-
Bug
-
Resolution: Fixed
-
P4
-
8, 9
-
b04
-
generic
-
generic
-
Verified
| Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
|---|---|---|---|---|---|---|
| JDK-8247276 | openjdk8u272 | Alexey Bakhtin | P4 | Resolved | Fixed | b06 |
FULL PRODUCT VERSION :
java version "1.8.0_91"
Java(TM) SE Runtime Environment (build 1.8.0_91-b14)
Java HotSpot(TM) 64-Bit Server VM (build 25.91-b14, mixed mode)
ADDITIONAL OS VERSION INFORMATION :
Linux bryan-Lenovo-YOGA-3-Pro-1370 4.4.0-31-generic #50-Ubuntu SMP Wed Jul 13 00:07:12 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
EXTRA RELEVANT SYSTEM CONFIGURATION :
CertPath validation of belgian eID certificates
A DESCRIPTION OF THE PROBLEM :
When doing Cert Path Validator with a PKIX Revocation Checker. the list of soft fail is always empty, even when a soft fails occurred.
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
* Create a PKIX Revocation Checker
* Set the PKIX Revocation Checker to be soft fail
* Ensure that the OCSP responder and CRL can't be reached (e.g. disactivate network)
* Do a Cert Path Validation with the PKIX Revocation checker on a cert chain that has OCSP and/or CRL specified.
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
The soft fail exception list should have an exception indicating that "http://wrongocsp.eid.belgium.be" isn't reachable
ACTUAL -
The soft fail exeption list is empty
ERROR MESSAGES/STACK TRACES THAT OCCUR :
certpath: Checking cert3 - Subject: SERIALNUMBER=79021802145, GIVENNAME=Bryan Eduard, SURNAME=Brouckaert, CN=Bryan Brouckaert (Signature), C=BE
certpath: Set of critical extensions: {2.5.29.15}
certpath: -Using checker1 ... [sun.security.provider.certpath.UntrustedChecker]
certpath: -checker1 validation succeeded
certpath: -Using checker2 ... [sun.security.provider.certpath.AlgorithmChecker]
certpath: -checker2 validation succeeded
certpath: -Using checker3 ... [sun.security.provider.certpath.KeyChecker]
certpath: -checker3 validation succeeded
certpath: -Using checker4 ... [sun.security.provider.certpath.ConstraintsChecker]
certpath: ---checking basic constraints...
certpath: i = 3, maxPathLength = 0
certpath: after processing, maxPathLength = 0
certpath: basic constraints verified.
certpath: ---checking name constraints...
certpath: prevNC = null, newNC = null
certpath: mergedNC = null
certpath: name constraints verified.
certpath: -checker4 validation succeeded
certpath: -Using checker5 ... [sun.security.provider.certpath.PolicyChecker]
certpath: PolicyChecker.checkPolicy() ---checking certificate policies...
certpath: PolicyChecker.checkPolicy() certIndex = 3
certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: explicitPolicy = 3
certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: policyMapping = 3
certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: inhibitAnyPolicy = 3
certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: policyTree = null
certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: explicitPolicy = 3
certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: policyMapping = 3
certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: inhibitAnyPolicy = 3
certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: policyTree = null
certpath: PolicyChecker.checkPolicy() certificate policies verified
certpath: -checker5 validation succeeded
certpath: -Using checker6 ... [sun.security.provider.certpath.BasicChecker]
certpath: ---checking timestamp:Wed Jul 20 10:57:07 CEST 2016...
certpath: timestamp verified.
certpath: ---checking subject/issuer name chaining...
certpath: subject/issuer name chaining verified.
certpath: ---checking signature...
certpath: signature verified.
