Change in PKIX certificate chain validation Java 6->Java 7

Jason Uh jason.uh at oracle.com
Thu May 29 01:55:18 UTC 2014


Hi Robert,

This was actually fixed in 
https://bugs.openjdk.java.net/browse/JDK-8021804 and is pending a 
backport to JDK 7u.

Thanks,
Jason

On 5/28/14 4:04 PM, Robert Gibson wrote:
> Hi,
> I was researching a StackOverflow question [1] and I came across some behaviour with the validation of certificate chains that I don't quite understand.
>
> I have a chain consisting of a root certificate with validity period 1999->2019; an intermediate certificate with validity period 2004->2024; and a server certificate with validity period 2006->2016. sun.security.provider.certpath.AdaptableX509CertSelector seems to be choking because the validity end date of the intermediate certificate is after the validity end date of the root certificate, even though we are currently within the validity period for all three certificates.  (By the way, -Djava.security.debug=certpath doesn't actually give any clues as to the reason for the failure, I had to resort to debugging the process.)
>
> Is this expected behaviour? Should I file a bug?
>
> 'Invalid' certificate chain is available at [2]. All the browsers I tried validated it fine, it's just Java 7+ that chokes.
>
> Thanks,
> Robbie
>
> [1] http://stackoverflow.com/questions/23775155/pkix-path-does-not-chain-with-any-of-the-trust-anchors-error-in-windows-environm
> [2] https://www.envmgr.com/LabelService/EwsLabelService.asmx
>



More information about the security-dev mailing list