JDK-8027249 : JDK 7 Certpathbuilder.build throws SunCertPathBuilderException when JDK 6 works
  • Type: Bug
  • Component: security-libs
  • Affected Version: 7u40,8
  • Priority: P2
  • Status: Closed
  • Resolution: Not an Issue
  • OS: generic
  • CPU: generic
  • Submitted: 2013-10-24
  • Updated: 2015-05-20
  • Resolved: 2013-10-25
Description
1.  Attached 3-7885427021-testcase.tar.gz
2.  cd testcase1-ng/
3.  ./test.sh <jdk_home>

The testcase2-ok is similar code, the only change is
the empty intermediate keystore.

Tested with 6u51 - works.
7 FCS fails.  7u40 fails. 1.8.0-ea-b109 fails.


Running the same piece of code/certs/keystore with JDK 6 works.
JDK 7 fails with the following exception.

sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
        at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
...
Comments
I am closing this as not a bug. In JDK 7 we enhanced our PKIX CertPathBuilder implementation to discover certificate chains using the Authority Key Identifier extension (as specified in section 4.2.1.1 of RFC 5280), which allows you to find the correct certificate when a CA has more than one certificate with different keypairs. This is quite common, for example when you rollover the key of a CA but you want to keep the same subject name.

The certificates that are used in this test case do not have a correct AKID that allows a path to be found. In particular, the authorityCertSerialNumber field of the end entity certificate is set to 3130323032353433323531. The key identifier and issuer are correct, but not the serial number. We match on all fields when looking for a matching CA. This should match the serial number of the issuing CA certificate, per RFC 5280:

    The authority key identifier extension provides a means of identifying the public key corresponding to the private key used to sign a certificate. This extension is used where an issuer has multiple signing keys (either due to multiple concurrent key pairs or due to changeover). The identification MAY be based on either the key identifier (the subject key identifier in the issuer's certificate) or the issuer name and serial number.

However, the serial number of the issuing CA is 3332353635353836363832. Thus, a certification path cannot be found and that explains the expected failure. It seems like you either are using the wrong intermediate CA cross certificate, or the end entity certificate has been issued with an invalid AKI extension, that is the serial number field does not match the serial number of the CA certificate that issued it.
25-10-2013
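As an added example, not code from the bug report or from the JDK, the following standalone Java check reproduces the AKI-to-issuer matching the comment describes: it parses the end-entity certificate's AuthorityKeyIdentifier (RFC 5280 4.2.1.1) with a minimal DER walker and compares the keyIdentifier and authorityCertSerialNumber fields against the candidate CA certificate's subjectKeyIdentifier and serial number, so a mismatch like the one above is reported directly instead of as a generic "unable to find valid certification path". The class name AkiCheck, the helper names and the two PEM/DER file arguments are assumptions.

```java
import java.io.FileInputStream;
import java.math.BigInteger;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;

public class AkiCheck {
    // Minimal DER TLV reader: returns {contentStart, contentEnd} of the element at off.
    static int[] tlv(byte[] d, int off) {
        int len = d[off + 1] & 0xff, p = off + 2;
        if (len > 0x80) { int n = len & 0x7f; len = 0; for (int i = 0; i < n; i++) len = (len << 8) | (d[p++] & 0xff); }
        return new int[] {p, p + len};
    }

    // AuthorityKeyIdentifier ::= SEQUENCE { [0] keyIdentifier OPTIONAL,
    //   [1] authorityCertIssuer OPTIONAL, [2] authorityCertSerialNumber OPTIONAL }
    // getExtensionValue() hands back the value wrapped in an OCTET STRING, so unwrap once.
    // Returns {keyIdentifier bytes or null, authorityCertSerialNumber or null}.
    static Object[] parseAki(byte[] ext) {
        int[] seq = tlv(ext, tlv(ext, 0)[0]);
        byte[] keyId = null; BigInteger serial = null;
        for (int p = seq[0]; p < seq[1]; ) {
            int tag = ext[p] & 0xff; int[] c = tlv(ext, p);
            if (tag == 0x80) keyId = Arrays.copyOfRange(ext, c[0], c[1]);          // [0] IMPLICIT OCTET STRING
            else if (tag == 0x82) serial = new BigInteger(Arrays.copyOfRange(ext, c[0], c[1])); // [2] IMPLICIT INTEGER
            p = c[1];
        }
        return new Object[] {keyId, serial};
    }

    // Explains why the candidate CA would not be accepted as issuer of ee under AKI matching.
    static String check(X509Certificate ee, X509Certificate ca) {
        if (!ee.getIssuerX500Principal().equals(ca.getSubjectX500Principal())) return "issuer name != CA subject";
        byte[] aki = ee.getExtensionValue("2.5.29.35");
        if (aki == null) return "no AKI extension on end-entity certificate";
        Object[] parsed = parseAki(aki);
        byte[] keyId = (byte[]) parsed[0]; BigInteger serial = (BigInteger) parsed[1];
        byte[] ski = ca.getExtensionValue("2.5.29.14");                            // OCTET STRING { OCTET STRING }
        if (keyId != null && ski != null) {
            int[] k = tlv(ski, tlv(ski, 0)[0]);
            if (!Arrays.equals(keyId, Arrays.copyOfRange(ski, k[0], k[1]))) return "keyIdentifier != CA subjectKeyIdentifier";
        }
        if (serial != null && !serial.equals(ca.getSerialNumber()))
            return "authorityCertSerialNumber " + serial.toString(16) + " != CA serial " + ca.getSerialNumber().toString(16);
        return "AKI consistent with CA certificate";
    }

    public static void main(String[] args) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate ee = (X509Certificate) cf.generateCertificate(new FileInputStream(args[0]));
        X509Certificate ca = (X509Certificate) cf.generateCertificate(new FileInputStream(args[1]));
        System.out.println(check(ee, ca));
    }
}
```

Run as `java AkiCheck end-entity.pem intermediate.pem`; a serial mismatch output points at the AKI extension of the end-entity certificate rather than at the keystore or the builder.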

Assign to security-libs for further investigation.
25-10-2013