
OCSP signature validation fails always on CA key rollover

Description

      The test setup is similar to the one described in JDK-7168191. When run with JDK 8, the test always fails to verify the OCSP response.

      This is what the test does:

      1. It has two intermediate CAs, CA1 and CA2, with the same subject as trust anchor
      2. OpenSSL OCSP responder is started with OCSP certificate issued by CA2
      3. Java OCSP client tries to verify EE certificate issued by CA1 against this OCSP
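The setup above is the issuer-selection problem that a CA key rollover creates: two CA certificates carry the same subject name but different keys, so the EE certificate (issued by CA1) and the OCSP responder certificate (issued by CA2) each verify against exactly one of them. The following added example, which is not code from the JDK or from this bug report, shows the check a validator has to make in that situation: pick the issuer by the key that actually verifies the signature, not by subject name alone. The class name IssuerByKey and the file names in the usage line are assumptions.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/**
 * Added example, not JDK code: select the CA certificate that actually signed a
 * given certificate when several candidates share one subject name (CA key rollover).
 */
public class IssuerByKey {

    /** Returns the candidate whose public key verifies cert's signature, or null if none does. */
    public static X509Certificate findIssuerByKey(X509Certificate cert, List<X509Certificate> candidates) {
        for (X509Certificate ca : candidates) {
            // Subject/issuer name equality is necessary but, after a rollover, not sufficient.
            if (!ca.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) {
                continue;
            }
            try {
                cert.verify(ca.getPublicKey()); // throws when this generation of the CA key did not sign cert
                return ca;
            } catch (GeneralSecurityException e) {
                // Same name, wrong key: this is the "signature check failed" case; keep looking.
            }
        }
        return null;
    }

    /** SHA-256 fingerprint of a certificate, hex encoded, to tell same-named CAs apart. */
    public static String fingerprint(X509Certificate cert) throws GeneralSecurityException {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    /** Loads every X.509 certificate (PEM or DER) found in the given files. */
    public static List<X509Certificate> load(String... paths) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> out = new ArrayList<>();
        for (String p : paths) {
            try (InputStream in = Files.newInputStream(Paths.get(p))) {
                for (Certificate c : cf.generateCertificates(in)) {
                    out.add((X509Certificate) c);
                }
            }
        }
        return out;
    }

    // Usage (file names are hypothetical): java IssuerByKey ee.pem ca1.pem ca2.pem
    // Run it again with the OCSP responder certificate as the first argument.
    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: java IssuerByKey <cert> <candidate-ca>...");
            System.exit(2);
        }
        X509Certificate target = load(args[0]).get(0);
        List<X509Certificate> cas = load(Arrays.copyOfRange(args, 1, args.length));
        X509Certificate issuer = findIssuerByKey(target, cas);
        if (issuer == null) {
            System.out.println("no candidate CA key verifies the signature on " + args[0]);
            System.exit(1);
        }
        System.out.println(args[0] + " was signed by the CA key with fingerprint " + fingerprint(issuer));
    }
}
```

Run against the test's material, the EE certificate and the responder certificate resolve to two different fingerprints even though both name the same issuer. A validator that looks the issuer up by subject name alone can only pick one of the two keys, so whichever certificate was signed by the other key fails its signature check; matching on the verifying key (or on the Authority Key Identifier, where both CA generations carry distinct Subject Key Identifiers) is the check that makes key rollover work.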

      Test run with:
      java version "1.8.0-ea"
      Java(TM) SE Runtime Environment (build 1.8.0-ea-b85)
      Java HotSpot(TM) 64-Bit Server VM (build 25.0-b26, mixed mode)

      Results seen:
      The validation always fails, but the exception thrown is not consistent: sometimes the first exception is returned and sometimes the other one. I see two types of exception thrown:

      -------------------------------------------------------------
      Got an exception:
      java.security.cert.CertPathValidatorException: signature check failed

      TEST_RESULT: FAIL
      java.security.cert.CertPathValidatorException: signature check failed
              at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:129)
              at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:210)
              at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:143)
              at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:79)
              at java.security.cert.CertPathValidator.validate(CertPathValidator.java:292)
              at TestOCSP.run(TestOCSP.java:216)
              at TestOCSP.main(TestOCSP.java:57)
      Caused by: java.security.SignatureException: Signature does not match.
              at sun.security.x509.X509CertImpl.verify(X509CertImpl.java:448)
              at sun.security.provider.certpath.BasicChecker.verifySignature(BasicChecker.java:166)
              at sun.security.provider.certpath.BasicChecker.check(BasicChecker.java:147)
              at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:119)
              ... 6 more
      -------------------------------------------------------------

      and the second one:

      -------------------------------------------------------------
      Got an exception:
      java.security.cert.CertPathValidatorException: Unable to verify OCSP Response's signature

      TEST_RESULT: FAIL
      java.security.cert.CertPathValidatorException: Unable to verify OCSP Response's signature
              at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:129)
              at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:210)
              at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:143)
              at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:79)
              at java.security.cert.CertPathValidator.validate(CertPathValidator.java:292)
              at TestOCSP.run(TestOCSP.java:216)
              at TestOCSP.main(TestOCSP.java:57)
      -------------------------------------------------------------

      People

        vinnie Vincent Ryan
        rhalade Rajan Halade