certpath: BasicChecker.updateState issuer: SERIALNUMBER=201204, CN=Citizen CA, C=BE; subject: SERIALNUMBER=79021802145, GIVENNAME=Bryan Eduard, SURNAME=Brouckaert, CN=Bryan Brouckaert (Signature), C=BE; serial#: 21267647932559007052436570664840961409
certpath: -checker6 validation succeeded
certpath: -Using checker7 ... [sun.security.provider.certpath.RevocationChecker]
certpath: RevocationChecker.check: checking cert
SN: 10000000 00004ac4 d43f8300 eae39d81
Subject: SERIALNUMBER=79021802145, GIVENNAME=Bryan Eduard, SURNAME=Brouckaert, CN=Bryan Brouckaert (Signature), C=BE
Issuer: SERIALNUMBER=201204, CN=Citizen CA, C=BE
certpath: connecting to OCSP service at: http://dummy.eid.belgium.be
certpath: RevocationChecker.check() Unable to determine revocation status due to network error
certpath: RevocationChecker.check() preparing to failover
certpath: RevocationChecker.checkCRLs() ---checking revocation status ...
certpath: RevocationChecker.checkCRLs() possible crls.size() = 0
certpath: RevocationChecker.checkCRLs() approved crls.size() = 0
certpath: DistributionPointFetcher.getCRLs: Checking CRLDPs for SERIALNUMBER=79021802145, GIVENNAME=Bryan Eduard, SURNAME=Brouckaert, CN=Bryan Brouckaert (Signature), C=BE
certpath: Trying to fetch CRL from DP http://crl.eid.belgium.be/eidc201204.crl
certpath: CertStore URI:http://crl.eid.belgium.be/eidc201204.crl
certpath: Exception fetching CRL:
java.net.SocketTimeoutException: connect timed out
at java.net.PlainSocketImpl.socketConnect(Native Method)
at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
at java.net.Socket.connect(Socket.java:589)
at sun.net.NetworkClient.doConnect(NetworkClient.java:175)
at sun.net.www.http.HttpClient.openServer(HttpClient.java:432)
at sun.net.www.http.HttpClient.openServer(HttpClient.java:527)
at sun.net.www.http.HttpClient.<init>(HttpClient.java:211)
at sun.net.www.http.HttpClient.New(HttpClient.java:308)
at sun.net.www.http.HttpClient.New(HttpClient.java:326)
at sun.net.www.protocol.http.HttpURLConnection.getNewHttpClient(HttpURLConnection.java:1169)
at sun.net.www.protocol.http.HttpURLConnection.plainConnect0(HttpURLConnection.java:1105)
at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:999)
at sun.net.www.protocol.http.HttpURLConnection.connect(HttpURLConnection.java:933)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1513)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1441)
at sun.security.provider.certpath.URICertStore.engineGetCRLs(URICertStore.java:396)
at java.security.cert.CertStore.getCRLs(CertStore.java:181)
at sun.security.provider.certpath.DistributionPointFetcher.getCRL(DistributionPointFetcher.java:246)
at sun.security.provider.certpath.DistributionPointFetcher.getCRLs(DistributionPointFetcher.java:190)
at sun.security.provider.certpath.DistributionPointFetcher.getCRLs(DistributionPointFetcher.java:122)
at sun.security.provider.certpath.RevocationChecker.checkCRLs(RevocationChecker.java:552)
at sun.security.provider.certpath.RevocationChecker.checkCRLs(RevocationChecker.java:465)
at sun.security.provider.certpath.RevocationChecker.check(RevocationChecker.java:394)
at sun.security.provider.certpath.RevocationChecker.check(RevocationChecker.java:337)
at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:125)
at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:219)
at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:140)
at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:79)
at java.security.cert.CertPathValidator.validate(CertPathValidator.java:292)
at net.atos.saviscio.sign.xmldsig.XmlDSigSignature.verify(XmlDSigSignature.java:179)
