JDK-8185552 : Algorithm Constraints Check Failure
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 7u151
  • Priority: P3
  • Status: Closed
  • Resolution: Not an Issue
  • OS: solaris_10
  • CPU: sparc_64
  • Submitted: 2017-07-26
  • Updated: 2018-02-21
  • Resolved: 2018-02-21
Description
FULL PRODUCT VERSION :
JDK 1.7.0_151

ADDITIONAL OS VERSION INFORMATION :
SunOS <HOSTNAME> 5.10 Generic_150400-52 sun4v sparc SUNW,Sun-Fire_t200

A DESCRIPTION OF THE PROBLEM :
Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on signature algorithm: SHA256WithRSAEncryption
         at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:360)
         at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:270)
         at sun.security.validator.Validator.validate(Validator.java:260)
         at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
         at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
         at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
         at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1459)
         ... 125 more


REGRESSION.  Last worked in version 7u141

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Start our JBOSS server pointing to 151. Attempt to connect to a remote service using a certificate.

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
A successful connection and data being returned
ACTUAL -
The following error and no data being returned.

Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on signature algorithm: SHA256WithRSAEncryption
         at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:360)
         at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:270)
         at sun.security.validator.Validator.validate(Validator.java:260)
         at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
         at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
         at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
         at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1459)
         ... 125 more


ERROR MESSAGES/STACK TRACES THAT OCCUR :
Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on signature algorithm: SHA256WithRSAEncryption
         at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:360)
         at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:270)
         at sun.security.validator.Validator.validate(Validator.java:260)
         at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
         at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
         at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
         at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1459)
         ... 125 more


REPRODUCIBILITY :
This bug can be reproduced always.

CUSTOMER SUBMITTED WORKAROUND :
We've rolled back to 141


Comments
Also, could you please post a reproducer if you have one?
26-10-2017

Can you please turn on the following switch, -Djava.security.debug=certpath, while starting the JVM and provide us with the complete log file?
07-08-2017