- Sub-task
- Resolution: Fixed
- P4
- 11, 14, 15
- b08
- generic
- generic
| Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build | 
|---|---|---|---|---|---|---|
| JDK-8238243 | 14.0.2 | Matthias Baesken | P4 | Resolved | Fixed | b01 | 
| JDK-8238486 | 14.0.1 | Matthias Baesken | P4 | Resolved | Fixed | b03 | 
| JDK-8246321 | 13.0.4 | Matthias Baesken | P4 | Resolved | Fixed | b04 | 
| JDK-8238618 | 11.0.7 | Matthias Baesken | P4 | Resolved | Fixed | b03 | 
The test "security/infra/java/security/cert/CertPathValidator/certification/LuxTrustCA.java" sometimes fails when validating the "validity interval" of OCSP responses.
Example output:
 
certpath: OCSP response validity interval is from Wed Dec 04 01:05:27 CET 2019
certpath: Checking validity of OCSP response on: Wed Dec 04 01:39:15 CET 2019 <--------- default interval is system time “on” machine +/- 15 minutes, this is seen as valid by OpenJDK
…
java.lang.RuntimeException: TEST FAILED: couldn't determine EE certificate status
at ValidatePathWithParams.validate(ValidatePathWithParams.java:177)
at LuxTrustCA.main(LuxTrustCA.java:186)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:564)
at com.sun.javatest.regtest.agent.MainWrapper$MainThread.run(MainWrapper.java:127)
at java.base/java.lang.Thread.run(Thread.java:832)
 
 
stdout contains:
Received exception: java.security.cert.CertPathValidatorException: Response is unreliable: its validity interval is out-of-date
The test should be excluded until the instabilities are resolved.
Comment from Sean Mullan on security-dev:
"However, there is no nextUpdate field set, which means there should always be newer information available. So while the 5 minute delay may not be a huge issue, the fact that they are returning cached responses looks like a problem to me.
This could be the underlying problem, in that they are not generating fresh OCSPResponses. I will contact LuxTrust and see if we can get some information from them."
See also this discussion thread on security-dev:
https://mail.openjdk.java.net/pipermail/security-dev/2020-January/021144.html
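The freshness check behind this failure, sketched as an added example (not JDK source and not part of the original report). It assumes a response without nextUpdate is treated as expiring at thisUpdate, and uses the +/- 15 minute tolerance from the log annotation; the class name and the two comparison cases are constructed.

```java
import java.time.Duration;
import java.time.Instant;
import java.time.OffsetDateTime;
import java.time.ZoneOffset;

// Added illustration, not JDK source.
public class OcspFreshnessDemo {            // hypothetical class name

    // Tolerance from the log annotation: system time +/- 15 minutes.
    static final Duration SKEW = Duration.ofMinutes(15);

    // Returns null if the response is fresh at 'now', else the rejection reason.
    // Assumption: a missing nextUpdate (null) is treated as nextUpdate == thisUpdate.
    static String check(Instant thisUpdate, Instant nextUpdate, Instant now) {
        Instant notAfter = (nextUpdate != null) ? nextUpdate : thisUpdate;
        if (now.plus(SKEW).isBefore(thisUpdate)) {
            return "thisUpdate lies in the future, beyond the skew tolerance";
        }
        if (now.minus(SKEW).isAfter(notAfter)) {
            Duration over = Duration.between(notAfter, now).minus(SKEW);
            return "out-of-date: tolerance exceeded by " + over;
        }
        return null;
    }

    static void report(String label, Instant thisUpdate, Instant nextUpdate, Instant now) {
        String reason = check(thisUpdate, nextUpdate, now);
        System.out.println(label + ": " + (reason == null ? "accepted" : "rejected, " + reason));
    }

    public static void main(String[] args) {
        ZoneOffset cet = ZoneOffset.ofHours(1);
        // Timestamps taken from the log output in the report.
        Instant thisUpdate = OffsetDateTime.of(2019, 12, 4, 1, 5, 27, 0, cet).toInstant();
        Instant checkedAt = OffsetDateTime.of(2019, 12, 4, 1, 39, 15, 0, cet).toInstant();

        report("cached response, no nextUpdate", thisUpdate, null, checkedAt);
        // Constructed: the same response fetched 10 minutes after it was produced.
        report("fresh response, no nextUpdate", thisUpdate, null,
               thisUpdate.plus(Duration.ofMinutes(10)));
        // Constructed: the cached response, had it carried a one-hour nextUpdate.
        report("cached response, nextUpdate +1h", thisUpdate,
               thisUpdate.plus(Duration.ofHours(1)), checkedAt);
    }
}
```

With the report's timestamps the response is 33 minutes 48 seconds old at check time, so only the two constructed variants are accepted.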
- backported by
  - JDK-8238243 exclude jtreg test security/infra/java/security/cert/CertPathValidator/certification/LuxTrustCA.java because of instabilities - Resolved
  - JDK-8238486 exclude jtreg test security/infra/java/security/cert/CertPathValidator/certification/LuxTrustCA.java because of instabilities - Resolved
  - JDK-8238618 exclude jtreg test security/infra/java/security/cert/CertPathValidator/certification/LuxTrustCA.java because of instabilities - Resolved
  - JDK-8246321 exclude jtreg test security/infra/java/security/cert/CertPathValidator/certification/LuxTrustCA.java because of instabilities - Resolved