JDK-8054037 : Improve tracing for java.security.debug=certpath
  • Type: Enhancement
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 8,9
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • Submitted: 2014-07-31
  • Updated: 2015-11-17
  • Resolved: 2015-03-03
Fix versions:
  • JDK 8: 8u60 (Fixed)
  • JDK 9: 9 b54 (Fixed)
Description
The tracing statements output by java.security.debug=certpath should be improved to use more informative messaging.

A recent case demonstrates the need to improve the messages. Examples are:

* Not pointing out where a link was broken while building a PKIX cert path
* Vague messages like: certpath: X509CertSelector.match: maxPathLen too small (-1 < 1)
* Failing to clearly notify the user which cert was not trusted, or failing to indicate which cert was missing (being searched for)


Comments
noreg-other: This change only enhances debug messages
03-03-2015

Here's an example of vague output : (server / Cu cert is removed)
================
certpath: X509CertSelector.match(SN: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  Issuer: CN=VeriSign Class 3 Secure Server CA - G3, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
  Subject: CN=xxxx.yyy.com, OU=TEST CERT, O=COMPANY, L=HOME, ST=BLAH, C=DE)
certpath: X509CertSelector.match: maxPathLen too small (-1 < 1)
certpath: X509CertSelector.match(SN: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
  Subject: CN=VeriSign Class 3 Secure Server CA - G3, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US)
certpath: X509CertSelector.match: maxPathLen too small (0 < 1)
certpath: X509CertSelector.match(SN: 18dad19e267de8bb4a2158cdcc6b3b4a
  Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
  Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US)
certpath: X509CertSelector.match returning: true
certpath: ForwardBuilder.getCerts: checking AIA ext
certpath: ForwardBuilder.getMatchingCACerts: found 0 forward certs
certpath: SunCertPathBuilder.depthFirstSearchForward(): certs.size=0
certpath: SunCertPathBuilder.depthFirstSearchForward(): backtracking
certpath: SunCertPathBuilder.depthFirstSearchForward(): backtracking
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed:
=====
The root cause here was that the "VeriSign Class 3 Public Primary Certification Authority - G5" root CA cert was missing from cacerts.
(old JDK) - we could have been much clearer on suggesting what went wrong.
31-07-2014
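The description asks the certpath trace to say which cert was not trusted or which issuer was being searched for, and the comment above shows the case it had in mind: a self-signed root present in the server's chain but absent from cacerts. As an added example (not JDK code and not part of this bug report), the following Java program does that check on the client side: it builds a PKIX path for a presented chain against a trust store with the public java.security.cert API and, when the build fails, walks the chain to name the first link whose issuer is neither in the chain nor a trust anchor. Run it with -Djava.security.debug=certpath to see the JDK's own trace alongside. The file arguments, the cacerts location under java.home, and reading cacerts without an integrity password are assumptions of this example.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.security.auth.x500.X500Principal;

/*
 * CertPathTriage: added example, not JDK code. Builds a PKIX path for a presented
 * chain and, on failure, names the link whose issuer could not be found.
 * Usage: java CertPathTriage chain.pem [truststore [password]]   (assumed file names;
 * without a trust store the JRE's cacerts is used)
 */
public class CertPathTriage {

    /* Reads every PEM or DER certificate in the file, leaf first as the server sent them. */
    static List<X509Certificate> loadChain(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = Files.newInputStream(Paths.get(path))) {
            for (Certificate c : cf.generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        }
        return chain;
    }

    /* Loads the trust store; with no path, the JRE's cacerts (assumption: read with a null password). */
    static KeyStore loadTrustStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        if (path == null) {
            path = System.getProperty("java.home") + "/lib/security/cacerts";
            password = null;
        }
        try (InputStream in = Files.newInputStream(Paths.get(path))) {
            ks.load(in, password);
        }
        return ks;
    }

    /* Subject names of all trusted certificate entries in the store. */
    static Set<X500Principal> trustedSubjects(KeyStore ks) throws Exception {
        Set<X500Principal> subjects = new HashSet<>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (ks.isCertificateEntry(alias)) {
                subjects.add(((X509Certificate) ks.getCertificate(alias)).getSubjectX500Principal());
            }
        }
        return subjects;
    }

    /* Walks the chain from the leaf and returns a diagnosis of the first link that cannot be
     * continued, or null when every link resolves to a trust anchor (then the failure is
     * something else: validity dates, signature, name or path-length constraints). */
    static String findBrokenLink(List<X509Certificate> chain, Set<X500Principal> trusted) {
        Set<X500Principal> inChain = new HashSet<>();
        for (X509Certificate c : chain) {
            inChain.add(c.getSubjectX500Principal());
        }
        for (X509Certificate c : chain) {
            X500Principal subject = c.getSubjectX500Principal();
            X500Principal issuer = c.getIssuerX500Principal();
            if (trusted.contains(subject) || trusted.contains(issuer)) {
                return null; // a trust anchor is reachable from this link
            }
            if (subject.equals(issuer)) { // the case in this bug: root sent by the server, not in cacerts
                return "self-signed '" + subject + "' (serial " + c.getSerialNumber().toString(16)
                        + ") is in the presented chain but not in the trust store";
            }
            if (!inChain.contains(issuer)) {
                return "no certificate for issuer '" + issuer + "' of '" + subject
                        + "' in the presented chain or the trust store";
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        List<X509Certificate> chain = loadChain(args[0]);
        KeyStore trustStore = loadTrustStore(args.length > 1 ? args[1] : null,
                args.length > 2 ? args[2].toCharArray() : null);
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(chain.get(0)); // the path must end at the leaf
        PKIXBuilderParameters params = new PKIXBuilderParameters(trustStore, target);
        params.setRevocationEnabled(false); // offline triage; revocation is a separate check
        params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(chain)));
        try {
            PKIXCertPathBuilderResult result =
                    (PKIXCertPathBuilderResult) CertPathBuilder.getInstance("PKIX").build(params);
            System.out.println("Path built up to trust anchor: "
                    + result.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        } catch (CertPathBuilderException e) {
            System.out.println("PKIX path building failed: " + e.getMessage());
            String why = findBrokenLink(chain, trustedSubjects(trustStore));
            System.out.println(why != null ? "Likely cause: " + why
                    : "Every link resolves; check validity dates, signatures and constraints instead");
        }
    }
}
```

The walk compares issuer and subject names with X500Principal.equals, which is the same canonical name comparison the PKIX builder uses when it looks for a forward cert, so for the trace shown in the comment the program reports the self-signed "VeriSign Class 3 Public Primary Certification Authority - G5" certificate as present in the chain but missing from the trust store, which is the information the old trace left the reader to infer from "found 0 forward certs".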