JDK-8059817 : Does not match ipv6 addresses in certificates properly
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 7u67
  • Priority: P4
  • Status: Resolved
  • Resolution: Duplicate
  • OS: linux
  • CPU: x86_64
  • Submitted: 2014-10-02
  • Updated: 2016-11-24
  • Resolved: 2016-11-24
Fix Version: JDK 7, 7-pool (Resolved)
Related Reports
Duplicate :  
Description
FULL PRODUCT VERSION :
Picked up JAVA_TOOL_OPTIONS: -Xms16M -Xmx128M
java version "1.7.0_67"
Java(TM) SE Runtime Environment (build 1.7.0_67-b01)
Java HotSpot(TM) 64-Bit Server VM (build 24.65-b04, mixed mode)

ADDITIONAL OS VERSION INFORMATION :
Linux localhost.localdom 3.0.101-0.7.19-default #1 SMP Fri May 9 14:41:39 UTC 2014 (aab30c0) x86_64 x86_64 x86_64 GNU/Linux

A DESCRIPTION OF THE PROBLEM :
When matching the IPv6 address in HostnameChecker.class it simply does a string match. The problem is that the input from the certificate does not match the RFC... so this happens:

2001:123:f123:1::7 != 2001:123:f123:1:0:0:0:7 (I added a println for debugging to find it - source below)

Since it's not properly formatting the certificate's IP address, it fails. The proper format for an IPv6 address for a string comparison is available from https://www.ietf.org/rfc/rfc5952.txt - or it could be converted to binary and compared that way.

Sam

    private static void matchIP(String expectedIP, X509Certificate cert)
            throws CertificateException {
        Collection subjAltNames = cert.getSubjectAlternativeNames();
        if (subjAltNames == null) {
            throw new CertificateException
                    ("No subject alternative names present");
        }
        for (Iterator itr = subjAltNames.iterator(); itr.hasNext(); ) {
            List next = (List)itr.next();
            // For IP address, it needs to be exact match
            if (((Integer)next.get(0)).intValue() == ALTNAME_IP) {
                String ipAddress = (String)next.get(1);
                if (expectedIP.equalsIgnoreCase(ipAddress)) {
                    return;
                }
                // debugging output added by the reporter; not part of the JDK source
                System.out.println(expectedIP + " != " + ipAddress);
            }
        }
        throw new CertificateException("No subject alternative " +
                "names matching " + "IP address " +
                expectedIP + " found");
    }

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Create a certificate with a subjectAlternativeName of an IPv6 address, then try to verify it with sun.security.util.HostnameChecker

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Verified that the address is present on the certificate
ACTUAL -
java.security.cert.CertificateException: No subject alternative names matching IP address 2001:123:f123:1::7 found

ERROR MESSAGES/STACK TRACES THAT OCCUR :
com.sun.xml.internal.ws.client.ClientTransportException: HTTP transport error: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names matching IP address 2001:470:f380:1::7 found
	at com.sun.xml.internal.ws.transport.http.client.HttpClientTransport.getOutput(Unknown Source) ~[na:1.7.0_55]
	at com.sun.xml.internal.ws.transport.http.client.HttpTransportPipe.process(Unknown Source) ~[na:1.7.0_55]
	at com.sun.xml.internal.ws.transport.http.client.HttpTransportPipe.processRequest(Unknown Source) ~[na:1.7.0_55]
	at com.sun.xml.internal.ws.transport.DeferredTransportPipe.processRequest(Unknown Source) ~[na:1.7.0_55]
	at com.sun.xml.internal.ws.api.pipe.Fiber.__doRun(Unknown Source) ~[na:1.7.0_55]
	at com.sun.xml.internal.ws.api.pipe.Fiber._doRun(Unknown Source) ~[na:1.7.0_55]
	at com.sun.xml.internal.ws.api.pipe.Fiber.doRun(Unknown Source) ~[na:1.7.0_55]
	at com.sun.xml.internal.ws.api.pipe.Fiber.runSync(Unknown Source) ~[na:1.7.0_55]
	at com.sun.xml.internal.ws.client.Stub.process(Unknown Source) ~[na:1.7.0_55]
	at com.sun.xml.internal.ws.client.dispatch.DispatchImpl.doInvoke(Unknown Source) ~[na:1.7.0_55]
	at com.sun.xml.internal.ws.client.dispatch.DispatchImpl.invoke(Unknown Source) ~[na:1.7.0_55]
	at com.vmware.vim.sso.client.impl.SoapBindingImpl.sendMessage(SoapBindingImpl.java:130) [wstClient.jar:na]
	at com.vmware.vim.sso.client.impl.SoapBindingImpl.sendMessage(SoapBindingImpl.java:81) [wstClient.jar:na]
	at com.vmware.vim.sso.client.impl.SecurityTokenServiceImpl$RequestResponseProcessor.sendRequest(SecurityTokenServiceImpl.java:767) [wstClient.jar:na]
	at com.vmware.vim.sso.client.impl.SecurityTokenServiceImpl$RequestResponseProcessor.executeRoundtrip(SecurityTokenServiceImpl.java:697) [wstClient.jar:na]
	at com.vmware.vim.sso.client.impl.SecurityTokenServiceImpl.acquireToken(SecurityTokenServiceImpl.java:123) [wstClient.jar:na]
	at com.vmware.vim.install.impl.AdminServiceAccess.acquireSamlToken(AdminServiceAccess.java:297) [regtool.jar:na]
	at com.vmware.vim.install.impl.AdminServiceAccess.<init>(AdminServiceAccess.java:187) [regtool.jar:na]
	at com.vmware.vim.install.impl.AdminServiceAccess.createDiscover(AdminServiceAccess.java:238) [regtool.jar:na]
	at com.vmware.vim.install.impl.RegistrationProviderImpl.<init>(RegistrationProviderImpl.java:57) [regtool.jar:na]
	at com.vmware.vim.install.RegistrationProviderFactory.getRegistrationProvider(RegistrationProviderFactory.java:143) [regtool.jar:na]
	at com.vmware.vim.install.RegistrationProviderFactory$getRegistrationProvider.call(Unknown Source) [regtool.jar:na]
	at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCall(CallSiteArray.java:42) [groovy-all-1.8.6.jar:1.8.6]
	at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:108) [groovy-all-1.8.6.jar:1.8.6]
	at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:116) [groovy-all-1.8.6.jar:1.8.6]
	at com.vmware.sso.cfg.rsvc.ServiceAccessFactoryImpl.createUserAuthn(ServiceAccessFactoryImpl.groovy:46) [sso-service-cfg.jar:na]
	at com.vmware.sso.cfg.rsvc.ServiceAccessFactory$createUserAuthn.call(Unknown Source) [sso-service-cfg.jar:na]
	at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCall(CallSiteArray.java:42) [groovy-all-1.8.6.jar:1.8.6]
	at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:108) [groovy-all-1.8.6.jar:1.8.6]
	at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:128) [groovy-all-1.8.6.jar:1.8.6]
	at com.vmware.sso.cfg.hooks.InstallServicesAction.execute(InstallServicesAction.groovy:90) [sso-service-cfg.jar:na]
	at com.vmware.sso.cfg.hooks.InstallServicesAction$execute.call(Unknown Source) [sso-service-cfg.jar:na]
	at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCall(CallSiteArray.java:42) [groovy-all-1.8.6.jar:1.8.6]
	at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:108) [groovy-all-1.8.6.jar:1.8.6]
	at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:116) [groovy-all-1.8.6.jar:1.8.6]
	at com.vmware.sso.cfg.commands.impl.InstallV2Command.configureDependentServices(InstallV2Command.groovy:229) [sso-service-cfg.jar:na]
	at com.vmware.sso.cfg.commands.impl.InstallV2Command.this$2$configureDependentServices(InstallV2Command.groovy) [sso-service-cfg.jar:na]
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.7.0_55]
	at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source) ~[na:1.7.0_55]
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) ~[na:1.7.0_55]
	at java.lang.reflect.Method.invoke(Unknown Source) ~[na:1.7.0_55]
	at org.codehaus.groovy.reflection.CachedMethod.invoke(CachedMethod.java:90) [groovy-all-1.8.6.jar:1.8.6]
	at groovy.lang.MetaMethod.doMethodInvoke(MetaMethod.java:233) [groovy-all-1.8.6.jar:1.8.6]
	at groovy.lang.MetaClassImpl.invokeMethod(MetaClassImpl.java:1047) [groovy-all-1.8.6.jar:1.8.6]
	at groovy.lang.MetaClassImpl.invokeMethod(MetaClassImpl.java:914) [groovy-all-1.8.6.jar:1.8.6]
	at groovy.lang.MetaClassImpl.invokeMethod(MetaClassImpl.java:877) [groovy-all-1.8.6.jar:1.8.6]
	at groovy.lang.MetaClassImpl.invokeMethod(MetaClassImpl.java:921) [groovy-all-1.8.6.jar:1.8.6]
	at groovy.lang.MetaClassImpl.invokeMethod(MetaClassImpl.java:877) [groovy-all-1.8.6.jar:1.8.6]
	at groovy.lang.Closure.call(Closure.java:412) [groovy-all-1.8.6.jar:1.8.6]
	at groovy.lang.Closure.call(Closure.java:406) [groovy-all-1.8.6.jar:1.8.6]
	at com.vmware.sso.cfg.commands.impl.ActionUtil.tryInOrder(ActionUtil.java:17) [sso-service-cfg.jar:na]
	at com.vmware.sso.cfg.commands.impl.ActionUtil$tryInOrder.call(Unknown Source) [sso-service-cfg.jar:na]
	at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCall(CallSiteArray.java:42) [groovy-all-1.8.6.jar:1.8.6]
	at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:108) [groovy-all-1.8.6.jar:1.8.6]
	at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:116) [groovy-all-1.8.6.jar:1.8.6]
	at com.vmware.sso.cfg.commands.impl.InstallV2Command.execute(InstallV2Command.groovy:97) [sso-service-cfg.jar:na]
	at com.vmware.sso.cfg.commands.api.Command$execute.call(Unknown Source) [sso-service-cfg.jar:na]
	at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCall(CallSiteArray.java:42) [groovy-all-1.8.6.jar:1.8.6]
	at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:108) [groovy-all-1.8.6.jar:1.8.6]
	at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:112) [groovy-all-1.8.6.jar:1.8.6]
	at com.vmware.sso.cfg.ServiceCfgMain.dispatchToCommand(ServiceCfgMain.groovy:74) [sso-service-cfg.jar:na]
	at com.vmware.sso.cfg.ServiceCfgMain.dispatch(ServiceCfgMain.groovy:46) [sso-service-cfg.jar:na]
	at com.vmware.sso.cfg.ServiceCfgMain.this$2$dispatch(ServiceCfgMain.groovy) [sso-service-cfg.jar:na]
	at com.vmware.sso.cfg.ServiceCfgMain$this$2$dispatch.call(Unknown Source) [sso-service-cfg.jar:na]
	at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCall(CallSiteArray.java:42) [groovy-all-1.8.6.jar:1.8.6]
	at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:108) [groovy-all-1.8.6.jar:1.8.6]
	at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:116) [groovy-all-1.8.6.jar:1.8.6]
	at com.vmware.sso.cfg.ServiceCfgMain.main(ServiceCfgMain.groovy:30) [sso-service-cfg.jar:na]
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names matching IP address 2001:470:f380:1::7 found
	at sun.security.ssl.Alerts.getSSLException(Unknown Source) ~[na:1.7.0_55]
	at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source) ~[na:1.7.0_55]
	at sun.security.ssl.Handshaker.fatalSE(Unknown Source) ~[na:1.7.0_55]
	at sun.security.ssl.Handshaker.fatalSE(Unknown Source) ~[na:1.7.0_55]
	at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source) ~[na:1.7.0_55]
	at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source) ~[na:1.7.0_55]
	at sun.security.ssl.Handshaker.processLoop(Unknown Source) ~[na:1.7.0_55]
	at sun.security.ssl.Handshaker.process_record(Unknown Source) ~[na:1.7.0_55]
	at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source) ~[na:1.7.0_55]
	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source) ~[na:1.7.0_55]
	at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source) ~[na:1.7.0_55]
	at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source) ~[na:1.7.0_55]
	at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source) ~[na:1.7.0_55]
	at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source) ~[na:1.7.0_55]
	at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(Unknown Source) ~[na:1.7.0_55]
	at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(Unknown Source) ~[na:1.7.0_55]
	... 68 common frames omitted
Caused by: java.security.cert.CertificateException: No subject alternative names matching IP address 2001:470:f380:1::7 found
	at sun.security.util.HostnameChecker.matchIP(Unknown Source) ~[na:1.7.0_55]
	at sun.security.util.HostnameChecker.match(Unknown Source) ~[na:1.7.0_55]
	at sun.security.ssl.X509TrustManagerImpl.checkIdentity(Unknown Source) ~[na:1.7.0_55]
	at sun.security.ssl.AbstractTrustManagerWrapper.checkAdditionalTrust(Unknown Source) ~[na:1.7.0_55]
	at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(Unknown Source) ~[na:1.7.0_55]
	... 80 common frames omitted

REPRODUCIBILITY :
This bug can be reproduced always.
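Illustration added for this page, not the JDK's own fix: the matcher below compares the expected address and each iPAddress SAN entry as network-order bytes rather than as strings, so the compressed form from the report ("2001:123:f123:1::7") matches the expanded form the JDK produces when it renders a SAN ("2001:123:f123:1:0:0:0:7"). The class name, the helper names and the SAN list built in main() (constructed by hand in the shape X509Certificate.getSubjectAlternativeNames() returns, so the example runs without a real certificate) are assumptions of this example; ALTNAME_IP = 7 is the GeneralName iPAddress tag that HostnameChecker uses.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.security.cert.CertificateException;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;
import java.util.regex.Pattern;

/**
 * Added example (not JDK code): match an IP literal against iPAddress SAN
 * entries by comparing address bytes, so textual variants of the same
 * IPv6 address compare equal.
 */
public class Ipv6SanMatch {

    /** GeneralName tag for iPAddress in getSubjectAlternativeNames() entries. */
    static final int ALTNAME_IP = 7;

    /** Strict dotted quad (each octet 0-255); shorthand forms such as "192.0.2" are refused. */
    private static final Pattern DOTTED_QUAD = Pattern.compile(
            "((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.){3}(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)");

    /**
     * Parse an IP literal to its network-order bytes (4 or 16).
     * Only strings that are syntactically IP literals reach InetAddress.getByName,
     * so it never falls back to a DNS lookup: a string containing ':' is either a
     * valid IPv6 literal or rejected as malformed (host names cannot contain ':'),
     * and anything else must be a strict dotted quad. Zone IDs ("fe80::1%eth0")
     * are refused because a certificate SAN cannot carry one.
     */
    static byte[] ipLiteralBytes(String s) throws CertificateException {
        if (s == null || s.isEmpty() || s.indexOf('%') >= 0) {
            throw new CertificateException("Not a usable IP literal: " + s);
        }
        boolean looksV6 = s.indexOf(':') >= 0;
        if (!looksV6 && !DOTTED_QUAD.matcher(s).matches()) {
            throw new CertificateException("Not an IP literal: " + s);
        }
        try {
            return InetAddress.getByName(s).getAddress();
        } catch (UnknownHostException e) {
            throw new CertificateException("Malformed IP literal: " + s, e);
        }
    }

    /** The behaviour reported in the bug: a plain case-insensitive string comparison. */
    static boolean stringMatch(String expectedIP, String sanIP) {
        return expectedIP.equalsIgnoreCase(sanIP);
    }

    /**
     * Corrected matcher: compare addresses as bytes. Takes the same shape of
     * collection that X509Certificate.getSubjectAlternativeNames() returns.
     * A SAN entry that cannot be parsed aborts the check (fail closed).
     */
    static boolean matchIP(String expectedIP, Collection<List<?>> subjAltNames)
            throws CertificateException {
        if (subjAltNames == null) {
            throw new CertificateException("No subject alternative names present");
        }
        byte[] expected = ipLiteralBytes(expectedIP);
        for (List<?> name : subjAltNames) {
            if (((Integer) name.get(0)).intValue() != ALTNAME_IP) {
                continue;
            }
            byte[] san = ipLiteralBytes((String) name.get(1));
            // 4-byte and 16-byte arrays never compare equal, so an IPv4 SAN
            // cannot accidentally satisfy an IPv6 expectation or vice versa.
            if (Arrays.equals(expected, san)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws CertificateException {
        // Constructed stand-in for cert.getSubjectAlternativeNames(): one dNSName
        // entry and two iPAddress entries, the IPv6 one in the expanded form the
        // JDK produces when it renders the SAN.
        Collection<List<?>> sans = Arrays.<List<?>>asList(
                Arrays.asList(2, "example.test"),
                Arrays.asList(ALTNAME_IP, "2001:123:f123:1:0:0:0:7"),
                Arrays.asList(ALTNAME_IP, "192.0.2.10"));

        String expected = "2001:123:f123:1::7";
        System.out.println("string compare (reported bug): "
                + stringMatch(expected, "2001:123:f123:1:0:0:0:7"));
        System.out.println("byte compare, same address:   " + matchIP(expected, sans));
        System.out.println("byte compare, other address:  " + matchIP("2001:123:f123:1::8", sans));
        System.out.println("byte compare, IPv4 entry:     " + matchIP("192.0.2.10", sans));
    }
}
```

Compile and run with `javac Ipv6SanMatch.java && java Ipv6SanMatch`: the string comparison reports no match for the two spellings of the same address, while the byte comparison matches it, rejects a neighbouring address, and still accepts the IPv4 entry. Two design points worth knowing: the check fails closed if any iPAddress SAN cannot be parsed, rather than silently skipping it; and InetAddress converts an IPv4-mapped literal such as `::ffff:192.0.2.10` to an Inet4Address, so it would match the IPv4 SAN `192.0.2.10`. If that equivalence is not wanted, parse the literal yourself instead of delegating to InetAddress.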


Comments
related to https://bugs.openjdk.java.net/browse/JDK-8065553
25-11-2014