JDK-8189760: sun/security/ssl/CertPathRestrictions/TLSRestrictions.java failed with unexpected Exception intermittently


      Description

        #section:main
        ----------messages:(4/228)----------
        command: main -Djava.security.debug=certpath TLSRestrictions S8
        reason: User specified action: run main/othervm -Djava.security.debug=certpath TLSRestrictions S8
        Mode: othervm [/othervm specified]
        elapsed time (seconds): 1.705
        ----------configuration:(0/0)----------
        ----------System.out:(206/15994)----------
        Case:
          trustNames=ROOT_CA_SHA256; certNames=END_ENTITY_SHA256-INTER_CA_SHA1-ROOT_CA_SHA256,INTER_CA_SHA1-ROOT_CA_SHA256
          serverConstraint=SHA1 usage TLSClient; clientConstraint=MD2, MD5
          needClientAuth=true
          pass=false

        Server: Old jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224
        Server: New jdk.certpath.disabledAlgorithms=SHA1 usage TLSClient
        Server: port=58472
        Server: started
        Command line: [/scratch/opt/mach5/mesos/work_dir/jib-master/install/jdk10-master.174/linux-x64.jdk/jdk-10/bin/java -cp /scratch/opt/mach5/mesos/work_dir/slaves/7aed79a7-ea87-4caa-8895-f1d7e69bb48e-S4076/frameworks/1735e8a2-a1db-478c-8104-60c8b0af87dd-0196/executors/7fce4e10-08a1-4962-a860-b1c050a3670f/runs/f14e8a1b-1516-4594-b825-1daeb746c70d/testoutput/jtreg/JTwork/classes/4/sun/security/ssl/CertPathRestrictions/TLSRestrictions.d:/scratch/opt/mach5/mesos/work_dir/jib-master/install/jdk10-master.174/src.full/open/test/jdk/sun/security/ssl/CertPathRestrictions:/scratch/opt/mach5/mesos/work_dir/slaves/7aed79a7-ea87-4caa-8895-f1d7e69bb48e-S4076/frameworks/1735e8a2-a1db-478c-8104-60c8b0af87dd-0196/executors/7fce4e10-08a1-4962-a860-b1c050a3670f/runs/f14e8a1b-1516-4594-b825-1daeb746c70d/testoutput/jtreg/JTwork/classes/4/test/lib:/scratch/opt/mach5/mesos/work_dir/jib-master/install/jdk10-master.174/src.full/open/test/lib:/scratch/opt/mach5/mesos/work_dir/jib-master/install/com/oracle/java/jib/jib/3.0-SNAPSHOT/jib-3.0-SNAPSHOT-distribution.zip/jib-3.0-SNAPSHOT-distribution/lib/jib-3.0-SNAPSHOT.jar:/scratch/opt/mach5/mesos/work_dir/jib-master/install/java/re/jtreg/4.2/promoted/all/b08/bundles/jtreg_bin-4.2.zip/jtreg/lib/javatest.jar:/scratch/opt/mach5/mesos/work_dir/jib-master/install/java/re/jtreg/4.2/promoted/all/b08/bundles/jtreg_bin-4.2.zip/jtreg/lib/jtreg.jar -ea -esa -Xmx512m -Dcert.dir=/scratch/opt/mach5/mesos/work_dir/jib-master/install/jdk10-master.174/src.full/open/test/jdk/sun/security/ssl/CertPathRestrictions/certs -Djava.security.debug=certpath -classpath /scratch/opt/mach5/mesos/work_dir/slaves/7aed79a7-ea87-4caa-8895-f1d7e69bb48e-S4076/frameworks/1735e8a2-a1db-478c-8104-60c8b0af87dd-0196/executors/7fce4e10-08a1-4962-a860-b1c050a3670f/runs/f14e8a1b-1516-4594-b825-1daeb746c70d/testoutput/jtreg/JTwork/classes/4/sun/security/ssl/CertPathRestrictions/TLSRestrictions.d JSSEClient 58472 ROOT_CA_SHA256 
END_ENTITY_SHA256-INTER_CA_SHA1-ROOT_CA_SHA256,INTER_CA_SHA1-ROOT_CA_SHA256 MD2, MD5 ]
        javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Usage constraint TLSClient check failed: SHA1 used with certificate: CN=INTER_CA_SHA1-ROOT_CA_SHA256, OU=Java, O=Org, L=City, ST=CA, C=US. Usage was tls client
        at java.base/sun.security.ssl.Alerts.getSSLException(Alerts.java:198)
        at java.base/sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1974)
        at java.base/sun.security.ssl.Handshaker.fatalSE(Handshaker.java:319)
        at java.base/sun.security.ssl.Handshaker.fatalSE(Handshaker.java:313)
        at java.base/sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:2120)
        at java.base/sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:249)
        at java.base/sun.security.ssl.Handshaker.processLoop(Handshaker.java:1072)
        at java.base/sun.security.ssl.Handshaker.processRecord(Handshaker.java:1000)
        at java.base/sun.security.ssl.SSLSocketImpl.processInputRecord(SSLSocketImpl.java:1137)
        at java.base/sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1074)
        at java.base/sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:973)
        at java.base/sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1402)
        at java.base/sun.security.ssl.SSLSocketImpl.bytesInCompletePacket(SSLSocketImpl.java:907)
        at java.base/sun.security.ssl.AppInputStream.read(AppInputStream.java:144)
        at java.base/sun.security.ssl.AppInputStream.read(AppInputStream.java:84)
        at JSSEServer$1.run(JSSEServer.java:63)
        at java.base/java.lang.Thread.run(Thread.java:844)
        Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Usage constraint TLSClient check failed: SHA1 used with certificate: CN=INTER_CA_SHA1-ROOT_CA_SHA256, OU=Java, O=Org, L=City, ST=CA, C=US. Usage was tls client
        at java.base/sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:350)
        at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:259)
        at java.base/sun.security.validator.Validator.validate(Validator.java:264)
        at java.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:343)
