBj
AGUAcAB0AGEAbgBjAGUAIABvAGYAIAB0AGgAZQAgAEQAaQBnAGkAQwBlAHIAdAAg
AEMAUAAvAEMAUABTACAAYQBuAGQAIAB0AGgAZQAgAFIAZQBsAHkAaQBuAGcAIABQ
AGEAcgB0AHkAIABBAGcAcgBlAGUAbQBlAG4AdAAgAHcAaABpAGMAaAAgAGwAaQBt
AGkAdAAgAGwAaQBhAGIAaQBsAGkAdAB5ACAAYQBuAGQAIABhAHIAZQAgAGkAbgBj
AG8AcgBwAG8AcgBhAHQAZQBkACAAaABlAHIAZQBpAG4AIABiAHkAIAByAGUAZgBl
AHIAZQBuAGMAZQAuMA8GA1UdEwEB/wQFMAMBAf8wNAYIKwYBBQUHAQEEKDAmMCQG
CCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wgY8GA1UdHwSBhzCB
hDBAoD6gPIY6aHR0cDovL2NybDMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0SGlnaEFz
c3VyYW5jZUVWUm9vdENBLmNybDBAoD6gPIY6aHR0cDovL2NybDQuZGlnaWNlcnQu
Y29tL0RpZ2lDZXJ0SGlnaEFzc3VyYW5jZUVWUm9vdENBLmNybDAfBgNVHSMEGDAW
gBSxPsNpA/i/RwHUmCYaCALvY2QrwzAdBgNVHQ4EFgQUUOpzidsp+xCPnuUBINTe
eZlIg/cwDQYJKoZIhvcNAQEFBQADggEBAF1PhPGoiNOjsrycbeUpSXfh59bcqdg1
rslx3OXb3J0kIZCmz7cBHJvUV5eR13UWpRLXuT0uiT05aYrWNTf58SHEW0CtWakv
XzoAKUMncQPkvTAyVab+hA4LmzgZLEN8rEO/dTHlIxxFVbdpCJG1z9fVsV7un5Tk
1nq5GMO41lJjHBC6iy9tXcwFOPRWBW3vnuzoYTYMFEuFFFoMg08iXFnLjIpx2vrF
EIRYzwfu45DC9fkpx1ojcflZtGQriLCnNseaIGHr+k61rmsb5OPs4tk8QUmoIKRU
9ZKNu8BVIASm2LAXFszj0Mi0PeXZhMbT9m5teMl5Q+h6N/9cNUm/ocU=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIETzCCA7igAwIBAgIEBydYPTANBgkqhkiG9w0BAQUFADB1MQswCQYDVQQGEwJV
UzEYMBYGA1UEChMPR1RFIENvcnBvcmF0aW9uMScwJQYDVQQLEx5HVEUgQ3liZXJU
cnVzdCBTb2x1dGlvbnMsIEluYy4xIzAhBgNVBAMTGkdURSBDeWJlclRydXN0IEds
b2JhbCBSb290MB4XDTEwMDExMzE5MjAzMloXDTE1MDkzMDE4MTk0N1owbDELMAkG
A1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZMBcGA1UECxMQd3d3LmRp
Z2ljZXJ0LmNvbTErMCkGA1UEAxMiRGlnaUNlcnQgSGlnaCBBc3N1cmFuY2UgRVYg
Um9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMbM5XPm+9S7
5S0tMqbf5YE/yc0lSbZxKsPVlDRnogocsF9ppkCxxLeyj9CYpKlBWTrT3JTWPNt0
OKRKzE0lgvdKpVMSOO7zSW1xkX5jtqumX8OkhPhPYlG++MXs2ziS4wblCJEMxChB
VfvLWokVfnHoNb9Ncgk9vjo4UFt3MRuNs8ckRZqnrG0AFFoEt7oT61EKmEFBIk5l
YYeBQVCmeVyJ3hlKV9Uu5l0cUyx+mM0aBhakaHPQNAQTXKFx01p8VdteZOE3hzBW
BOURtCmAEvF5OYiiAhF8J2a3iLd48soKqDirCmTCv2ZdlYTBoSUeh10aUAsgEsxB
u24LUTi4S8sCAwEAAaOCAW8wggFrMBIGA1UdEwEB/wQIMAYBAf8CAQEwUwYDVR0g
BEwwSjBIBgkrBgEEAbE+AQAwOzA5BggrBgEFBQcCARYtaHR0cDovL2N5YmVydHJ1
c3Qub21uaXJvb3QuY29tL3JlcG9zaXRvcnkuY2ZtMA4GA1UdDwEB/wQEAwIBBjCB
iQYDVR0jBIGBMH+heaR3MHUxCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9HVEUgQ29y
cG9yYXRpb24xJzAlBgNVBAsTHkdURSBDeWJlclRydXN0IFNvbHV0aW9ucywgSW5j
LjEjMCEGA1UEAxMaR1RFIEN5YmVyVHJ1c3QgR2xvYmFsIFJvb3SCAgGlMEUGA1Ud
HwQ+MDwwOqA4oDaGNGh0dHA6Ly93d3cucHVibGljLXRydXN0LmNvbS9jZ2ktYmlu
L0NSTC8yMDE4L2NkcC5jcmwwHQYDVR0OBBYEFLE+w2kD+L9HAdSYJhoIAu9jZCvD
MA0GCSqGSIb3DQEBBQUAA4GBAC52hdk3lm2vifMGeIIxxEYHH2XJjrPJVHjm0ULf
dS4eVer3+psEwHV70Xk8Bex5xFLdpgPXp1CZPwVZ2sZV9IacDWejSQSVMh3Hh+yF
r2Ru1cVfCadAfRa6SQ2i/fbfVTBs13jGuc9YKWQWTKMggUexRJKEFhtvSrwhxgo9
