JDK-8207028 : JSSE TrustManagerFactory ignores custom value of deployment.system.security.cacerts property
  • Type: Bug
  • Component: docs
  • Sub-Component: guides
  • Affected Version: 8,9,10
  • Priority: P4
  • Status: Resolved
  • Resolution: Fixed
  • OS: windows_10
  • CPU: x86_64
  • Submitted: 2018-07-04
  • Updated: 2019-11-29
  • Resolved: 2019-07-17
  • Fix Version: JDK 8 (8u241 b01) - Fixed
Description
A DESCRIPTION OF THE PROBLEM:

JDK-8149722 : JSSE TrustManagerFactory ignores deployment.system.security.cacerts

I have the same expectation that if an administrator defines security settings they should be honoured. Otherwise the documentation for the deployment.properties should clearly explain that the settings are just for Web Start security.

The tools like the Java Control Panel respect these settings and display the defined keystores, but the runtime uses hard-coded paths or an insecure system property and ignores these settings.

REGRESSION: Last worked in version 8u172

FREQUENCY: always

Comments
The property "deployment.system.security.cacerts" is defined in the "Java Platform, Standard Edition Deployment Guide", section 21, Deployment Configuration File and Properties, at: https://docs.oracle.com/javase/8/docs/technotes/guides/deploy/properties.html#CHDEIEHA. That section starts with: "This topic describes system and user properties that can be set to configure the deployment process." Nothing in this guide applies to stand-alone Java applications, only to the applications and applets run using the deployment code (Java Plugin and Java Web Start). The deployment.properties file is not read by or in any way used in a stand-alone application. The JCP is also part of the deployment code and makes settings only for these deployment products. This is a doc complaint that this is not clear enough in the deployment guide where these properties are described.
11-07-2018

Reproduced the issue using the test case provided in JDK-8149722. Executed the attached test case with the following steps:

a) Copied the cacerts file from ${JAVA_HOME}\lib\security to D:\temp\
b) Deleted the cacerts from the ${JAVA_HOME}\lib\security directory
c) Added the following configuration in the deployment.properties file: deployment.system.security.cacerts=D:\\temp\\cacerts
d) Ran the attached test case; the attached log file contains the output.

JDK 8u171 - Fail
JDK 10 - Fail

javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
    at java.base/sun.security.ssl.Alerts.getSSLException(Alerts.java:214)
    at java.base/sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1974)
    at java.base/sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1926)
    at java.base/sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1909)
    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1436)
    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)
    at java.base/sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:567)
    at java.base/sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
    at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1581)
    at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1509)
    at java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:245)
    at JI9027508.main(JI9027508.java:29)
Caused by: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
    at java.base/sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:89)
    at java.base/sun.security.validator.Validator.getInstance(Validator.java:181)
    at java.base/sun.security.ssl.X509TrustManagerImpl.getValidator(X509TrustManagerImpl.java:330)
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrustedInit(X509TrustManagerImpl.java:180)
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:192)
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:133)
    at java.base/sun.security.ssl.ClientHandshaker.checkServerCerts(ClientHandshaker.java:1947)
    at java.base/sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1777)
    at java.base/sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:264)
    at java.base/sun.security.ssl.Handshaker.processLoop(Handshaker.java:1098)
    at java.base/sun.security.ssl.Handshaker.processRecord(Handshaker.java:1026)
    at java.base/sun.security.ssl.SSLSocketImpl.processInputRecord(SSLSocketImpl.java:1137)
    at java.base/sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1074)
    at java.base/sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:973)
    at java.base/sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1402)
    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1429)
    ... 7 more
Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
    at java.base/java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200)
    at java.base/java.security.cert.PKIXParameters.<init>(PKIXParameters.java:120)
    at java.base/java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:104)
    at java.base/sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:86)
    ... 22 more
11-07-2018
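Both comments above make the same point: a stand-alone JVM never reads deployment.properties, so an administrator-chosen cacerts path has to be handed to the application explicitly, and an empty or missing truststore surfaces only as the deep "trustAnchors parameter must be non-empty" exception during the handshake. The following is an added example, not code from the JDK or from the attached test case: it loads the truststore from an explicit path, refuses to start if it holds no trust anchors, and builds the SSLContext from it. The class name and the D:\temp\cacerts path (taken from the repro) are assumptions.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Enumeration;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/** Builds an SSLContext from an explicitly chosen truststore rather than the JDK's default lookup. */
public final class ExplicitTrustStore {
    /** Loads the keystore file at {@code path}; the store type follows the running JDK's default. */
    static KeyStore loadTrustStore(Path path, char[] password) throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Counts trusted-certificate entries; zero is the state behind "the trustAnchors parameter must be non-empty". */
    static int countTrustAnchors(KeyStore ks) throws GeneralSecurityException {
        int anchors = 0;
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            if (ks.isCertificateEntry(e.nextElement())) {
                anchors++;
            }
        }
        return anchors;
    }

    /** Hypothetical entry point: the administrator-chosen path (e.g. the D:\temp\cacerts copy from the repro)
     *  is passed in explicitly, because a stand-alone JVM never reads deployment.properties. */
    static SSLContext contextFor(Path trustStorePath, char[] password) throws IOException, GeneralSecurityException {
        KeyStore ks = loadTrustStore(trustStorePath, password);
        if (countTrustAnchors(ks) == 0) {
            // Fail fast at startup with a readable message instead of a handshake-time exception.
            throw new IllegalStateException(trustStorePath + " contains no trusted certificates");
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx; // e.g. HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory())
    }
}
```

Passing a null password to KeyStore.load still reads the certificate entries but skips the store's integrity check, so supply the real password when the truststore is administrator-managed.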