        at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:226)
        at java.base/sun.security.ssl.X509TrustManagerImpl.checkClientTrusted(X509TrustManagerImpl.java:127)
        at java.base/sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:2102)
        ... 12 more
        Caused by: java.security.cert.CertPathValidatorException: Usage constraint TLSClient check failed: SHA1 used with certificate: CN=INTER_CA_SHA1-ROOT_CA_SHA256, OU=Java, O=Org, L=City, ST=CA, C=US. Usage was tls client
        at java.base/sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:135)
        at java.base/sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:223)
        at java.base/sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:140)
        at java.base/sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:79)
        at java.base/java.security.cert.CertPathValidator.validate(CertPathValidator.java:309)
        at java.base/sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:345)
        ... 18 more
        Caused by: java.security.cert.CertPathValidatorException: Usage constraint TLSClient check failed: SHA1 used with certificate: CN=INTER_CA_SHA1-ROOT_CA_SHA256, OU=Java, O=Org, L=City, ST=CA, C=US. Usage was tls client
        at java.base/sun.security.util.DisabledAlgorithmConstraints$UsageConstraint.permits(DisabledAlgorithmConstraints.java:739)
        at java.base/sun.security.util.DisabledAlgorithmConstraints$Constraints.permits(DisabledAlgorithmConstraints.java:419)
        at java.base/sun.security.util.DisabledAlgorithmConstraints.permits(DisabledAlgorithmConstraints.java:167)
        at java.base/sun.security.provider.certpath.AlgorithmChecker.check(AlgorithmChecker.java:326)
        at java.base/sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:125)
        ... 23 more
        ---------- Client output start ----------
        Client: arguments=58472; ROOT_CA_SHA256; END_ENTITY_SHA256-INTER_CA_SHA1-ROOT_CA_SHA256,INTER_CA_SHA1-ROOT_CA_SHA256; MD2, MD5
        Client: Old jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224
        Client: New jdk.certpath.disabledAlgorithms=MD2, MD5
        Client: connected
        certpath: Constraints: SSLv3
        certpath: Constraints: RC4
        certpath: Constraints: MD5withRSA
        certpath: Constraints: DH keySize < 1024
        certpath: Constraints set to keySize: keySize < 1024
        certpath: Constraints: EC keySize < 224
        certpath: Constraints set to keySize: keySize < 224
        certpath: Constraints: MD2
        certpath: Constraints: MD5
        certpath: Constraints: MD2
        certpath: Constraints: MD5
        certpath: TrustAnchor is null, trustedMatch is false.
        certpath: PKIXCertPathValidator.engineValidate()...
        certpath: X509CertSelector.match(SN: a3529d826fddc61d
          Issuer: CN=ROOT_CA_SHA256, OU=Java, O=Org, L=City, ST=CA, C=US
          Subject: CN=ROOT_CA_SHA256, OU=Java, O=Org, L=City, ST=CA, C=US)
        certpath: X509CertSelector.match returning: true
        certpath: YES - try this trustedCert
        certpath: anchor.getTrustedCert().getSubjectX500Principal() = CN=ROOT_CA_SHA256, OU=Java, O=Org, L=City, ST=CA, C=US
        certpath: --------------------------------------------------------------
        certpath: Executing PKIX certification path validation algorithm.
        certpath: Checking cert1 - Subject: CN=INTER_CA_SHA1-ROOT_CA_SHA256, OU=Java, O=Org, L=City, ST=CA, C=US
        certpath: -Using checker1 ... [sun.security.provider.certpath.UntrustedChecker]
        certpath: -checker1 validation succeeded
        certpath: -Using checker2 ... [sun.security.provider.certpath.AlgorithmChecker]
        certpath: Constraints.permits(): SHA1withRSA Variant: tls server
        certpath: -checker2 validation succeeded
        certpath: -Using checker3 ... [sun.security.provider.certpath.KeyChecker]
        certpath: KeyChecker.verifyCAKeyUsage() ---checking CA key usage...
        certpath: -checker3 validation succeeded
        certpath: -Using checker4 ... [sun.security.provider.certpath.ConstraintsChecker]
        certpath: ---checking basic constraints...
        certpath: i = 1, maxPathLength = 2
        certpath: after processing, maxPathLength = 1
        certpath: basic constraints verified.
        certpath: ---checking name constraints...
        certpath: prevNC = null, newNC = null
        certpath: mergedNC = null
        certpath: name constraints verified.
        certpath: -checker4 validation succeeded
        certpath: -Using checker5 ... [sun.security.provider.certpath.PolicyChecker]
        certpath: PolicyChecker.checkPolicy() ---checking certificate policies...
        certpath: PolicyChecker.checkPolicy() certIndex = 1
        certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: explicitPolicy = 3
        certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: policyMapping = 3
        certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: inhibitAnyPolicy = 3
        certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: policyTree = anyPolicy ROOT

