Change in PKIX certificate chain validation Java 6->Java 7
Robert Gibson
robbiexgibson at yahoo.com
Wed May 28 23:04:36 UTC 2014
Hi,
I was researching a StackOverflow question [1] and I came across some behaviour with the validation of certificate chains that I don't quite understand.
I have a chain consisting of a root certificate with validity period 1999->2019; an intermediate certificate with validity period 2004->2024; and a server certificate with validity period 2006->2016. sun.security.provider.certpath.AdaptableX509CertSelector seems to be choking because the validity end date of the intermediate certificate is after the validity end date of the root certificate, even though we are currently within the validity period for all three certificates. (By the way, -Djava.security.debug=certpath doesn't actually give any clues as to the reason for the failure, I had to resort to debugging the process.)
Is this expected behaviour? Should I file a bug?
'Invalid' certificate chain is available at [2]. All the browsers I tried validated it fine, it's just Java 7+ that chokes.
Thanks,
Robbie
[1] http://stackoverflow.com/questions/23775155/pkix-path-does-not-chain-with-any-of-the-trust-anchors-error-in-windows-environm
[2] https://www.envmgr.com/LabelService/EwsLabelService.asmx
More information about the security-dev
mailing list