JDK-8164846 : CertificateException missing cause of underlying exception
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 9
  • Priority: P4
  • Status: Closed
  • Resolution: Fixed
  • OS: generic
  • CPU: generic
  • Submitted: 2016-08-26
  • Updated: 2017-12-21
  • Resolved: 2016-09-01
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 7 JDK 8 JDK 9 Other
7u131Fixed 8u152Fixed 9 b135Fixed openjdk7uFixed
Certpath issues often get thrown up to the end user in the form of an exception. Here's an example : 

java.security.cert.CertificateException: Certificates does not conform to algorithm constraints

Unfortunately, that doesn't give us too much information. People want to know exactly what went wrong. Was it an invalid Algorithm issue, was it an invalid keySize issue, etc.

Here's the issue in SSLContextImpl : 

        } catch (CertPathValidatorException cpve) {
            throw new CertificateException(
                "Certificates does not conform to algorithm constraints");

The cpve here contains valuable information. Example[1] Can we pass it in as 2nd argument to CertificateException ? Examples of info lost : 

[1] AlgorithmChecker.java
        // Check the current signature algorithm
        if (!constraints.permits(
                currSigAlg, currSigAlgParams)) {
            throw new CertPathValidatorException(
                "Algorithm constraints check failed: " + currSigAlg,
                null, null, -1, BasicReason.ALGORITHM_CONSTRAINED);