at net.atos.saviscio.sign.xmldsig.XmlDSigSignature$MockitoMock$620320071.verify$accessor$zS6Pj66N(Unknown Source)
at net.atos.saviscio.sign.xmldsig.XmlDSigSignature$MockitoMock$620320071$auxiliary$8pfr83ZJ.call(Unknown Source)
at org.mockito.internal.creation.bytebuddy.InterceptedInvocation$SuperMethod$FromCallable.invoke(InterceptedInvocation.java:191)
at org.mockito.internal.creation.bytebuddy.InterceptedInvocation.callRealMethod(InterceptedInvocation.java:128)
at org.mockito.internal.stubbing.answers.CallsRealMethods.answer(CallsRealMethods.java:40)
at org.mockito.Answers.answer(Answers.java:91)
at org.mockito.internal.handler.MockHandlerImpl.handle(MockHandlerImpl.java:98)
at org.mockito.internal.handler.NullResultGuardian.handle(NullResultGuardian.java:32)
at org.mockito.internal.handler.InvocationNotifierHandler.handle(InvocationNotifierHandler.java:38)
at org.mockito.internal.creation.bytebuddy.MockMethodInterceptor.doIntercept(MockMethodInterceptor.java:36)
at org.mockito.internal.creation.bytebuddy.MockMethodInterceptor.access$000(MockMethodInterceptor.java:17)
at org.mockito.internal.creation.bytebuddy.MockMethodInterceptor$DispatcherDefaultingToRealMethod.interceptSuperCallable(MockMethodInterceptor.java:96)
at net.atos.saviscio.sign.xmldsig.XmlDSigSignature$MockitoMock$620320071.verify(Unknown Source)
at net.atos.saviscio.sign.XAdESSignatureService.process(XAdESSignatureService.java:35)
at net.atos.saviscio.sign.XAdESSignatureServiceTest.processGenericXadesBES(XAdESSignatureServiceTest.java:54)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:50)
at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12)
at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:47)
at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:17)
at org.junit.internal.runners.statements.RunBefores.evaluate(RunBefores.java:26)
at org.junit.rules.TestWatcher$1.evaluate(TestWatcher.java:55)
at org.junit.rules.RunRules.evaluate(RunRules.java:20)
at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:325)
at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:78)
at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:57)
at org.junit.runners.ParentRunner$3.run(ParentRunner.java:290)
at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:71)
at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:288)
at org.junit.runners.ParentRunner.access$000(ParentRunner.java:58)
at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:268)
at org.junit.runners.ParentRunner.run(ParentRunner.java:363)
at org.mockito.internal.runners.JUnit45AndHigherRunnerImpl.run(JUnit45AndHigherRunnerImpl.java:37)
at org.mockito.runners.MockitoJUnitRunner.run(MockitoJUnitRunner.java:62)
at org.apache.maven.surefire.junit4.JUnit4Provider.execute(JUnit4Provider.java:367)
at org.apache.maven.surefire.junit4.JUnit4Provider.executeWithRerun(JUnit4Provider.java:274)
at org.apache.maven.surefire.junit4.JUnit4Provider.executeTestSet(JUnit4Provider.java:238)
at org.apache.maven.surefire.junit4.JUnit4Provider.invoke(JUnit4Provider.java:161)
at org.apache.maven.surefire.booter.ForkedBooter.invokeProviderInSameClassLoader(ForkedBooter.java:290)
at org.apache.maven.surefire.booter.ForkedBooter.runSuitesInProcess(ForkedBooter.java:242)
at org.apache.maven.surefire.booter.ForkedBooter.main(ForkedBooter.java:121)
certpath: RevocationChecker.check() failover failed
certpath: RevocationChecker.check() Unable to determine revocation status due to network error
certpath: -checker7 validation succeeded
certpath:
cert3 validation succeeded.
REPRODUCIBILITY :
This bug can be reproduced always.
