jdk11u and jdk/jdk : jtreg test error in security/infra/java/security/cert/CertPathValidator/certification/ActalisCA.java
Sean Mullan
sean.mullan at oracle.com
Mon Nov 26 13:24:13 UTC 2018
On 11/26/18 7:51 AM, Baesken, Matthias wrote:
> Hello, since 18th / 19th November we notice an error in the jtreg test
>
>
> security/infra/java/security/cert/CertPathValidator/certification/ActalisCA.java
>
> (on all platforms, for example linux x86_64 ).
>
> Has anyone else seen the issue, or is it just us ?
Yes, this is a known issue, see
https://bugs.openjdk.java.net/browse/JDK-8202651
--Sean
>
> Thanks, Matthias
>
> Error (stderr) output is :
>
> :stdErr:
>
> Mon Nov 19 10:39:26 CET 2018
>
> certpath: PKIXCertPathValidator.engineValidate()...
>
> certpath: X509CertSelector.match(SN: 36122296c5e338a520a1d25f4cd70954
>
> Issuer: EMAILADDRESS=premium-server at thawte.com, CN=Thawte Premium
> Server CA, OU=Certification Services Division, O=Thawte Consulting cc,
> L=Cape Town, ST=Western Cape, C=ZA
>
> Subject: EMAILADDRESS=premium-server at thawte.com, CN=Thawte Premium
> Server CA, OU=Certification Services Division, O=Thawte Consulting cc,
> L=Cape Town, ST=Western Cape, C=ZA)
>
> certpath: X509CertSelector.match: subject DNs don't match
>
> certpath: X509CertSelector.match(SN: 3c9131cb1ff6d01b0e9ab8d044bf12be
>
> Issuer: OU=Class 3 Public Primary Certification Authority,
> O="VeriSign, Inc.", C=US
>
> Subject: OU=Class 3 Public Primary Certification Authority,
> O="VeriSign, Inc.", C=US)
>
> certpath: X509CertSelector.match: subject DNs don't match
>
> certpath: X509CertSelector.match(SN: 570a119742c4e3cc
>
> Issuer: CN=Actalis Authentication Root CA, O=Actalis
> S.p.A./03358520967, L=Milan, C=IT
>
> Subject: CN=Actalis Authentication Root CA, O=Actalis
> S.p.A./03358520967, L=Milan, C=IT)
>
> certpath: X509CertSelector.match returning: true
>
> certpath: YES - try this trustedCert
>
> certpath: anchor.getTrustedCert().getSubjectX500Principal() = CN=Actalis
> Authentication Root CA, O=Actalis S.p.A./03358520967, L=Milan, C=IT
>
> certpath: Constraints: MD2
>
> certpath: Constraints: MD5
>
> certpath: Constraints: SHA1 jdkCA & usage TLSServer
>
> certpath: Constraints set to jdkCA.
>
> certpath: Constraints usage length is 1
>
> certpath: Constraints: RSA keySize < 1024
>
> certpath: Constraints set to keySize: keySize < 1024
>
> certpath: Constraints: DSA keySize < 1024
>
> certpath: Constraints set to keySize: keySize < 1024
>
> certpath: Constraints: EC keySize < 224
>
> certpath: Constraints set to keySize: keySize < 224
>
> certpath: AlgorithmChecker.contains: SHA256withRSA
>
> certpath: AnchorCertificate.contains: matched CN=Actalis Authentication
> Root CA, O=Actalis S.p.A./03358520967, L=Milan, C=IT
>
> certpath: trustedMatch = true
>
> certpath: --------------------------------------------------------------
>
> certpath: Executing PKIX certification path validation algorithm.
>
> certpath: Checking cert1 - Subject: CN=Actalis Extended Validation
> Server CA G1, O=Actalis S.p.A./03358520967, L=Milano, ST=Milano, C=IT
>
> certpath: Set of critical extensions: {2.5.29.15, 2.5.29.19}
>
> certpath: -Using checker1 ...
> [sun.security.provider.certpath.UntrustedChecker]
>
> certpath: -checker1 validation succeeded
>
> certpath: -Using checker2 ...
> [sun.security.provider.certpath.AlgorithmChecker]
>
> certpath: Constraints.permits(): SHA256withRSA Variant: generic
>
> certpath: KeySizeConstraints.permits(): RSA
>
> certpath: -checker2 validation succeeded
>
> certpath: -Using checker3 ... [sun.security.provider.certpath.KeyChecker]
>
> certpath: KeyChecker.verifyCAKeyUsage() ---checking CA key usage...
>
> certpath: KeyChecker.verifyCAKeyUsage() CA key usage verified.
>
> certpath: -checker3 validation succeeded
>
> certpath: -Using checker4 ...
> [sun.security.provider.certpath.ConstraintsChecker]
>
> certpath: ---checking basic constraints...
