JDK-8059009 : LDAPCertStore fails to retrieve CRL after LDAP server closes idle connection
- Type: Bug
- Component: security-libs
- Sub-Component: java.security
- Affected Version: 7,8,9
- Priority: P4
- Status: Closed
- Resolution: Fixed
- OS: generic
- CPU: generic
- Submitted: 2014-09-23
- Updated: 2020-11-30
- Resolved: 2015-01-15
The Version table provides details related to the release that this issue/RFE will be addressed.
Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.
To download the current JDK release, click here.
Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.
To download the current JDK release, click here.
| JDK 9 |
|---|
9 b47Fixed  |
Related Reports
|
Relates :
|
|
|
Relates :
|
Description
FULL PRODUCT VERSION :
A DESCRIPTION OF THE PROBLEM :
sun.security.provider.certpath.PKIXCertPathValidator fails certificate chain validation on CRL check using sun.security.provider.certpath.ldap.LDAPCertStore if LDAP server closes idle connection.
Please see:
http://stackoverflow.com/questions/25991400/how-to-amend-ldap-connection-properties-in-ldapcertstore-for-x509-cert-chain-val
https://stackoverflow.com/questions/8787577/how-to-reconnect-when-the-ldap-server-is-restarted
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
1. Initialize PKIXCertPathValidator with LDAPCertStore
2. Wait server to close connection (sleep required time)
3. Try to validate valid certificate chain
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
no exception
ACTUAL -
exception
ERROR MESSAGES/STACK TRACES THAT OCCUR :
java.security.cert.CertPathValidatorException: java.security.cert.CertStoreException: javax.naming.CommunicationException: connection closed [Root exception is java.io.IOException: connection closed]; remaining name ...
REPRODUCIBILITY :
This bug can be reproduced always.
---------- BEGIN SOURCE ----------
@Test
public void testRevocationListValidation() throws Exception {
String trustStoreFile = "trustStoreFilePath";
KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
InputStream is = getClass().getResourceAsStream(trustStoreFile);
if (is == null) {
throw new FileNotFoundException(String.format("KeyStore file '%s' is not found on classpath", trustStoreFile));
}
trustStore.load(is, "password".toCharArray());
Set<TrustAnchor> trustedAnchors = new HashSet<TrustAnchor>();
for (String caCertificateAlias : new String[]{"ca"}) {
X509Certificate certificate = (X509Certificate) trustStore.getCertificate(caCertificateAlias);
trustedAnchors.add(new TrustAnchor(certificate, null));
}
PKIXParameters parameters = new PKIXParameters(trustedAnchors);
CertStore certStore = CertStore.getInstance("LDAP", new LDAPCertStoreParameters("ldapHost", 389));
parameters.setCertStores(Collections.singletonList(certStore));
KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
keyStore.load(getClass().getResourceAsStream("keystore.jks"), "password".toCharArray());
String keyStoreAlias = "dev-test";
Certificate[] userCertificateChain = keyStore.getCertificateChain(keyStoreAlias);
for (int i = 0; i < 3; i++) {
System.out.println("Starting validation " + i);
CertPath userCertificatePath = CertificateFactory.getInstance("X.509").generateCertPath(Arrays.asList(userCertificateChain));
CertPathValidator.getInstance("PKIX").validate(userCertificatePath, parameters);
System.out.println("Validation " + i + " succeeded");
if (i == 1) {
System.out.println("Sleeping after second validation");
TimeUnit.SECONDS.sleep(90); // Server connection timeout ~ 60 sec
}
}
}
---------- END SOURCE ----------
CUSTOMER SUBMITTED WORKAROUND :
1. Init fresh LDAPCertStore for each validation (or catch exception and search for connection closed message and than reinit)
2. Make dummy LDAP requests with period less then idle connection timeout (but it won't help if server restarts)
Comments
|