Bug ID: JDK-6885667 CertPath/CertPathValidatorTest/bugs/bug6383078 fails on jdk6u18/b02, jdk7/pit/b73 and passes on b72.

Type: Bug
Component: security-libs
Sub-Component: java.security
Affected Version: 6u18,7

Priority: P3
Status: Resolved
Resolution: Fixed
OS: generic
CPU: generic

Submitted: 2009-09-25
Updated: 2011-03-08
Resolved: 2009-10-24

JDK 6	JDK 7	Other
6u18Fixed	7 b75Fixed	OpenJDK6Fixed

CertPath/CertPathValidatorTest/bugs/bug6383078 fails on jdk7/pit/b73 while passes on b72.

log for b73 http://sqeweb.sfbay.sun.com/net/sqenfs-2/export2/results/security/pit/7/b73/gtee/windows-i586_c1/7-b73_pit_security_windows-i586_c1/dtftest.Windows_Vista.x86/bug6383078/bug6383078.log
...
[2009-09-23T12:01:28.66] certpath: connecting to OCSP service at: http://onsite-ocsp.verisign.com
[2009-09-23T12:01:28.66] Exception in thread "main" java.security.AccessControlException: access denied ("java.net.SocketPermission" "onsite-ocsp.verisign.com:80" "connect,resolve")
[2009-09-23T12:01:28.66] 	at java.security.AccessControlContext.checkPermission(AccessControlContext.java:345)
[2009-09-23T12:01:28.66] 	at java.security.AccessController.checkPermission(AccessController.java:555)
[2009-09-23T12:01:28.66] 	at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
[2009-09-23T12:01:28.66] 	at java.lang.SecurityManager.checkConnect(SecurityManager.java:1051)
[2009-09-23T12:01:28.66] 	at sun.net.www.http.HttpClient.openServer(HttpClient.java:454)
[2009-09-23T12:01:28.66] 	at sun.net.www.http.HttpClient.<init>(HttpClient.java:210)
[2009-09-23T12:01:28.66] 	at sun.net.www.http.HttpClient.New(HttpClient.java:293)
[2009-09-23T12:01:28.66] 	at sun.net.www.http.HttpClient.New(HttpClient.java:305)
[2009-09-23T12:01:28.66] 	at sun.net.www.protocol.http.HttpURLConnection.getNewHttpClient(HttpURLConnection.java:862)
[2009-09-23T12:01:28.66] 	at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:798)
[2009-09-23T12:01:28.66] 	at sun.net.www.protocol.http.HttpURLConnection.connect(HttpURLConnection.java:716)
[2009-09-23T12:01:28.66] 	at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:957)
[2009-09-23T12:01:28.66] 	at sun.security.provider.certpath.OCSP.check(OCSP.java:186)
[2009-09-23T12:01:28.66] 	at sun.security.provider.certpath.OCSPChecker.check(OCSPChecker.java:336)
[2009-09-23T12:01:28.66] 	at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:133)
[2009-09-23T12:01:28.71] 	at sun.security.provider.certpath.PKIXCertPathValidator.doValidate(PKIXCertPathValidator.java:321)
[2009-09-23T12:01:28.71] 	at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:187)
[2009-09-23T12:01:28.71] 	at java.security.cert.CertPathValidator.validate(CertPathValidator.java:267)
[2009-09-23T12:01:28.71] 	at ValidateCertPathWithRev.main(ValidateCertPathWithRev.java:40)
[2009-09-23T12:01:28.71] # Test level exit status: 1
[2009-09-23T12:01:29.71] 
...............................

log for b72
http://sqeweb.sfbay.sun.com/net/sqenfs-1/export1/comp/jsn/users/evergreen/wzhu/results-soda-09-09-24-20-10/results/gtee.SunOS.sparc/bug6383078/bug6383078.err
...
[2009-09-25T03:10:53.07] certpath: connecting to OCSP service at: http://onsite-ocsp.verisign.com
[2009-09-25T03:10:53.07] certpath: java.security.AccessControlException: access denied ("java.net.SocketPermission" "onsite-ocsp.verisign.com:80" "connect,resolve")
[2009-09-25T03:10:53.07] certpath: preparing to failover (from OCSP to CRLs)
[2009-09-25T03:10:53.07] certpath: -checker5 validation succeeded
[2009-09-25T03:10:53.07] certpath: -Using checker6 ... [sun.security.provider.certpath.CrlRevocationChecker]
[2009-09-25T03:10:53.65] certpath: CrlRevocationChecker.verifyRevocationStatus() ---checking revocation status...
[2009-09-25T03:10:53.65] certpath: DistributionPointFetcher.getCRLs: Checking CRLDPs for CN=Java Deployment, OU=Class C, OU=Corporate Object Signing, O=Sun Microsystems Inc
[2009-09-25T03:10:53.65] certpath: Trying to fetch CRL from DP http://onsitecrl.verisign.com/SunMicrosystemsIncCorporateObjectSigningClassC/LatestCRL.crl
[2009-09-25T03:10:53.65] certpath: CertStore URI:http://onsitecrl.verisign.com/SunMicrosystemsIncCorporateObjectSigningClassC/LatestCRL.crl
[2009-09-25T03:10:53.65] certpath: Downloading new CRL...
[2009-09-25T03:10:53.65] certpath: Returning 1 CRLs
[2009-09-25T03:10:53.65] certpath: CrlRevocationChecker.verifyRevocationStatus() crls.size() = 0
[2009-09-25T03:10:53.65] certpath: CrlRevocationChecker.verifyRevocationStatus() approved crls.size() = 1
[2009-09-25T03:10:53.65] certpath: starting the final sweep...
[2009-09-25T03:10:53.65] certpath: CrlRevocationChecker.verifyRevocationStatus cert SN: 66035722392064388961324353282751403384
[2009-09-25T03:10:53.65] certpath: -checker6 validation succeeded
[2009-09-25T03:10:53.65] certpath: checking for unresolvedCritExts
[2009-09-25T03:10:53.65] certpath: 
[2009-09-25T03:10:53.65] cert3 validation succeeded.
[2009-09-25T03:10:53.65] 
[2009-09-25T03:10:53.65] certpath: Cert path validation succeeded. (PKIX validation algorithm)
[2009-09-25T03:10:53.80] certpath: --------------------------------------------------------------
[2009-09-25T03:10:53.80] # Test level exit status: 0
[2009-09-25T03:10:54.81]

EVALUATION This is also a regression in JDK 6u18 b02 even though this test is only in the JDK 7 SQE workspace. I am changing the synopsis to reflect that. The regression was caused by CR 6869739.

06-10-2009

EVALUATION The failure might be caused by CR fixes in b73: 6745437 Add option to only check revocation of end-entity certificate in a chain of certificates 6869739 Cannot check revocation of single certificate without validating the entire chain

25-09-2009