JDK-8021804 : Certpath validation fails if validity period of root cert does not include validity period of intermediate cert
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 7,8,8u25
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • Submitted: 2013-07-29
  • Updated: 2017-09-04
  • Resolved: 2014-03-21
Fix Versions:
  • 7u67: Fixed
  • 8u20 b09: Fixed
  • 9: Fixed
Certificate path validation fails with GoDaddy's SSL certificates (https://valid.gdi.catest.godaddy.com/) because the expiration date of the intermediate certificate is later than the expiration date of the root certificate.

  • Fix for Release: 7u72
  • Risk Analysis: Low - removing a condition in the validation of a certificate
  • Testing (done/to-be-done): Standard Security tests

Release team: Approved for deferral.

Release team: We'd like to get the VT (Drew) opinion on this one before deciding. Can you please follow up with him and update the bug?

I think there is a bug here, but we need to be careful about removing this. Here are the comments from AdaptableX509CertSelector:

    /**
     * Sets the criterion of the X509Certificate validity period.
     *
     * Normally, we may not have to check that a certificate validity period
     * must fall within its issuer's certificate validity period. However,
     * when we face root CA key updates for version 1 certificates, according
     * to scheme of RFC 4210 or 2510, the validity periods should be checked
     * to determine the right issuer's certificate.
     *
     * Conservatively, we will only check the validity periods for version
     * 1 and version 2 certificates. For version 3 certificates, we can
     * determine the right issuer by authority and subject key identifier
     * extensions.
     *
     * @param startDate the start date of a validity period that must fall
     *        within the certificate validity period for the X509Certificate
     * @param endDate the end date of a validity period that must fall
     *        within the certificate validity period for the X509Certificate
     */
    void setValidityPeriod(Date startDate, Date endDate) {

The Valicert root CA is a version 1 certificate. I think this code needs to be restructured such that if there is more than one CA with the same subject, it prefers the one with a validity period within the next certificate's validity period, but still tries both. So this way it won't eliminate Valicert from consideration.
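A small model of the two issuer-selection behaviours discussed in this report, added here as an illustration and not JDK code: the quoted validity-period criterion that drops a v1/v2 candidate issuer outright, beside the proposed prefer-but-still-try ordering. The `Cert` class, the subject names and all dates are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X509Certificate (constructed; not the JDK class)."""
    subject: str
    version: int            # X.509 version number: 1, 2 or 3
    not_before: datetime
    not_after: datetime

def period_contains(issuer, child):
    """True when the issuer's validity period covers the child's whole period."""
    return issuer.not_before <= child.not_before and issuer.not_after >= child.not_after

def candidates_before_fix(child, issuer_name, store):
    """Pre-fix behaviour as described by the quoted setValidityPeriod criterion:
    a v1/v2 candidate whose period does not contain the child's period is dropped."""
    return [c for c in store
            if c.subject == issuer_name and (c.version >= 3 or period_contains(c, child))]

def candidates_after_fix(child, issuer_name, store):
    """Behaviour proposed in the comment above: keep every candidate with the
    matching subject, but try the ones whose period contains the child's first."""
    same_subject = [c for c in store if c.subject == issuer_name]
    # sorted() is stable and False < True, so containing issuers come first.
    return sorted(same_subject, key=lambda c: not period_contains(c, child))

# Constructed sample data; dates are illustrative, not those of real certificates.
ROOT_V1 = Cert("CN=Example v1 Root", 1, datetime(2000, 1, 1), datetime(2020, 1, 1))
ROOT_V1_RENEWED = Cert("CN=Example v1 Root", 1, datetime(2005, 1, 1), datetime(2035, 1, 1))
# Intermediate signed by the root but expiring six years after the original root.
INTERMEDIATE = Cert("CN=Example Intermediate", 3, datetime(2006, 1, 1), datetime(2026, 1, 1))

def demo_single_root():
    """The reported case: only the original v1 root is in the store."""
    store = [ROOT_V1]
    return (candidates_before_fix(INTERMEDIATE, ROOT_V1.subject, store),
            candidates_after_fix(INTERMEDIATE, ROOT_V1.subject, store))

def demo_key_update():
    """Root key update: two same-subject v1 roots, only the renewed one contains."""
    store = [ROOT_V1, ROOT_V1_RENEWED]
    return (candidates_before_fix(INTERMEDIATE, ROOT_V1.subject, store),
            candidates_after_fix(INTERMEDIATE, ROOT_V1.subject, store))

if __name__ == "__main__":
    print("single root, before/after fix:", demo_single_root())  # before: [], after: [ROOT_V1]
    print("key update, before/after fix:", demo_key_update())
```

In the single-root case the pre-fix filter returns no candidate at all, which is the path-building failure this bug describes; the proposed ordering still returns the root, and in the key-update case it tries the containing root first without discarding the other.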