        certpath: PolicyChecker.processPolicies() no policies present in cert
        certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: explicitPolicy = 2
        certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: policyMapping = 2
        certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: inhibitAnyPolicy = 2
        certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: policyTree = null
        certpath: PolicyChecker.checkPolicy() certificate policies verified
        certpath: -checker5 validation succeeded
        certpath: -Using checker6 ... [sun.security.provider.certpath.BasicChecker]
        certpath: ---checking validity:Fri Oct 20 07:56:53 PDT 2017...
        certpath: validity verified.
        certpath: ---checking subject/issuer name chaining...
        certpath: subject/issuer name chaining verified.
        certpath: ---checking signature...
        certpath: signature verified.
        certpath: BasicChecker.updateState issuer: CN=ROOT_CA_SHA256, OU=Java, O=Org, L=City, ST=CA, C=US; subject: CN=INTER_CA_SHA1-ROOT_CA_SHA256, OU=Java, O=Org, L=City, ST=CA, C=US; serial#: 9557043154290660301
        certpath: -checker6 validation succeeded
        certpath: -Using checker7 ... [sun.security.provider.certpath.AlgorithmChecker]
        certpath: Constraints.permits(): SHA1withRSA Variant: tls server
        certpath: -checker7 validation succeeded
        certpath:
        cert1 validation succeeded.

