JDK-8133489 : Better messaging for PKIX path validation matching
  • Type: Enhancement
  • Component: security-libs
  • Sub-Component: javax.net.ssl
  • Affected Version: 8,9
  • Priority: P4
  • Status: Resolved
  • Resolution: Fixed
  • OS: generic
  • CPU: generic
  • Submitted: 2015-08-12
  • Updated: 2022-06-27
  • Resolved: 2019-06-21
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 11 JDK 13 JDK 14 JDK 8 Other
11.0.5-oracleFixed 13.0.3Fixed 14 b03Fixed 8u241Fixed openjdk8u242Fixed
Related Reports
Relates :  
We should try and be more verbose when it comes to PKIX path validation. Include more information in debug logs where possible.

Here's a recent example I worked on : 

certpath: X509CertSelector.match(SN: xxx1a8ae
  Issuer: OU=xxxxx CA,OU=Certification Authorities,OU=xxxxx,O=xxxx,C=US
  Subject: OU=xxx CA4,OU=Certification Authorities,OU=xxxxx,O=xxxx,C=US)
certpath: X509CertSelector.match: subject key IDs don't match

Print the SKIDs! there are other examples in X509CertSelector also where we can print IDs to debug logs.
Fix Request for 13u. The fix increases stability for 13u. The patch applies cleanly, test passes.

8u review approval: https://mail.openjdk.java.net/pipermail/jdk8u-dev/2019-November/010610.html

Fix Request (jdk8u) Low risk. Applies almost cleanly to jdk8u: just a trivial change in the KeyUsageMatters test file hook because there is not @modules in jdk8u. Review thread: https://mail.openjdk.java.net/pipermail/jdk8u-dev/2019-November/010608.html

Fix Request: Needs to be backport to match up with Oracle. Patch applies cleanly. Low risk, testing in SAP test system before pushing.

URL: http://hg.openjdk.java.net/jdk/jdk/rev/00f29fe98900 User: coffeys Date: 2019-06-21 08:07:54 +0000