JDK-8133094 : JDK 7 and orapki provider not working with JDBC using TCPS
  • Type: Bug
  • Component: security-libs
  • Sub-Component: javax.net.ssl
  • Affected Version: 7u79
  • Priority: P3
  • Status: Closed
  • Resolution: Not an Issue
  • Submitted: 2015-08-06
  • Updated: 2016-01-29
  • Resolved: 2015-08-24
Description
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
        at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1904)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:279)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:273)
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1446)
        at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:209)
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:901)
        at sun.security.ssl.Handshaker.process_record(Handshaker.java:837)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1023)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1332)
        at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:709)
        at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:122)
        at oracle.net.ns.Packet.send(Packet.java:419)
        at oracle.net.ns.ConnectPacket.send(ConnectPacket.java:241)
        at oracle.net.ns.NSProtocolStream.negotiateConnection(NSProtocolStream.java:157)
        at oracle.net.ns.NSProtocol.connect(NSProtocol.java:264)
        at oracle.jdbc.driver.T4CConnection.connect(T4CConnection.java:1452)
        at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:496)


This is most likely a configuration issue on the user side. Investigation continues. The issue was seen after the orapki.jar content was updated.
Comments
This is the root cause of the connection failure. The SubjectKey ID comparison is failing due to the mismatch in the two byte array values:

subjectKeyID is :
0000: 04 14 F1 24 31 36 58 C3 8C 3B D5 E9 E7 C5 F6 13  ...$16X..;......
0010: 32 26 9D AB D3 A9                                2&....

certSubjectKeyID is :
0000: F1 24 31 36 58 C3 8C 3B D5 E9 E7 C5 F6 13 32 26  .$16X..;......2&
0010: 9D AB D3 A9                                      ....

As you can see, the upper one is DER-encoded, the lower one is not. This turns out to be a bug in the oraPKI application code and in how the SKID is parsed and supplied from their end.
29-01-2016
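The check below is an added example, not code from the JDK, oraPKI or this report: it takes the two byte arrays quoted in the comment above and reports whether they differ only by a DER OCTET STRING wrapper (tag 04, length 14) or are genuinely different key identifiers. The class name, method names and the Result enum are hypothetical.

```java
import java.util.Arrays;

public class SkidEncodingCheck {
    enum Result { MATCH, ENCODING_MISMATCH, DIFFERENT }

    // Returns the contents if 'der' is exactly one definite-length
    // OCTET STRING (tag 0x04) with no trailing bytes, otherwise null.
    static byte[] unwrapOctetString(byte[] der) {
        if (der == null || der.length < 2 || der[0] != 0x04) return null;
        int len = der[1] & 0xFF;
        int off = 2;
        if (len >= 0x80) {                        // long-form length
            int n = len & 0x7F;                   // number of length bytes
            if (n == 0 || n > 3 || der.length < 2 + n) return null;
            len = 0;
            for (int i = 0; i < n; i++) len = (len << 8) | (der[2 + i] & 0xFF);
            off = 2 + n;
        }
        if (der.length - off != len) return null; // length must cover the rest
        return Arrays.copyOfRange(der, off, der.length);
    }

    // Byte-for-byte equality first; otherwise test whether stripping one
    // OCTET STRING wrapper from either side makes the values equal.
    static Result compare(byte[] a, byte[] b) {
        if (Arrays.equals(a, b)) return Result.MATCH;
        byte[] ua = unwrapOctetString(a);
        byte[] ub = unwrapOctetString(b);
        if ((ua != null && Arrays.equals(ua, b)) || (ub != null && Arrays.equals(a, ub)))
            return Result.ENCODING_MISMATCH;
        return Result.DIFFERENT;
    }

    static byte[] hex(String s) {
        String[] parts = s.trim().split("\\s+");
        byte[] out = new byte[parts.length];
        for (int i = 0; i < parts.length; i++) out[i] = (byte) Integer.parseInt(parts[i], 16);
        return out;
    }

    public static void main(String[] args) {
        // Values copied from the dump in the comment above.
        byte[] subjectKeyID = hex("04 14 F1 24 31 36 58 C3 8C 3B D5 E9 E7 C5 F6 13 32 26 9D AB D3 A9");
        byte[] certSubjectKeyID = hex("F1 24 31 36 58 C3 8C 3B D5 E9 E7 C5 F6 13 32 26 9D AB D3 A9");
        System.out.println(compare(subjectKeyID, certSubjectKeyID));
    }
}
```

An ENCODING_MISMATCH result points at the component that supplied or parsed the key identifier rather than at the truststore contents, which is the distinction the comment draws.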