-
Bug
-
Resolution: Fixed
-
P2
-
9
-
b64
-
b82
-
Verified
| Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
|---|---|---|---|---|---|---|
| JDK-8142040 | emb-9 | Artem Smotrakov | P2 | Resolved | Fixed | team |
Certpath validation fails with the following error (with -Djava.security.debug=certpath):
certpath: LDAPCertStore.engineGetCertificates() basicConstraints: 0
certpath: LDAPCertStore.engineGetCertificates() subject is not null
certpath: LDAPCertStore.engineGetCertificates() after getMatchingCrossCerts(subject,xsel,null),certs.size(): 0
certpath: LDAPCertStore.engineGetCertificates() after getCertificates(subject,CA_CERT,xsel),certs.size(): 0
certpath: LDAPCertStore.engineGetCertificates() about to getMatchingCrossCerts...
certpath: LDAPCertStore.engineGetCertificates() returning certs
certpath: CertStore URI:ldap://betty.nist.gov/dc=BasicLDAPURISubSubCA7,dc=testcertificates,dc=gov?cACertificate;binary,crossCertificatePair;binary
certpath: exception creating CertStore: java.security.InvalidAlgorithmParameterException: parameters must be either LDAPCertStoreParameters or URICertStoreParameters
java.security.InvalidAlgorithmParameterException: parameters must be either LDAPCertStoreParameters or URICertStoreParameters
at sun.security.provider.certpath.ldap.LDAPCertStore.<init>(LDAPCertStore.java:139)
at sun.security.provider.certpath.ldap.JdkLDAP$ProviderService.newInstance(JdkLDAP.java:61)
at sun.security.jca.GetInstance.getInstance(GetInstance.java:243)
at sun.security.jca.GetInstance.getInstance(GetInstance.java:190)
at java.security.cert.CertStore.getInstance(CertStore.java:228)
at sun.security.provider.certpath.URICertStore.<init>(URICertStore.java:168)
at sun.security.provider.certpath.URICertStore.getInstance(URICertStore.java:190)
at sun.security.provider.certpath.URICertStore.getInstance(URICertStore.java:216)
at sun.security.provider.certpath.ForwardBuilder.getCerts(ForwardBuilder.java:376)
at sun.security.provider.certpath.ForwardBuilder.getMatchingCACerts(ForwardBuilder.java:345)
at sun.security.provider.certpath.ForwardBuilder.getMatchingCerts(ForwardBuilder.java:133)
at sun.security.provider.certpath.SunCertPathBuilder.depthFirstSearchForward(SunCertPathBuilder.java:263)
at sun.security.provider.certpath.SunCertPathBuilder.depthFirstSearchForward(SunCertPathBuilder.java:527)
at sun.security.provider.certpath.SunCertPathBuilder.buildForward(SunCertPathBuilder.java:225)
at sun.security.provider.certpath.SunCertPathBuilder.buildCertPath(SunCertPathBuilder.java:160)
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:131)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
at TestSuite.runTest(TestSuite.java:530)
at TestSuite.main(TestSuite.java:507)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:504)
at com.sun.javatest.regtest.agent.MainWrapper$MainThread.run(MainWrapper.java:92)
at java.lang.Thread.run(Thread.java:746)
This happens because LDAPCertStore accepts only LDAPCertStoreParameters and URICertStoreParameters:
http://hg.openjdk.java.net/jdk9/dev/jdk/file/facea01d6b68/src/java.naming/share/classes/sun/security/provider/certpath/ldap/LDAPCertStore.java#l113
...
if (params instanceof LDAPCertStoreParameters) {
...
} else if (params instanceof URICertStoreParameters) {
...
} else {
throw new InvalidAlgorithmParameterException(
"parameters must be either LDAPCertStoreParameters or " +
"URICertStoreParameters");
}
...
But sun.security.provider.certpath.URICertStore uses an inner static URICertStoreParameters class:
http://hg.openjdk.java.net/jdk9/dev/jdk/file/facea01d6b68/src/java.base/share/classes/sun/security/provider/certpath/URICertStore.java#l214
...
try {
return URICertStore.getInstance
(new URICertStore.URICertStoreParameters(uri));
} catch (Exception ex) {
if (debug != null) {
debug.println("exception creating CertStore: " + ex);
ex.printStackTrace();
}
return null;
}
...
The same thing with DistributionPointFetcher:
http://hg.openjdk.java.net/jdk9/dev/jdk/file/facea01d6b68/src/java.base/share/classes/sun/security/provider/certpath/DistributionPointFetcher.java#l235
...
try {
ucs = URICertStore.getInstance
(new URICertStore.URICertStoreParameters(uri));
} catch (InvalidAlgorithmParameterException |
NoSuchAlgorithmException e) {
if (debug != null) {
debug.println("Can't create URICertStore: " + e.getMessage());
}
return null;
}
...
As a result, certs and CRLs can't be loaded over LDAP. This may be considered as a regression ofJDK-8038084 that introduced public java.security.cert.URICertStoreParameters, but URICertStore and DistributionPointFetcher still use URICertStore.URICertStoreParameters.
Test cases 4.1.2.18 and 4.1.2.19 from NIST Discovery Test Suite [1] fail due to this problem because certs have links to LDAP stores in AIA and CRLDP extensions. These test cases pass with JDK 9 b64 which doesn't haveJDK-8038084.