7TPK
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIICWjCCAcMCAgGlMA0GCSqGSIb3DQEBBAUAMHUxCzAJBgNVBAYTAlVTMRgwFgYD
VQQKEw9HVEUgQ29ycG9yYXRpb24xJzAlBgNVBAsTHkdURSBDeWJlclRydXN0IFNv
bHV0aW9ucywgSW5jLjEjMCEGA1UEAxMaR1RFIEN5YmVyVHJ1c3QgR2xvYmFsIFJv
b3QwHhcNOTgwODEzMDAyOTAwWhcNMTgwODEzMjM1OTAwWjB1MQswCQYDVQQGEwJV
UzEYMBYGA1UEChMPR1RFIENvcnBvcmF0aW9uMScwJQYDVQQLEx5HVEUgQ3liZXJU
cnVzdCBTb2x1dGlvbnMsIEluYy4xIzAhBgNVBAMTGkdURSBDeWJlclRydXN0IEds
b2JhbCBSb290MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCVD6C28FCc6HrH
iM3dFw4usJTQGz0O9pTAipTHBsiQl8i4ZBp6fmw8U+E3KHNgf7KXUwefU/ltWJTS
r41tiGeA5u2ylc9yMcqlHHK6XALnZELn+aks1joNrI1CqiQBOeacPwGFVw1Yh0X4
04Wqk2kmhXBIgD8SFcd5tB8FLztimQIDAQABMA0GCSqGSIb3DQEBBAUAA4GBAG3r
GwnpXtlR22ciYaQqPEh346B8pt5zohQDhT37qw4wxYMWM4ETCJ57NE7fQMh017l9
3PR2VX2bY1QY6fDq81yx2YtCHrnAlU66+tXifPVoYb+O7AWXX1uw16OFNMQkpw0P
lZPvy5TYnh+dXIVtx6quTx8itc2VrbqnzPmrC3p/
-----END CERTIFICATE-----
</file>
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
The validation error can be consistently reproduced with the following code snippet:
<code>
X509Certificate[] chain = ... ; // server certificate chain
String authType = ...; // the authentication type used by certificate chain
// The attached example uses "RSA"
TrustManagerFactory tmf = TrustManagerFactory.getInstance( "SunX509", "SunJSSE" );
tmf.init( (KeyStore) null );
TrustManager[] tms = tmf.getTrustManagers();
for( TrustManager tm : tms ) {
if( tm instanceof X509TrustManager ) {
( (X509TrustManager) tm ).checkServerTrusted( chain, authType );
}
</code>
REPRODUCIBILITY :
This bug can be reproduced always.
---------- BEGIN SOURCE ----------
The validation error can be consistently reproduced with the following code snippet:
<code>
X509Certificate[] chain = ... ; // server certificate chain
String authType = ...; // the authentication type used by certificate chain
// The attached example uses "RSA"
TrustManagerFactory tmf = TrustManagerFactory.getInstance( "SunX509", "SunJSSE" );
tmf.init( (KeyStore) null );
TrustManager[] tms = tmf.getTrustManagers();
for( TrustManager tm : tms ) {
if( tm instanceof X509TrustManager ) {
( (X509TrustManager) tm ).checkServerTrusted( chain, authType );
}
</code>
---------- END SOURCE ----------
- backported by
-
JDK-2224247 JSSE certificate validation has started to fail for certificate chains
-
- Closed
-
-
JDK-2224305 JSSE certificate validation has started to fail for certificate chains
-
- Closed
-
-
JDK-2224306 JSSE certificate validation has started to fail for certificate chains
-
- Closed
-
- duplicates
-
JDK-6923697 SimpleValidator doesn't allow intermediate CA certificate with PathLen:1'
-
- Closed
-