JDK-8189760 : sun/security/ssl/CertPathRestrictions/TLSRestrictions.java failed with unexpected Exception intermittently
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 10
  • Priority: P4
  • Status: Resolved
  • Resolution: Fixed
  • Submitted: 2017-10-20
  • Updated: 2019-01-14
  • Resolved: 2018-01-05
Fixed versions:
  • JDK 11: 11 b01 (Fixed)
  • JDK 7: 7u211 (Fixed)
  • JDK 8: 8u192 (Fixed)
Description
#section:main
----------messages:(4/228)----------
command: main -Djava.security.debug=certpath TLSRestrictions S8
reason: User specified action: run main/othervm -Djava.security.debug=certpath TLSRestrictions S8 
Mode: othervm [/othervm specified]
elapsed time (seconds): 1.705
----------configuration:(0/0)----------
----------System.out:(206/15994)----------
Case:
  trustNames=ROOT_CA_SHA256; certNames=END_ENTITY_SHA256-INTER_CA_SHA1-ROOT_CA_SHA256,INTER_CA_SHA1-ROOT_CA_SHA256
  serverConstraint=SHA1 usage TLSClient; clientConstraint=MD2, MD5
  needClientAuth=true
  pass=false

Server: Old jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224
Server: New jdk.certpath.disabledAlgorithms=SHA1 usage TLSClient
Server: port=58472
Server: started
Command line: [/scratch/opt/mach5/mesos/work_dir/jib-master/install/jdk10-master.174/linux-x64.jdk/jdk-10/bin/java -cp /scratch/opt/mach5/mesos/work_dir/slaves/7aed79a7-ea87-4caa-8895-f1d7e69bb48e-S4076/frameworks/1735e8a2-a1db-478c-8104-60c8b0af87dd-0196/executors/7fce4e10-08a1-4962-a860-b1c050a3670f/runs/f14e8a1b-1516-4594-b825-1daeb746c70d/testoutput/jtreg/JTwork/classes/4/sun/security/ssl/CertPathRestrictions/TLSRestrictions.d:/scratch/opt/mach5/mesos/work_dir/jib-master/install/jdk10-master.174/src.full/open/test/jdk/sun/security/ssl/CertPathRestrictions:/scratch/opt/mach5/mesos/work_dir/slaves/7aed79a7-ea87-4caa-8895-f1d7e69bb48e-S4076/frameworks/1735e8a2-a1db-478c-8104-60c8b0af87dd-0196/executors/7fce4e10-08a1-4962-a860-b1c050a3670f/runs/f14e8a1b-1516-4594-b825-1daeb746c70d/testoutput/jtreg/JTwork/classes/4/test/lib:/scratch/opt/mach5/mesos/work_dir/jib-master/install/jdk10-master.174/src.full/open/test/lib:/scratch/opt/mach5/mesos/work_dir/jib-master/install/com/oracle/java/jib/jib/3.0-SNAPSHOT/jib-3.0-SNAPSHOT-distribution.zip/jib-3.0-SNAPSHOT-distribution/lib/jib-3.0-SNAPSHOT.jar:/scratch/opt/mach5/mesos/work_dir/jib-master/install/java/re/jtreg/4.2/promoted/all/b08/bundles/jtreg_bin-4.2.zip/jtreg/lib/javatest.jar:/scratch/opt/mach5/mesos/work_dir/jib-master/install/java/re/jtreg/4.2/promoted/all/b08/bundles/jtreg_bin-4.2.zip/jtreg/lib/jtreg.jar -ea -esa -Xmx512m -Dcert.dir=/scratch/opt/mach5/mesos/work_dir/jib-master/install/jdk10-master.174/src.full/open/test/jdk/sun/security/ssl/CertPathRestrictions/certs -Djava.security.debug=certpath -classpath /scratch/opt/mach5/mesos/work_dir/slaves/7aed79a7-ea87-4caa-8895-f1d7e69bb48e-S4076/frameworks/1735e8a2-a1db-478c-8104-60c8b0af87dd-0196/executors/7fce4e10-08a1-4962-a860-b1c050a3670f/runs/f14e8a1b-1516-4594-b825-1daeb746c70d/testoutput/jtreg/JTwork/classes/4/sun/security/ssl/CertPathRestrictions/TLSRestrictions.d JSSEClient 58472 ROOT_CA_SHA256 
END_ENTITY_SHA256-INTER_CA_SHA1-ROOT_CA_SHA256,INTER_CA_SHA1-ROOT_CA_SHA256 MD2, MD5 ]
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Usage constraint TLSClient check failed: SHA1 used with certificate: CN=INTER_CA_SHA1-ROOT_CA_SHA256, OU=Java, O=Org, L=City, ST=CA, C=US.  Usage was tls client
	at java.base/sun.security.ssl.Alerts.getSSLException(Alerts.java:198)
	at java.base/sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1974)
	at java.base/sun.security.ssl.Handshaker.fatalSE(Handshaker.java:319)
	at java.base/sun.security.ssl.Handshaker.fatalSE(Handshaker.java:313)
	at java.base/sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:2120)
	at java.base/sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:249)
	at java.base/sun.security.ssl.Handshaker.processLoop(Handshaker.java:1072)
	at java.base/sun.security.ssl.Handshaker.processRecord(Handshaker.java:1000)
	at java.base/sun.security.ssl.SSLSocketImpl.processInputRecord(SSLSocketImpl.java:1137)
	at java.base/sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1074)
	at java.base/sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:973)
	at java.base/sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1402)
	at java.base/sun.security.ssl.SSLSocketImpl.bytesInCompletePacket(SSLSocketImpl.java:907)
	at java.base/sun.security.ssl.AppInputStream.read(AppInputStream.java:144)
	at java.base/sun.security.ssl.AppInputStream.read(AppInputStream.java:84)
	at JSSEServer$1.run(JSSEServer.java:63)
	at java.base/java.lang.Thread.run(Thread.java:844)
Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Usage constraint TLSClient check failed: SHA1 used with certificate: CN=INTER_CA_SHA1-ROOT_CA_SHA256, OU=Java, O=Org, L=City, ST=CA, C=US.  Usage was tls client
	at java.base/sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:350)
	at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:259)
	at java.base/sun.security.validator.Validator.validate(Validator.java:264)
	at java.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:343)
	at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:226)
	at java.base/sun.security.ssl.X509TrustManagerImpl.checkClientTrusted(X509TrustManagerImpl.java:127)
	at java.base/sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:2102)
	... 12 more
Caused by: java.security.cert.CertPathValidatorException: Usage constraint TLSClient check failed: SHA1 used with certificate: CN=INTER_CA_SHA1-ROOT_CA_SHA256, OU=Java, O=Org, L=City, ST=CA, C=US.  Usage was tls client
	at java.base/sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:135)
	at java.base/sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:223)
	at java.base/sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:140)
	at java.base/sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:79)
	at java.base/java.security.cert.CertPathValidator.validate(CertPathValidator.java:309)
	at java.base/sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:345)
	... 18 more
Caused by: java.security.cert.CertPathValidatorException: Usage constraint TLSClient check failed: SHA1 used with certificate: CN=INTER_CA_SHA1-ROOT_CA_SHA256, OU=Java, O=Org, L=City, ST=CA, C=US.  Usage was tls client
	at java.base/sun.security.util.DisabledAlgorithmConstraints$UsageConstraint.permits(DisabledAlgorithmConstraints.java:739)
	at java.base/sun.security.util.DisabledAlgorithmConstraints$Constraints.permits(DisabledAlgorithmConstraints.java:419)
	at java.base/sun.security.util.DisabledAlgorithmConstraints.permits(DisabledAlgorithmConstraints.java:167)
	at java.base/sun.security.provider.certpath.AlgorithmChecker.check(AlgorithmChecker.java:326)
	at java.base/sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:125)
	... 23 more
---------- Client output start ----------
Client: arguments=58472; ROOT_CA_SHA256; END_ENTITY_SHA256-INTER_CA_SHA1-ROOT_CA_SHA256,INTER_CA_SHA1-ROOT_CA_SHA256; MD2, MD5
Client: Old jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224
Client: New jdk.certpath.disabledAlgorithms=MD2, MD5
Client: connected
certpath: Constraints: SSLv3
certpath: Constraints: RC4
certpath: Constraints: MD5withRSA
certpath: Constraints: DH keySize < 1024
certpath: Constraints set to keySize: keySize < 1024
certpath: Constraints: EC keySize < 224
certpath: Constraints set to keySize: keySize < 224
certpath: Constraints: MD2
certpath: Constraints: MD5
certpath: Constraints: MD2
certpath: Constraints: MD5
certpath: TrustAnchor is null, trustedMatch is false.
certpath: PKIXCertPathValidator.engineValidate()...
certpath: X509CertSelector.match(SN: a3529d826fddc61d
  Issuer: CN=ROOT_CA_SHA256, OU=Java, O=Org, L=City, ST=CA, C=US
  Subject: CN=ROOT_CA_SHA256, OU=Java, O=Org, L=City, ST=CA, C=US)
certpath: X509CertSelector.match returning: true
certpath: YES - try this trustedCert
certpath: anchor.getTrustedCert().getSubjectX500Principal() = CN=ROOT_CA_SHA256, OU=Java, O=Org, L=City, ST=CA, C=US
certpath: --------------------------------------------------------------
certpath: Executing PKIX certification path validation algorithm.
certpath: Checking cert1 - Subject: CN=INTER_CA_SHA1-ROOT_CA_SHA256, OU=Java, O=Org, L=City, ST=CA, C=US
certpath: -Using checker1 ... [sun.security.provider.certpath.UntrustedChecker]
certpath: -checker1 validation succeeded
certpath: -Using checker2 ... [sun.security.provider.certpath.AlgorithmChecker]
certpath: Constraints.permits(): SHA1withRSA Variant: tls server
certpath: -checker2 validation succeeded
certpath: -Using checker3 ... [sun.security.provider.certpath.KeyChecker]
certpath: KeyChecker.verifyCAKeyUsage() ---checking CA key usage...
certpath: -checker3 validation succeeded
certpath: -Using checker4 ... [sun.security.provider.certpath.ConstraintsChecker]
certpath: ---checking basic constraints...
certpath: i = 1, maxPathLength = 2
certpath: after processing, maxPathLength = 1
certpath: basic constraints verified.
certpath: ---checking name constraints...
certpath: prevNC = null, newNC = null
certpath: mergedNC = null
certpath: name constraints verified.
certpath: -checker4 validation succeeded
certpath: -Using checker5 ... [sun.security.provider.certpath.PolicyChecker]
certpath: PolicyChecker.checkPolicy() ---checking certificate policies...
certpath: PolicyChecker.checkPolicy() certIndex = 1
certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: explicitPolicy = 3
certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: policyMapping = 3
certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: inhibitAnyPolicy = 3
certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: policyTree = anyPolicy  ROOT

certpath: PolicyChecker.processPolicies() no policies present in cert
certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: explicitPolicy = 2
certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: policyMapping = 2
certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: inhibitAnyPolicy = 2
certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: policyTree = null
certpath: PolicyChecker.checkPolicy() certificate policies verified
certpath: -checker5 validation succeeded
certpath: -Using checker6 ... [sun.security.provider.certpath.BasicChecker]
certpath: ---checking validity:Fri Oct 20 07:56:53 PDT 2017...
certpath: validity verified.
certpath: ---checking subject/issuer name chaining...
certpath: subject/issuer name chaining verified.
certpath: ---checking signature...
certpath: signature verified.
certpath: BasicChecker.updateState issuer: CN=ROOT_CA_SHA256, OU=Java, O=Org, L=City, ST=CA, C=US; subject: CN=INTER_CA_SHA1-ROOT_CA_SHA256, OU=Java, O=Org, L=City, ST=CA, C=US; serial#: 9557043154290660301
certpath: -checker6 validation succeeded
certpath: -Using checker7 ... [sun.security.provider.certpath.AlgorithmChecker]
certpath: Constraints.permits(): SHA1withRSA Variant: tls server
certpath: -checker7 validation succeeded
certpath: 
cert1 validation succeeded.

certpath: Checking cert2 - Subject: CN=END_ENTITY_SHA256-INTER_CA_SHA1-ROOT_CA_SHA256-PRIV, OU=Java, O=Org, L=City, ST=CA, C=US
certpath: -Using checker1 ... [sun.security.provider.certpath.UntrustedChecker]
certpath: -checker1 validation succeeded
certpath: -Using checker2 ... [sun.security.provider.certpath.AlgorithmChecker]
certpath: Constraints.permits(): SHA256withRSA Variant: tls server
certpath: -checker2 validation succeeded
certpath: -Using checker3 ... [sun.security.provider.certpath.KeyChecker]
certpath: -checker3 validation succeeded
certpath: -Using checker4 ... [sun.security.provider.certpath.ConstraintsChecker]
certpath: ---checking basic constraints...
certpath: i = 2, maxPathLength = 1
certpath: after processing, maxPathLength = 1
certpath: basic constraints verified.
certpath: ---checking name constraints...
certpath: prevNC = null, newNC = null
certpath: mergedNC = null
certpath: name constraints verified.
certpath: -checker4 validation succeeded
certpath: -Using checker5 ... [sun.security.provider.certpath.PolicyChecker]
certpath: PolicyChecker.checkPolicy() ---checking certificate policies...
certpath: PolicyChecker.checkPolicy() certIndex = 2
certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: explicitPolicy = 2
certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: policyMapping = 2
certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: inhibitAnyPolicy = 2
certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: policyTree = null
certpath: PolicyChecker.processPolicies() no policies present in cert
certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: explicitPolicy = 2
certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: policyMapping = 2
certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: inhibitAnyPolicy = 2
certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: policyTree = null
certpath: PolicyChecker.checkPolicy() certificate policies verified
certpath: -checker5 validation succeeded
certpath: -Using checker6 ... [sun.security.provider.certpath.BasicChecker]
certpath: ---checking validity:Fri Oct 20 07:56:53 PDT 2017...
certpath: validity verified.
certpath: ---checking subject/issuer name chaining...
certpath: subject/issuer name chaining verified.
certpath: ---checking signature...
certpath: signature verified.
certpath: BasicChecker.updateState issuer: CN=INTER_CA_SHA1-ROOT_CA_SHA256, OU=Java, O=Org, L=City, ST=CA, C=US; subject: CN=END_ENTITY_SHA256-INTER_CA_SHA1-ROOT_CA_SHA256-PRIV, OU=Java, O=Org, L=City, ST=CA, C=US; serial#: 11454861092401349589
certpath: -checker6 validation succeeded
certpath: -Using checker7 ... [sun.security.provider.certpath.AlgorithmChecker]
certpath: Constraints.permits(): SHA256withRSA Variant: tls server
certpath: -checker7 validation succeeded
certpath: 
cert2 validation succeeded.

certpath: Cert path validation succeeded. (PKIX validation algorithm)
certpath: --------------------------------------------------------------
certpath: KeySizeConstraints.permits(): EC
certpath: TrustAnchor is null, trustedMatch is false.
certpath: Constraints.permits(): SHA1withRSA Variant: tls client
certpath: Constraints.permits(): SHA256withRSA Variant: tls client
Exception in thread "main" java.lang.RuntimeException: Client: failed.
	at JSSEClient.main(JSSEClient.java:63)
Caused by: java.net.SocketException: Broken pipe (Write failed)
	at java.base/java.net.SocketOutputStream.socketWrite0(Native Method)
	at java.base/java.net.SocketOutputStream.socketWrite(SocketOutputStream.java:111)
	at java.base/java.net.SocketOutputStream.write(SocketOutputStream.java:155)
	at java.base/sun.security.ssl.SSLSocketOutputRecord.encodeChangeCipherSpec(SSLSocketOutputRecord.java:205)
	at java.base/sun.security.ssl.OutputRecord.changeWriteCiphers(OutputRecord.java:163)
	at java.base/sun.security.ssl.SSLSocketImpl.changeWriteCiphers(SSLSocketImpl.java:2114)
	at java.base/sun.security.ssl.Handshaker.sendChangeCipherSpec(Handshaker.java:1175)
	at java.base/sun.security.ssl.ClientHandshaker.sendChangeCipherAndFinish(ClientHandshaker.java:1356)
	at java.base/sun.security.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:1260)
	at java.base/sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:418)
	at java.base/sun.security.ssl.Handshaker.processLoop(Handshaker.java:1072)
	at java.base/sun.security.ssl.Handshaker.processRecord(Handshaker.java:1000)
	at java.base/sun.security.ssl.SSLSocketImpl.processInputRecord(SSLSocketImpl.java:1137)
	at java.base/sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1074)
	at java.base/sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:973)
	at java.base/sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1402)
	at java.base/sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:733)
	at java.base/sun.security.ssl.AppOutputStream.write(AppOutputStream.java:67)
	at java.base/sun.security.ssl.AppOutputStream.write(AppOutputStream.java:81)
	at JSSEClient.main(JSSEClient.java:58)

---------- Client output end ----------
----------System.err:(57/3203)----------
certpath: Constraints: SSLv3
certpath: Constraints: RC4
certpath: Constraints: MD5withRSA
certpath: Constraints: DH keySize < 1024
certpath: Constraints set to keySize: keySize < 1024
certpath: Constraints: EC keySize < 224
certpath: Constraints set to keySize: keySize < 224
certpath: Constraints: MD2
certpath: Constraints: MD5
certpath: Constraints: SHA1 jdkCA & usage TLSServer
certpath: Constraints set to jdkCA.
certpath: Constraints usage length is 1
certpath: Constraints: RSA keySize < 1024
certpath: Constraints set to keySize: keySize < 1024
certpath: Constraints: DSA keySize < 1024
certpath: Constraints set to keySize: keySize < 1024
certpath: Constraints: EC keySize < 224
certpath: Constraints set to keySize: keySize < 224
certpath: Constraints: SHA1 usage TLSClient
certpath: Constraints usage length is 1
certpath: TrustAnchor is null, trustedMatch is false.
certpath: Constraints.permits(): SHA1withRSA Variant: tls server
certpath: Checking if usage constraint "tls client" matches "tls server"
certpath: KeySizeConstraints.permits(): RSA
certpath: Constraints.permits(): SHA256withRSA Variant: tls server
certpath: KeySizeConstraints.permits(): RSA
certpath: KeySizeConstraints.permits(): RSA
certpath: TrustAnchor is null, trustedMatch is false.
certpath: PKIXCertPathValidator.engineValidate()...
certpath: X509CertSelector.match(SN: a3529d826fddc61d
  Issuer: CN=ROOT_CA_SHA256, OU=Java, O=Org, L=City, ST=CA, C=US
  Subject: CN=ROOT_CA_SHA256, OU=Java, O=Org, L=City, ST=CA, C=US)
certpath: X509CertSelector.match returning: true
certpath: YES - try this trustedCert
certpath: anchor.getTrustedCert().getSubjectX500Principal() = CN=ROOT_CA_SHA256, OU=Java, O=Org, L=City, ST=CA, C=US
certpath: --------------------------------------------------------------
certpath: Executing PKIX certification path validation algorithm.
certpath: Checking cert1 - Subject: CN=INTER_CA_SHA1-ROOT_CA_SHA256, OU=Java, O=Org, L=City, ST=CA, C=US
certpath: -Using checker1 ... [sun.security.provider.certpath.UntrustedChecker]
certpath: -checker1 validation succeeded
certpath: -Using checker2 ... [sun.security.provider.certpath.AlgorithmChecker]
certpath: Constraints.permits(): SHA1withRSA Variant: tls client
certpath: Checking if usage constraint "tls client" matches "tls client"
java.lang.RuntimeException: Failure with unexpected exception.
	at TLSRestrictions.testConstraint(TLSRestrictions.java:270)
	at TLSRestrictions.main(TLSRestrictions.java:483)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.base/java.lang.reflect.Method.invoke(Method.java:564)
	at com.sun.javatest.regtest.agent.MainWrapper$MainThread.run(MainWrapper.java:115)
	at java.base/java.lang.Thread.run(Thread.java:844)

JavaTest Message: Test threw exception: java.lang.RuntimeException: Failure with unexpected exception.
JavaTest Message: shutting down test

STATUS:Failed.`main' threw exception: java.lang.RuntimeException: Failure with unexpected exception.
Comments
The same issue was observed with JDK 8u-dev:
certpath: Checking if usage constraint "tls client" matches "tls client"
certpath: java.lang.Exception
	at sun.security.util.DisabledAlgorithmConstraints$UsageConstraint.permits(DisabledAlgorithmConstraints.java:731)
	at sun.security.util.DisabledAlgorithmConstraints$Constraints.permits(DisabledAlgorithmConstraints.java:419)
	at sun.security.util.DisabledAlgorithmConstraints.permits(DisabledAlgorithmConstraints.java:167)
	at sun.security.provider.certpath.AlgorithmChecker.check(AlgorithmChecker.java:326)
	at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:125)
	at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:233)
	at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:141)
	at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:80)
	at java.security.cert.CertPathValidator.validate(CertPathValidator.java:292)
	at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:357)
	at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:270)
	at sun.security.validator.Validator.validate(Validator.java:262)
	at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
	at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:227)
	at sun.security.ssl.X509TrustManagerImpl.checkClientTrusted(X509TrustManagerImpl.java:118)
	at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1961)
	at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:237)
	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)
	at sun.security.ssl.Handshaker.process_record(Handshaker.java:987)
	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)
	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
	at sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:938)
	at sun.security.ssl.AppInputStream.read(AppInputStream.java:105)
	at sun.security.ssl.AppInputStream.read(AppInputStream.java:71)
	at JSSEServer$1.run(JSSEServer.java:61)
	at java.lang.Thread.run(Thread.java:748)
java.lang.RuntimeException: Failure with unexpected exception.
	at TLSRestrictions.testConstraint(TLSRestrictions.java:263)
	at TLSRestrictions.main(TLSRestrictions.java:449)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at com.sun.javatest.regtest.agent.MainWrapper$MainThread.run(MainWrapper.java:110)
	at java.lang.Thread.run(Thread.java:748)
31-05-2018

The server has printed errors on CertPathValidatorException, as shown in the following:
Caused by: java.security.cert.CertPathValidatorException: Usage constraint TLSClient check failed: SHA1 used with certificate: CN=INTER_CA_SHA1-ROOT_CA_SHA256, OU=Java, O=Org, L=City, ST=CA, C=US. Usage was tls client
	at java.base/sun.security.util.DisabledAlgorithmConstraints$UsageConstraint.permits(DisabledAlgorithmConstraints.java:739)
	at java.base/sun.security.util.DisabledAlgorithmConstraints$Constraints.permits(DisabledAlgorithmConstraints.java:419)
	at java.base/sun.security.util.DisabledAlgorithmConstraints.permits(DisabledAlgorithmConstraints.java:167)
	at java.base/sun.security.provider.certpath.AlgorithmChecker.check(AlgorithmChecker.java:326)
	at java.base/sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:125)
	... 23 more
but the exception does not appear to be returned from the server, because "Server: failed" is not printed. As shown in the code below from sun/security/ssl/CertPathRestrictions/TLSRestrictions.java [1], if serverException is null, "Server: failed" won't be output.
	Exception serverException = server.getException();
	if (serverException != null) {
	    System.out.println("Server: failed");
	}
[1] http://hg.openjdk.java.net/jdk10/master/file/286cb51fd280/test/jdk/sun/security/ssl/CertPathRestrictions/TLSRestrictions.java
23-10-2017

The server runs in another thread. When the main thread tries to get the server's field "exception" [1], the field may not be assigned the real value [2].
[1] http://hg.openjdk.java.net/jdk10/master/file/tip/test/jdk/sun/security/ssl/CertPathRestrictions/JSSEServer.java#l80
[2] http://hg.openjdk.java.net/jdk10/master/file/tip/test/jdk/sun/security/ssl/CertPathRestrictions/JSSEServer.java#l70
23-10-2017
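
The race described in the last comment, as an added example that is not the JDK test's own code: a stand-in server thread records its exception after a delay, and the main thread reads the field once immediately and once after waiting on a latch. `FakeServer`, `getExceptionNow` and `awaitException` are hypothetical names, the exception message is constructed, and the latch is one way to order the read, not necessarily the fix applied for this bug.

```java
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.TimeUnit;
import javax.net.ssl.SSLHandshakeException;

// Added illustration; all class and method names here are hypothetical.
public class ServerExceptionRace {

    /** Stand-in for a test server whose handshake runs on its own thread. */
    static class FakeServer implements Runnable {
        // Written by the server thread, read by the main thread.
        private volatile Exception exception;
        // Counted down once the server thread has stored its outcome.
        private final CountDownLatch done = new CountDownLatch(1);

        @Override
        public void run() {
            try {
                // Simulates the time spent validating the client's chain.
                Thread.sleep(200);
                // Constructed message modelled on the failure in the log.
                throw new SSLHandshakeException(
                        "Usage constraint TLSClient check failed (constructed)");
            } catch (Exception e) {
                exception = e;
            } finally {
                done.countDown();
            }
        }

        /** Racy read: returns whatever the field holds at this instant. */
        Exception getExceptionNow() {
            return exception;
        }

        /** Ordered read: blocks until the server thread has recorded its outcome. */
        Exception awaitException(long timeout, TimeUnit unit)
                throws InterruptedException {
            if (!done.await(timeout, unit)) {
                throw new IllegalStateException("server did not finish in time");
            }
            return exception;
        }
    }

    public static void main(String[] args) throws Exception {
        FakeServer server = new FakeServer();
        Thread serverThread = new Thread(server, "server");
        serverThread.start();

        // The main thread asks for the server's result while the server
        // thread is still working, so the field has not been assigned yet.
        Exception early = server.getExceptionNow();
        System.out.println("racy read:    " + early);

        // Waiting for the server thread to finish makes the result visible.
        Exception settled = server.awaitException(5, TimeUnit.SECONDS);
        System.out.println("ordered read: " + settled);

        serverThread.join();

        // A harness that decides pass/fail from the racy read would treat
        // an expected server-side rejection as "no server exception".
        if (early == null && settled != null) {
            System.out.println("racy read missed the server's exception");
        }
    }
}
```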