        certpath: Checking cert2 - Subject: CN=END_ENTITY_SHA256-INTER_CA_SHA1-ROOT_CA_SHA256-PRIV, OU=Java, O=Org, L=City, ST=CA, C=US
        certpath: -Using checker1 ... [sun.security.provider.certpath.UntrustedChecker]
        certpath: -checker1 validation succeeded
        certpath: -Using checker2 ... [sun.security.provider.certpath.AlgorithmChecker]
        certpath: Constraints.permits(): SHA256withRSA Variant: tls server
        certpath: -checker2 validation succeeded
        certpath: -Using checker3 ... [sun.security.provider.certpath.KeyChecker]
        certpath: -checker3 validation succeeded
        certpath: -Using checker4 ... [sun.security.provider.certpath.ConstraintsChecker]
        certpath: ---checking basic constraints...
        certpath: i = 2, maxPathLength = 1
        certpath: after processing, maxPathLength = 1
        certpath: basic constraints verified.
        certpath: ---checking name constraints...
        certpath: prevNC = null, newNC = null
        certpath: mergedNC = null
        certpath: name constraints verified.
        certpath: -checker4 validation succeeded
        certpath: -Using checker5 ... [sun.security.provider.certpath.PolicyChecker]
        certpath: PolicyChecker.checkPolicy() ---checking certificate policies...
        certpath: PolicyChecker.checkPolicy() certIndex = 2
        certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: explicitPolicy = 2
        certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: policyMapping = 2
        certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: inhibitAnyPolicy = 2
        certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: policyTree = null
        certpath: PolicyChecker.processPolicies() no policies present in cert
        certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: explicitPolicy = 2
        certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: policyMapping = 2
        certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: inhibitAnyPolicy = 2
        certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: policyTree = null
        certpath: PolicyChecker.checkPolicy() certificate policies verified
        certpath: -checker5 validation succeeded
        certpath: -Using checker6 ... [sun.security.provider.certpath.BasicChecker]
        certpath: ---checking validity:Fri Oct 20 07:56:53 PDT 2017...
        certpath: validity verified.
        certpath: ---checking subject/issuer name chaining...
        certpath: subject/issuer name chaining verified.
        certpath: ---checking signature...
        certpath: signature verified.
        certpath: BasicChecker.updateState issuer: CN=INTER_CA_SHA1-ROOT_CA_SHA256, OU=Java, O=Org, L=City, ST=CA, C=US; subject: CN=END_ENTITY_SHA256-INTER_CA_SHA1-ROOT_CA_SHA256-PRIV, OU=Java, O=Org, L=City, ST=CA, C=US; serial#: 11454861092401349589
        certpath: -checker6 validation succeeded
        certpath: -Using checker7 ... [sun.security.provider.certpath.AlgorithmChecker]
        certpath: Constraints.permits(): SHA256withRSA Variant: tls server
        certpath: -checker7 validation succeeded
        certpath:
        cert2 validation succeeded.

        certpath: Cert path validation succeeded. (PKIX validation algorithm)
        certpath: --------------------------------------------------------------
        certpath: KeySizeConstraints.permits(): EC
        certpath: TrustAnchor is null, trustedMatch is false.
        certpath: Constraints.permits(): SHA1withRSA Variant: tls client
        certpath: Constraints.permits(): SHA256withRSA Variant: tls client
        Exception in thread "main" java.lang.RuntimeException: Client: failed.
        at JSSEClient.main(JSSEClient.java:63)
        Caused by: java.net.SocketException: Broken pipe (Write failed)
        at java.base/java.net.SocketOutputStream.socketWrite0(Native Method)
        at java.base/java.net.SocketOutputStream.socketWrite(SocketOutputStream.java:111)
        at java.base/java.net.SocketOutputStream.write(SocketOutputStream.java:155)
        at java.base/sun.security.ssl.SSLSocketOutputRecord.encodeChangeCipherSpec(SSLSocketOutputRecord.java:205)
        at java.base/sun.security.ssl.OutputRecord.changeWriteCiphers(OutputRecord.java:163)
        at java.base/sun.security.ssl.SSLSocketImpl.changeWriteCiphers(SSLSocketImpl.java:2114)
        at java.base/sun.security.ssl.Handshaker.sendChangeCipherSpec(Handshaker.java:1175)
        at java.base/sun.security.ssl.ClientHandshaker.sendChangeCipherAndFinish(ClientHandshaker.java:1356)
        at java.base/sun.security.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:1260)
        at java.base/sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:418)
        at java.base/sun.security.ssl.Handshaker.processLoop(Handshaker.java:1072)
        at java.base/sun.security.ssl.Handshaker.processRecord(Handshaker.java:1000)
        at java.base/sun.security.ssl.SSLSocketImpl.processInputRecord(SSLSocketImpl.java:1137)
        at java.base/sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1074)
        at java.base/sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:973)
        at java.base/sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1402)
        at java.base/sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:733)
        at java.base/sun.security.ssl.AppOutputStream.write(AppOutputStream.java:67)
        at java.base/sun.security.ssl.AppOutputStream.write(AppOutputStream.java:81)
        at JSSEClient.main(JSSEClient.java:58)