---------- BEGIN SOURCE ----------
private static String selfSigned
= "-----BEGIN CERTIFICATE-----\n"
+ "MIIDsTCCApmgAwIBAgIJAOMWI7Hlb+cHMA0GCSqGSIb3DQEBCwUAMG8xCzAJBgNV\n"
+ "BAYTAkJFMQwwCgYDVQQIDANPVkwxFDASBgNVBAcMC0RlbmRlcmxlZXV3MRQwEgYD\n"
+ "VQQKDAtFZ2Vsa2UgQlZCQTELMAkGA1UECwwCSVQxGTAXBgNVBAMMEEJyeWFuIEJy\n"
+ "b3Vja2FlcnQwHhcNMTYwNzIwMTI1MzUzWhcNMjYwNzE4MTI1MzUzWjBvMQswCQYD\n"
+ "VQQGEwJCRTEMMAoGA1UECAwDT1ZMMRQwEgYDVQQHDAtEZW5kZXJsZWV1dzEUMBIG\n"
+ "A1UECgwLRWdlbGtlIEJWQkExCzAJBgNVBAsMAklUMRkwFwYDVQQDDBBCcnlhbiBC\n"
+ "cm91Y2thZXJ0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnr1n5Zd/\n"
+ "O8Z0hyMwi6xQ90HiPf6LM+KS3sUWnBxSKuXz+SjLCe/6sVGHck9/QahipixjPI8i\n"
+ "JhGFwSbsqbWEE7NR0+sRpL6Ye7a+gpgdPBxtzMh5lnBe1zpi4lbDPBlr8X1nCMNc\n"
+ "QbPYClBgeeRUEnFkS+BSXsUbI25BoJ7qHKAF1vkOBs9wYjTlXVquA7i3i5ixaI51\n"
+ "NPj0Lr7gzk1T0CqbYlME0QNmKs6EQgwudaIPXayBvfGqX5SBEvqg9nHOIX4/VZWI\n"
+ "0PuY0zgJGzpQS/MdP/Y50x1wwEaZ84Yna84DM9AuQDFMMCLbNPjoJjj9KwZubBF3\n"
+ "3xVn7EulXF9lEQIDAQABo1AwTjAdBgNVHQ4EFgQUHruWPgfVtB5UYB8/6/KjW0/x\n"
+ "mEUwHwYDVR0jBBgwFoAUHruWPgfVtB5UYB8/6/KjW0/xmEUwDAYDVR0TBAUwAwEB\n"
+ "/zANBgkqhkiG9w0BAQsFAAOCAQEALlLafpjGU+uzpbxD7qLF42uK6gV7qPdXZ1Pi\n"
+ "hrBdxzqvy+19sIPb61Typs5/YQb0sC+OWhmMiIU4TVHYb94TEzE63XyhvYF11RvN\n"
+ "1jLN0Xe710IMR0VCryuStFgZhvZHMLqabLBI0bRwEY+A2KMUFohLb6agRUnMARjo\n"
+ "GpuPEFAq1weZBJvAWG5KzA7ew+nL0x6Q4CUIE7X+E+VtkTfN06TJ7aqKieYdYL3f\n"
+ "uie8bgw7bglpTqAbDjVEWaKahpvvh4xYpkOqbPTWq9Lxwf47ojiG0XbA6MSFn4x3\n"
+ "hXQcPeOVRkVUwoEekYluRJtnLKPl34xrKQFC8pR2R/brsnxoVQ==\n"
+ "-----END CERTIFICATE-----";
public static void main(String[] args) throws Exception {
CertificateFactory cf = CertificateFactory.getInstance("X.509");
X509Certificate cert = (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(selfSigned.getBytes("UTF-8")));
CertPath certPath = cf.generateCertPath(Collections.singletonList(cert));
TrustAnchor root = new TrustAnchor(cert, null);
CertPathValidator certPathValidator = CertPathValidator.getInstance("PKIX");
PKIXRevocationChecker rc = (PKIXRevocationChecker) certPathValidator.getRevocationChecker();
rc.setOptions(EnumSet.of(PKIXRevocationChecker.Option.SOFT_FAIL));
//URL does not exist ;-)
rc.setOcspResponder(new URI("http://wrongocsp.eid.belgium.be"));
PKIXParameters params = new PKIXParameters(Collections.singleton(root));
params.setRevocationEnabled(true);
params.addCertPathChecker(rc);
certPathValidator.validate(certPath, params);
if (!rc.getSoftFailExceptions().isEmpty()) {
System.err.println("OCSP is down");
} else {
System.out.println("Cert is OK");
}
}
---------- END SOURCE ----------
CUSTOMER SUBMITTED WORKAROUND :
Don't use SOFT_FAIL
java version "1.8.0_91"
Java(TM) SE Runtime Environment (build 1.8.0_91-b14)
Java HotSpot(TM) 64-Bit Server VM (build 25.91-b14, mixed mode)
ADDITIONAL OS VERSION INFORMATION :
Linux bryan-Lenovo-YOGA-3-Pro-1370 4.4.0-31-generic #50-Ubuntu SMP Wed Jul 13 00:07:12 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
EXTRA RELEVANT SYSTEM CONFIGURATION :
CertPath validation of belgian eID certificates
A DESCRIPTION OF THE PROBLEM :
When doing Cert Path Validator with a PKIX Revocation Checker. the list of soft fail is always empty, even when a soft fails occurred.