I suppose URICertStore.URICertStoreParameters class is not needed anymore. This issue may be fixed by updating URICertStore and DistributionPointFetcher to use new java.security.cert.URICertStoreParameters:
http://cr.openjdk.java.net/~asmotrak/8134708/webrev.00/
[1] http://csrc.nist.gov/groups/ST/crypto_apps_infra/documents/PathDiscoveryTestSuite.pdf
certpath: LDAPCertStore.engineGetCertificates() basicConstraints: 0
certpath: LDAPCertStore.engineGetCertificates() subject is not null
certpath: LDAPCertStore.engineGetCertificates() after getMatchingCrossCerts(subject,xsel,null),certs.size(): 0
certpath: LDAPCertStore.engineGetCertificates() after getCertificates(subject,CA_CERT,xsel),certs.size(): 0
certpath: LDAPCertStore.engineGetCertificates() about to getMatchingCrossCerts...
certpath: LDAPCertStore.engineGetCertificates() returning certs
certpath: CertStore URI:ldap://betty.nist.gov/dc=BasicLDAPURISubSubCA7,dc=testcertificates,dc=gov?cACertificate;binary,crossCertificatePair;binary
certpath: exception creating CertStore: java.security.InvalidAlgorithmParameterException: parameters must be either LDAPCertStoreParameters or URICertStoreParameters
java.security.InvalidAlgorithmParameterException: parameters must be either LDAPCertStoreParameters or URICertStoreParameters
at sun.security.provider.certpath.ldap.LDAPCertStore.<init>(LDAPCertStore.java:139)
at sun.security.provider.certpath.ldap.JdkLDAP$ProviderService.newInstance(JdkLDAP.java:61)
at sun.security.jca.GetInstance.getInstance(GetInstance.java:243)
at sun.security.jca.GetInstance.getInstance(GetInstance.java:190)
at java.security.cert.CertStore.getInstance(CertStore.java:228)
at sun.security.provider.certpath.URICertStore.<init>(URICertStore.java:168)
at sun.security.provider.certpath.URICertStore.getInstance(URICertStore.java:190)
at sun.security.provider.certpath.URICertStore.getInstance(URICertStore.java:216)
at sun.security.provider.certpath.ForwardBuilder.getCerts(ForwardBuilder.java:376)
at sun.security.provider.certpath.ForwardBuilder.getMatchingCACerts(ForwardBuilder.java:345)
at sun.security.provider.certpath.ForwardBuilder.getMatchingCerts(ForwardBuilder.java:133)
at sun.security.provider.certpath.SunCertPathBuilder.depthFirstSearchForward(SunCertPathBuilder.java:263)
at sun.security.provider.certpath.SunCertPathBuilder.depthFirstSearchForward(SunCertPathBuilder.java:527)
at sun.security.provider.certpath.SunCertPathBuilder.buildForward(SunCertPathBuilder.java:225)
at sun.security.provider.certpath.SunCertPathBuilder.buildCertPath(SunCertPathBuilder.java:160)
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:131)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
at TestSuite.runTest(TestSuite.java:530)
at TestSuite.main(TestSuite.java:507)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:504)
at com.sun.javatest.regtest.agent.MainWrapper$MainThread.run(MainWrapper.java:92)
at java.lang.Thread.run(Thread.java:746)
This happens because LDAPCertStore accepts only LDAPCertStoreParameters and URICertStoreParameters:
http://hg.openjdk.java.net/jdk9/dev/jdk/file/facea01d6b68/src/java.naming/share/classes/sun/security/provider/certpath/ldap/LDAPCertStore.java#l113
...
if (params instanceof LDAPCertStoreParameters) {
...
} else if (params instanceof URICertStoreParameters) {
...
} else {
throw new InvalidAlgorithmParameterException(
"parameters must be either LDAPCertStoreParameters or " +
"URICertStoreParameters");
}
...
But sun.security.provider.certpath.URICertStore uses an inner static URICertStoreParameters class:
http://hg.openjdk.java.net/jdk9/dev/jdk/file/facea01d6b68/src/java.base/share/classes/sun/security/provider/certpath/URICertStore.java#l214
...
try {
return URICertStore.getInstance
(new URICertStore.URICertStoreParameters(uri));
} catch (Exception ex) {
if (debug != null) {
debug.println("exception creating CertStore: " + ex);
ex.printStackTrace();
}
return null;
}
...
The same thing with DistributionPointFetcher:
http://hg.openjdk.java.net/jdk9/dev/jdk/file/facea01d6b68/src/java.base/share/classes/sun/security/provider/certpath/DistributionPointFetcher.java#l235
...
try {
ucs = URICertStore.getInstance
(new URICertStore.URICertStoreParameters(uri));
} catch (InvalidAlgorithmParameterException |
NoSuchAlgorithmException e) {
if (debug != null) {
debug.println("Can't create URICertStore: " + e.getMessage());
}
return null;
}
...
As a result, certs and CRLs can't be loaded over LDAP. This may be considered as a regression of
Test cases 4.1.2.18 and 4.1.2.19 from NIST Discovery Test Suite [1] fail due to this problem because certs have links to LDAP stores in AIA and CRLDP extensions. These test cases pass with JDK 9 b64 which doesn't have
I suppose URICertStore.URICertStoreParameters class is not needed anymore. This issue may be fixed by updating URICertStore and DistributionPointFetcher to use new java.security.cert.URICertStoreParameters:
http://cr.openjdk.java.net/~asmotrak/8134708/webrev.00/
[1] http://csrc.nist.gov/groups/ST/crypto_apps_infra/documents/PathDiscoveryTestSuite.pdf
- backported by
-
JDK-8142040 Certpath validation fails to load certs and CRLs if AIA and CRLDP extensions point to LDAP resources
-
- Resolved
-
- relates to
-
-
- Closed
-