        ---------- Client output end ----------
        ----------System.err:(57/3203)----------
        certpath: Constraints: SSLv3
        certpath: Constraints: RC4
        certpath: Constraints: MD5withRSA
        certpath: Constraints: DH keySize < 1024
        certpath: Constraints set to keySize: keySize < 1024
        certpath: Constraints: EC keySize < 224
        certpath: Constraints set to keySize: keySize < 224
        certpath: Constraints: MD2
        certpath: Constraints: MD5
        certpath: Constraints: SHA1 jdkCA & usage TLSServer
        certpath: Constraints set to jdkCA.
        certpath: Constraints usage length is 1
        certpath: Constraints: RSA keySize < 1024
        certpath: Constraints set to keySize: keySize < 1024
        certpath: Constraints: DSA keySize < 1024
        certpath: Constraints set to keySize: keySize < 1024
        certpath: Constraints: EC keySize < 224
        certpath: Constraints set to keySize: keySize < 224
        certpath: Constraints: SHA1 usage TLSClient
        certpath: Constraints usage length is 1
        certpath: TrustAnchor is null, trustedMatch is false.
        certpath: Constraints.permits(): SHA1withRSA Variant: tls server
        certpath: Checking if usage constraint "tls client" matches "tls server"
        certpath: KeySizeConstraints.permits(): RSA
        certpath: Constraints.permits(): SHA256withRSA Variant: tls server
        certpath: KeySizeConstraints.permits(): RSA
        certpath: KeySizeConstraints.permits(): RSA
        certpath: TrustAnchor is null, trustedMatch is false.
        certpath: PKIXCertPathValidator.engineValidate()...
        certpath: X509CertSelector.match(SN: a3529d826fddc61d
          Issuer: CN=ROOT_CA_SHA256, OU=Java, O=Org, L=City, ST=CA, C=US
          Subject: CN=ROOT_CA_SHA256, OU=Java, O=Org, L=City, ST=CA, C=US)
        certpath: X509CertSelector.match returning: true
        certpath: YES - try this trustedCert
        certpath: anchor.getTrustedCert().getSubjectX500Principal() = CN=ROOT_CA_SHA256, OU=Java, O=Org, L=City, ST=CA, C=US
        certpath: --------------------------------------------------------------
        certpath: Executing PKIX certification path validation algorithm.
        certpath: Checking cert1 - Subject: CN=INTER_CA_SHA1-ROOT_CA_SHA256, OU=Java, O=Org, L=City, ST=CA, C=US
        certpath: -Using checker1 ... [sun.security.provider.certpath.UntrustedChecker]
        certpath: -checker1 validation succeeded
        certpath: -Using checker2 ... [sun.security.provider.certpath.AlgorithmChecker]
        certpath: Constraints.permits(): SHA1withRSA Variant: tls client
        certpath: Checking if usage constraint "tls client" matches "tls client"
        java.lang.RuntimeException: Failure with unexpected exception.
        at TLSRestrictions.testConstraint(TLSRestrictions.java:270)
        at TLSRestrictions.main(TLSRestrictions.java:483)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.base/java.lang.reflect.Method.invoke(Method.java:564)
        at com.sun.javatest.regtest.agent.MainWrapper$MainThread.run(MainWrapper.java:115)
        at java.base/java.lang.Thread.run(Thread.java:844)

        JavaTest Message: Test threw exception: java.lang.RuntimeException: Failure with unexpected exception.
        JavaTest Message: shutting down test

        STATUS:Failed.`main' threw exception: java.lang.RuntimeException: Failure with unexpected exception.


              People

                jjiang John Jiang