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
* Create a PKIX Revocation Checker
* Set the PKIX Revocation Checker to be soft fail
* Ensure that the OCSP responder and CRL can't be reached (e.g. disactivate network)
* Do a Cert Path Validation with the PKIX Revocation checker on a cert chain that has OCSP and/or CRL specified.
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
The soft fail exception list should have an exception indicating that "http://wrongocsp.eid.belgium.be" isn't reachable
ACTUAL -
The soft fail exeption list is empty
ERROR MESSAGES/STACK TRACES THAT OCCUR :
certpath: Checking cert3 - Subject: SERIALNUMBER=79021802145, GIVENNAME=Bryan Eduard, SURNAME=Brouckaert, CN=Bryan Brouckaert (Signature), C=BE
certpath: Set of critical extensions: {2.5.29.15}
certpath: -Using checker1 ... [sun.security.provider.certpath.UntrustedChecker]
certpath: -checker1 validation succeeded
certpath: -Using checker2 ... [sun.security.provider.certpath.AlgorithmChecker]
certpath: -checker2 validation succeeded
certpath: -Using checker3 ... [sun.security.provider.certpath.KeyChecker]
certpath: -checker3 validation succeeded
certpath: -Using checker4 ... [sun.security.provider.certpath.ConstraintsChecker]
certpath: ---checking basic constraints...
certpath: i = 3, maxPathLength = 0
certpath: after processing, maxPathLength = 0
certpath: basic constraints verified.
certpath: ---checking name constraints...
certpath: prevNC = null, newNC = null
certpath: mergedNC = null
certpath: name constraints verified.
certpath: -checker4 validation succeeded
certpath: -Using checker5 ... [sun.security.provider.certpath.PolicyChecker]
certpath: PolicyChecker.checkPolicy() ---checking certificate policies...
certpath: PolicyChecker.checkPolicy() certIndex = 3
certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: explicitPolicy = 3
certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: policyMapping = 3
certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: inhibitAnyPolicy = 3
certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: policyTree = null
certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: explicitPolicy = 3
certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: policyMapping = 3
certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: inhibitAnyPolicy = 3
certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: policyTree = null
certpath: PolicyChecker.checkPolicy() certificate policies verified
certpath: -checker5 validation succeeded
certpath: -Using checker6 ... [sun.security.provider.certpath.BasicChecker]
certpath: ---checking timestamp:Wed Jul 20 10:57:07 CEST 2016...
certpath: timestamp verified.
certpath: ---checking subject/issuer name chaining...
certpath: subject/issuer name chaining verified.
certpath: ---checking signature...
certpath: signature verified.
certpath: BasicChecker.updateState issuer: SERIALNUMBER=201204, CN=Citizen CA, C=BE; subject: SERIALNUMBER=79021802145, GIVENNAME=Bryan Eduard, SURNAME=Brouckaert, CN=Bryan Brouckaert (Signature), C=BE; serial#: 21267647932559007052436570664840961409
certpath: -checker6 validation succeeded
certpath: -Using checker7 ... [sun.security.provider.certpath.RevocationChecker]
certpath: RevocationChecker.check: checking cert
SN: 10000000 00004ac4 d43f8300 eae39d81
Subject: SERIALNUMBER=79021802145, GIVENNAME=Bryan Eduard, SURNAME=Brouckaert, CN=Bryan Brouckaert (Signature), C=BE
Issuer: SERIALNUMBER=201204, CN=Citizen CA, C=BE
certpath: connecting to OCSP service at: http://dummy.eid.belgium.be
certpath: RevocationChecker.check() Unable to determine revocation status due to network error
certpath: RevocationChecker.check() preparing to failover
certpath: RevocationChecker.checkCRLs() ---checking revocation status ...
