b130 JCG PIT test failure. In this build, we changed the code that finds the proper certificate issuer and the trust anchor. Yes, the update does impact the test. The cause of the failure is that the keyUsage extension of the self-signed cert exists but does not contain keyCertSign. This was allowed before but is rejected now. The test should be updated to accommodate this behavior change.
>
> The case looks like this:
>
> 1. A self-signed cert with keyUsage Crl_Sign. It's added as a trust anchor.
>
> 2. The same cert is also used as a CertPath of length one.
>
> 3. This CertPath cannot be validated now.
>
> Exception in thread "main" java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
>     at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:208)
>     at java.security.cert.CertPathValidator.validate(CertPathValidator.java:279)
>     at A5.main(A5.java:32)
>
> It could be validated in jdk7b128.
>
> Test program and cert included below.
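/*
Test certificate from the report. Save it as /tmp/badku (the default path read by A5).
According to the report it is self-signed and its keyUsage extension contains
Crl_Sign but not keyCertSign.

$ cat /tmp/badku
-----BEGIN CERTIFICATE-----
MIICijCCAkigAwIBAgIEL+/4OjALBgcqhkjOOAQDBQAwEDEOMAwGA1UEAxMFYmFka3UwHhcNMTEw
MjExMDEzMDE3WhcNMTIwMjExMDEzMDE3WjAQMQ4wDAYDVQQDEwViYWRrdTCCAbgwggEsBgcqhkjO
OAQBMIIBHwKBgQD9f1OBHXUSKVLfSpwu7OTn9hG3UjzvRADDHj+AtlEmaUVdQCJR+1k9jVj6v8X1
ujD2y5tVbNeBO4AdNG/yZmC3a5lQpaSfn+gEexAiwk+7qdf+t8Yb+DtX58aophUPBPuD9tPFHsMC
NVQTWhaRMvZ1864rYdcq7/IiAxmd0UgBxwIVAJdgUI8VIwvMspK5gqLrhAvwWBz1AoGBAPfhoIXW
mz3ey7yrXDa4V7l5lK+7+jrqgvlXTAs9B4JnUVlXjrrUWU/mcQcQgYC0SRZxI+hMKBYTt88JMozI
puE8FnqLVHyNKOCjrh4rs6Z1kW6jfwv6ITVi8ftiegEkO8yk8b6oUZCJqIPf4VrlnwaSi2ZegHtV
JWQBTDv+z0kqA4GFAAKBgQDHLNiVIpcJCfKXBi+WZpwjLHqD02Cw25l+eFyLFmWDCZnNPUkEol72
OqxzxD8jjqL9IaCPYs5g8+jsKVmNvK+pkP5g81o0IM4fa/Zs1SBBsrs+sEB8Jcrx9fWqd7zjzSkq
S7TXRKxKES8tDjtYU591vnVgQe2bIcbomXSVhCZe06MuMCwwHQYDVR0OBBYEFAugl1vU8x5Ebay8
6IestTZBtjwKMAsGA1UdDwQEAwIBAjALBgcqhkjOOAQDBQADLwAwLAIUQWFg/hPbiMaNzKgH1i7x
vjiTaU0CFDhmp3+Y1/1crKtJ3ZxnQdX1sRZw
-----END CERTIFICATE-----
*/

import java.io.FileInputStream;
import java.security.cert.*;
import java.util.*;

/**
 * Reproducer for the PKIX validation behavior change described in this report.
 *
 * <p>The program loads the certificates from a PEM file, installs the first one as the
 * only trust anchor, and then validates a CertPath built from the same certificates
 * against that anchor. With the certificate above, the report states that jdk7 b128
 * validated the path while b130 throws
 * {@code CertPathValidatorException: Path does not chain with any of the trust anchors},
 * because the certificate's keyUsage extension is present but lacks keyCertSign.
 */
public class A5 {

    /**
     * Runs the validation once and lets any failure propagate.
     *
     * @param args optional; {@code args[0]} overrides the certificate file path,
     *             which defaults to {@code /tmp/badku}
     * @throws Exception if the file cannot be read or parsed, if it holds no
     *                   certificate, or if PKIX validation rejects the path
     */
    public static void main(String[] args) throws Exception {
        String pemPath = args.length > 0 ? args[0] : "/tmp/badku";

        CertificateFactory cf = CertificateFactory.getInstance("X509");
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");

        // Close the stream deterministically; the original left the FileInputStream open.
        List<Certificate> certs;
        try (FileInputStream in = new FileInputStream(pemPath)) {
            certs = new ArrayList<Certificate>(cf.generateCertificates(in));
        }
        if (certs.isEmpty()) {
            // Without this check certs.get(0) below fails with an unhelpful index error.
            throw new IllegalArgumentException("No certificates found in " + pemPath);
        }

        // The path under test is the certificate list itself (length one for /tmp/badku).
        CertPath cp = cf.generateCertPath(certs);

        // The same certificate doubles as the sole trust anchor; no name constraints (null).
        Set<TrustAnchor> tas = new HashSet<>();
        tas.add(new TrustAnchor((X509Certificate) certs.get(0), null));

        PKIXParameters pkixParameters = new PKIXParameters(tas);
        // Revocation checking is switched off so the outcome depends only on whether
        // the path chains to the anchor. This is a test setting, not a validation default.
        pkixParameters.setRevocationEnabled(false);

        validator.validate(cp, pkixParameters);
    }
}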
|