  1. JDK
  2. JDK-8237888 security/infra/java/security/cert/CertPathValidator/certification/LuxTrustCA.java fails when checking validity interval
  3. JDK-8237869

exclude jtreg test security/infra/java/security/cert/CertPathValidator/certification/LuxTrustCA.java because of instabilities


    • b08
    • generic
    • generic

        The test "security/infra/java/security/cert/CertPathValidator/certification/LuxTrustCA.java" sometimes fails when validating the "validity interval" of OCSP responses.
        Example output:
         
        certpath: OCSP response validity interval is from Wed Dec 04 01:05:27 CET 2019
        certpath: Checking validity of OCSP response on: Wed Dec 04 01:39:15 CET 2019 <--------- default interval is system time “on” machine +/- 15 minutes , this is seen as valid by OpenJDK
          …
        java.lang.RuntimeException: TEST FAILED: couldn't determine EE certificate status
                        at ValidatePathWithParams.validate(ValidatePathWithParams.java:177)
                        at LuxTrustCA.main(LuxTrustCA.java:186)
                        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
                        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
                        at java.base/java.lang.reflect.Method.invoke(Method.java:564)
                        at com.sun.javatest.regtest.agent.MainWrapper$MainThread.run(MainWrapper.java:127)
                        at java.base/java.lang.Thread.run(Thread.java:832)
         
         
        stdout contains:
        Received exception: java.security.cert.CertPathValidatorException: Response is unreliable: its validity interval is out-of-date

        The test should be excluded until the instabilities are resolved.
        Comment from Sean Mullan on security-dev:
        "However, there is no nextUpdate field set, which means there should be always newer information available. So while the 5 minute delay may not be a huge issue, the fact that they are returning cached responses, looks like a problem to me.
        This could be the underlying problem, in that they are not generating fresh OCSPResponses. I will contact LuxTrust and see if we can get some information from them."


        See also this discussion thread on security-dev:
        https://mail.openjdk.java.net/pipermail/security-dev/2020-January/021144.html
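The following is an added example, not JDK or test code, that applies the freshness rule from the log annotation (system time +/- 15 minutes) to the two timestamps in the output above. It assumes that a response without nextUpdate is accepted only within that tolerance of its thisUpdate; the class and method names are illustrative.

```java
import java.time.Duration;
import java.time.ZoneId;
import java.time.ZonedDateTime;

public class OcspFreshnessCheck {
    // Tolerance from the log annotation: system time +/- 15 minutes.
    static final Duration MAX_CLOCK_SKEW = Duration.ofMinutes(15);

    /**
     * Returns null if the response is fresh, otherwise the reason for rejection.
     * Assumption: with no nextUpdate, thisUpdate is also the end of the interval.
     */
    static String check(ZonedDateTime thisUpdate, ZonedDateTime nextUpdate,
                        ZonedDateTime now) {
        ZonedDateTime end = (nextUpdate != null) ? nextUpdate : thisUpdate;
        if (now.plus(MAX_CLOCK_SKEW).isBefore(thisUpdate)) {
            return "thisUpdate lies in the future";
        }
        ZonedDateTime earliestNow = now.minus(MAX_CLOCK_SKEW);
        if (earliestNow.isAfter(end)) {
            long late = Duration.between(end, earliestNow).getSeconds();
            return "validity interval is out-of-date by " + late + " s";
        }
        return null;
    }

    static void report(String label, String reason) {
        System.out.println(label + ": " + (reason == null ? "fresh" : reason));
    }

    public static void main(String[] args) {
        ZoneId cet = ZoneId.of("CET");
        // Timestamps taken from the certpath debug lines in the report.
        ZonedDateTime thisUpdate = ZonedDateTime.of(2019, 12, 4, 1, 5, 27, 0, cet);
        ZonedDateTime now = ZonedDateTime.of(2019, 12, 4, 1, 39, 15, 0, cet);

        // Cached response as served: no nextUpdate, about 34 minutes old.
        report("no nextUpdate", check(thisUpdate, null, now));

        // Constructed value: the same response carrying a one-hour nextUpdate.
        report("nextUpdate +1h", check(thisUpdate, thisUpdate.plusHours(1), now));

        // Constructed value: a freshly generated response, checked 5 minutes later.
        report("fresh, 5 min old", check(thisUpdate, null, thisUpdate.plusMinutes(5)));
    }
}
```

The first case shows why a cached response without nextUpdate fails once it is older than the tolerance, while the 5 minute delay mentioned in the comment stays within it.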

              mbaesken Matthias Baesken