certpath: RevocationChecker.checkCRLs() possible crls.size() = 0
certpath: RevocationChecker.checkCRLs() approved crls.size() = 0
certpath: DistributionPointFetcher.getCRLs: Checking CRLDPs for SERIALNUMBER=79021802145, GIVENNAME=Bryan Eduard, SURNAME=Brouckaert, CN=Bryan Brouckaert (Signature), C=BE
certpath: Trying to fetch CRL from DP http://crl.eid.belgium.be/eidc201204.crl
certpath: CertStore URI:http://crl.eid.belgium.be/eidc201204.crl
certpath: Exception fetching CRL:
java.net.SocketTimeoutException: connect timed out
at java.net.PlainSocketImpl.socketConnect(Native Method)
at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
at java.net.Socket.connect(Socket.java:589)
at sun.net.NetworkClient.doConnect(NetworkClient.java:175)
at sun.net.www.http.HttpClient.openServer(HttpClient.java:432)
at sun.net.www.http.HttpClient.openServer(HttpClient.java:527)
at sun.net.www.http.HttpClient.<init>(HttpClient.java:211)
at sun.net.www.http.HttpClient.New(HttpClient.java:308)
at sun.net.www.http.HttpClient.New(HttpClient.java:326)
at sun.net.www.protocol.http.HttpURLConnection.getNewHttpClient(HttpURLConnection.java:1169)
at sun.net.www.protocol.http.HttpURLConnection.plainConnect0(HttpURLConnection.java:1105)
at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:999)
at sun.net.www.protocol.http.HttpURLConnection.connect(HttpURLConnection.java:933)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1513)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1441)
at sun.security.provider.certpath.URICertStore.engineGetCRLs(URICertStore.java:396)
at java.security.cert.CertStore.getCRLs(CertStore.java:181)
at sun.security.provider.certpath.DistributionPointFetcher.getCRL(DistributionPointFetcher.java:246)
at sun.security.provider.certpath.DistributionPointFetcher.getCRLs(DistributionPointFetcher.java:190)
at sun.security.provider.certpath.DistributionPointFetcher.getCRLs(DistributionPointFetcher.java:122)
at sun.security.provider.certpath.RevocationChecker.checkCRLs(RevocationChecker.java:552)
at sun.security.provider.certpath.RevocationChecker.checkCRLs(RevocationChecker.java:465)
at sun.security.provider.certpath.RevocationChecker.check(RevocationChecker.java:394)
at sun.security.provider.certpath.RevocationChecker.check(RevocationChecker.java:337)
at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:125)
at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:219)
at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:140)
at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:79)
at java.security.cert.CertPathValidator.validate(CertPathValidator.java:292)
at net.atos.saviscio.sign.xmldsig.XmlDSigSignature.verify(XmlDSigSignature.java:179)
at net.atos.saviscio.sign.xmldsig.XmlDSigSignature$MockitoMock$620320071.verify$accessor$zS6Pj66N(Unknown Source)
at net.atos.saviscio.sign.xmldsig.XmlDSigSignature$MockitoMock$620320071$auxiliary$8pfr83ZJ.call(Unknown Source)
at org.mockito.internal.creation.bytebuddy.InterceptedInvocation$SuperMethod$FromCallable.invoke(InterceptedInvocation.java:191)
at org.mockito.internal.creation.bytebuddy.InterceptedInvocation.callRealMethod(InterceptedInvocation.java:128)
at org.mockito.internal.stubbing.answers.CallsRealMethods.answer(CallsRealMethods.java:40)
at org.mockito.Answers.answer(Answers.java:91)
at org.mockito.internal.handler.MockHandlerImpl.handle(MockHandlerImpl.java:98)
at org.mockito.internal.handler.NullResultGuardian.handle(NullResultGuardian.java:32)
at org.mockito.internal.handler.InvocationNotifierHandler.handle(InvocationNotifierHandler.java:38)
at org.mockito.internal.creation.bytebuddy.MockMethodInterceptor.doIntercept(MockMethodInterceptor.java:36)
at org.mockito.internal.creation.bytebuddy.MockMethodInterceptor.access$000(MockMethodInterceptor.java:17)
at org.mockito.internal.creation.bytebuddy.MockMethodInterceptor$DispatcherDefaultingToRealMethod.interceptSuperCallable(MockMethodInterceptor.java:96)
at net.atos.saviscio.sign.xmldsig.XmlDSigSignature$MockitoMock$620320071.verify(Unknown Source)
at net.atos.saviscio.sign.XAdESSignatureService.process(XAdESSignatureService.java:35)
at net.atos.saviscio.sign.XAdESSignatureServiceTest.processGenericXadesBES(XAdESSignatureServiceTest.java:54)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:50)
at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12)
at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:47)
at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:17)
at org.junit.internal.runners.statements.RunBefores.evaluate(RunBefores.java:26)
at org.junit.rules.TestWatcher$1.evaluate(TestWatcher.java:55)
at org.junit.rules.RunRules.evaluate(RunRules.java:20)
at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:325)
at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:78)
at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:57)
at org.junit.runners.ParentRunner$3.run(ParentRunner.java:290)
at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:71)
at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:288)
at org.junit.runners.ParentRunner.access$000(ParentRunner.java:58)
at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:268)
at org.junit.runners.ParentRunner.run(ParentRunner.java:363)
at org.mockito.internal.runners.JUnit45AndHigherRunnerImpl.run(JUnit45AndHigherRunnerImpl.java:37)
at org.mockito.runners.MockitoJUnitRunner.run(MockitoJUnitRunner.java:62)
at org.apache.maven.surefire.junit4.JUnit4Provider.execute(JUnit4Provider.java:367)
at org.apache.maven.surefire.junit4.JUnit4Provider.executeWithRerun(JUnit4Provider.java:274)
at org.apache.maven.surefire.junit4.JUnit4Provider.executeTestSet(JUnit4Provider.java:238)
at org.apache.maven.surefire.junit4.JUnit4Provider.invoke(JUnit4Provider.java:161)
at org.apache.maven.surefire.booter.ForkedBooter.invokeProviderInSameClassLoader(ForkedBooter.java:290)
at org.apache.maven.surefire.booter.ForkedBooter.runSuitesInProcess(ForkedBooter.java:242)
at org.apache.maven.surefire.booter.ForkedBooter.main(ForkedBooter.java:121)
certpath: RevocationChecker.check() failover failed
certpath: RevocationChecker.check() Unable to determine revocation status due to network error
certpath: -checker7 validation succeeded
certpath:
cert3 validation succeeded.
REPRODUCIBILITY :
This bug can be reproduced always.
---------- BEGIN SOURCE ----------
private static String selfSigned
= "-----BEGIN CERTIFICATE-----\n"
+ "MIIDsTCCApmgAwIBAgIJAOMWI7Hlb+cHMA0GCSqGSIb3DQEBCwUAMG8xCzAJBgNV\n"
+ "BAYTAkJFMQwwCgYDVQQIDANPVkwxFDASBgNVBAcMC0RlbmRlcmxlZXV3MRQwEgYD\n"
+ "VQQKDAtFZ2Vsa2UgQlZCQTELMAkGA1UECwwCSVQxGTAXBgNVBAMMEEJyeWFuIEJy\n"
+ "b3Vja2FlcnQwHhcNMTYwNzIwMTI1MzUzWhcNMjYwNzE4MTI1MzUzWjBvMQswCQYD\n"
+ "VQQGEwJCRTEMMAoGA1UECAwDT1ZMMRQwEgYDVQQHDAtEZW5kZXJsZWV1dzEUMBIG\n"
+ "A1UECgwLRWdlbGtlIEJWQkExCzAJBgNVBAsMAklUMRkwFwYDVQQDDBBCcnlhbiBC\n"
+ "cm91Y2thZXJ0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnr1n5Zd/\n"
+ "O8Z0hyMwi6xQ90HiPf6LM+KS3sUWnBxSKuXz+SjLCe/6sVGHck9/QahipixjPI8i\n"
+ "JhGFwSbsqbWEE7NR0+sRpL6Ye7a+gpgdPBxtzMh5lnBe1zpi4lbDPBlr8X1nCMNc\n"
+ "QbPYClBgeeRUEnFkS+BSXsUbI25BoJ7qHKAF1vkOBs9wYjTlXVquA7i3i5ixaI51\n"
+ "NPj0Lr7gzk1T0CqbYlME0QNmKs6EQgwudaIPXayBvfGqX5SBEvqg9nHOIX4/VZWI\n"
+ "0PuY0zgJGzpQS/MdP/Y50x1wwEaZ84Yna84DM9AuQDFMMCLbNPjoJjj9KwZubBF3\n"
+ "3xVn7EulXF9lEQIDAQABo1AwTjAdBgNVHQ4EFgQUHruWPgfVtB5UYB8/6/KjW0/x\n"
+ "mEUwHwYDVR0jBBgwFoAUHruWPgfVtB5UYB8/6/KjW0/xmEUwDAYDVR0TBAUwAwEB\n"
+ "/zANBgkqhkiG9w0BAQsFAAOCAQEALlLafpjGU+uzpbxD7qLF42uK6gV7qPdXZ1Pi\n"
+ "hrBdxzqvy+19sIPb61Typs5/YQb0sC+OWhmMiIU4TVHYb94TEzE63XyhvYF11RvN\n"
+ "1jLN0Xe710IMR0VCryuStFgZhvZHMLqabLBI0bRwEY+A2KMUFohLb6agRUnMARjo\n"
+ "GpuPEFAq1weZBJvAWG5KzA7ew+nL0x6Q4CUIE7X+E+VtkTfN06TJ7aqKieYdYL3f\n"
+ "uie8bgw7bglpTqAbDjVEWaKahpvvh4xYpkOqbPTWq9Lxwf47ojiG0XbA6MSFn4x3\n"
+ "hXQcPeOVRkVUwoEekYluRJtnLKPl34xrKQFC8pR2R/brsnxoVQ==\n"
+ "-----END CERTIFICATE-----";
public static void main(String[] args) throws Exception {
CertificateFactory cf = CertificateFactory.getInstance("X.509");
X509Certificate cert = (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(selfSigned.getBytes("UTF-8")));
CertPath certPath = cf.generateCertPath(Collections.singletonList(cert));
TrustAnchor root = new TrustAnchor(cert, null);
CertPathValidator certPathValidator = CertPathValidator.getInstance("PKIX");
PKIXRevocationChecker rc = (PKIXRevocationChecker) certPathValidator.getRevocationChecker();
rc.setOptions(EnumSet.of(PKIXRevocationChecker.Option.SOFT_FAIL));
//URL does not exist ;-)
rc.setOcspResponder(new URI("http://wrongocsp.eid.belgium.be"));
PKIXParameters params = new PKIXParameters(Collections.singleton(root));
params.setRevocationEnabled(true);
params.addCertPathChecker(rc);
certPathValidator.validate(certPath, params);
if (!rc.getSoftFailExceptions().isEmpty()) {
System.err.println("OCSP is down");
} else {
System.out.println("Cert is OK");
}
}
---------- END SOURCE ----------
CUSTOMER SUBMITTED WORKAROUND :
Don't use SOFT_FAIL
- backported by
-
JDK-8247276 Backport JDK-8161973
-
- Resolved
-
- duplicates
-
-
- Closed
-