>
> certpath: i = 1, maxPathLength = 2
>
> certpath: after processing, maxPathLength = 1
>
> certpath: basic constraints verified.
>
> certpath: ---checking name constraints...
>
> certpath: prevNC = null, newNC = null
>
> certpath: mergedNC = null
>
> certpath: name constraints verified.
>
> certpath: -checker4 validation succeeded
>
> certpath: -Using checker5 ... [sun.security.provider.certpath.PolicyChecker]
>
> certpath: PolicyChecker.checkPolicy() ---checking certificate policies...
>
> certpath: PolicyChecker.checkPolicy() certIndex = 1
>
> certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: explicitPolicy = 3
>
> certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: policyMapping = 3
>
> certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING:
> inhibitAnyPolicy = 3
>
> certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: policyTree =
> anyPolicy ROOT
>
> certpath: PolicyChecker.processPolicies() policiesCritical = false
>
> certpath: PolicyChecker.processPolicies() rejectPolicyQualifiers = true
>
> certpath: PolicyChecker.processPolicies() processing policy: 2.5.29.32.0
>
> certpath: PolicyChecker.processParents(): matchAny = true
>
> certpath: PolicyChecker.processParents() found parent:
>
> anyPolicy ROOT
>
> certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: explicitPolicy = 2
>
> certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: policyMapping = 2
>
> certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: inhibitAnyPolicy = 2
>
> certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: policyTree =
> anyPolicy ROOT
>
> anyPolicy CRIT: false EP: anyPolicy (1)
>
> certpath: PolicyChecker.checkPolicy() certificate policies verified
>
> certpath: -checker5 validation succeeded
>
> certpath: -Using checker6 ... [sun.security.provider.certpath.BasicChecker]
>
> certpath: ---checking validity:Mon Nov 19 10:39:24 CET 2018...
>
> certpath: validity verified.
>
> certpath: ---checking subject/issuer name chaining...
>
> certpath: subject/issuer name chaining verified.
>
> certpath: ---checking signature...
>
> certpath: signature verified.
>
> certpath: BasicChecker.updateState issuer: CN=Actalis Authentication
> Root CA, O=Actalis S.p.A./03358520967, L=Milan, C=IT; subject:
> CN=Actalis Extended Validation Server CA G1, O=Actalis
> S.p.A./03358520967, L=Milano, ST=Milano, C=IT; serial#: 3663163709977533131
>
> certpath: -checker6 validation succeeded
>
> certpath: -Using checker7 ...
> [sun.security.provider.certpath.RevocationChecker]
>
> certpath: RevocationChecker.check: checking cert
>
> SN: 32d62bfc 67501acb
>
> Subject: CN=Actalis Extended Validation Server CA G1, O=Actalis
> S.p.A./03358520967, L=Milano, ST=Milano, C=IT
>
> Issuer: CN=Actalis Authentication Root CA, O=Actalis
> S.p.A./03358520967, L=Milan, C=IT
>
> certpath: connecting to OCSP service at:
> http://ocsp05.actalis.it/VA/AUTH-ROOT
>
> certpath: OCSP response status: SUCCESSFUL
>
> certpath: OCSP response type: basic
>
> certpath: Responder ID: byName: CN=Actalis Authentication Root CA - OCSP
> Responder, O=Actalis S.p.A./03358520967, C=IT
>
> certpath: OCSP response produced at: Mon Nov 19 10:39:24 CET 2018
>
> certpath: OCSP number of SingleResponses: 1
>
> certpath: thisUpdate: Fri Oct 19 14:29:36 CEST 2018
>
> certpath: nextUpdate: Thu Jan 17 13:29:36 CET 2019
>
> certpath: OCSP response cert #1: CN=Actalis Authentication Root CA -
> OCSP Responder, O=Actalis S.p.A./03358520967, C=IT
>
> certpath: Status of certificate (with serial number 3663163709977533131)
> is: GOOD
>
> certpath: AlgorithmChecker.contains: SHA256withRSA
>
> certpath: AnchorCertificate.contains: matched CN=Actalis Authentication
> Root CA, O=Actalis S.p.A./03358520967, L=Milan, C=IT
>
> certpath: trustedMatch = true
>
> certpath: Constraints.permits(): SHA256withRSA Variant: generic
>
> certpath: KeySizeConstraints.permits(): RSA
>
> certpath: Responder's certificate includes the extension
> id-pkix-ocsp-nocheck.
>
> certpath: OCSP response is signed by an Authorized Responder
>
> certpath: Constraints.permits(): SHA1withRSA Variant: generic
>
> certpath: jdkCAConstraints.permits(): SHA1
>
> certpath: Verified signature of OCSP Response
>
> certpath: OCSP response validity interval is from Fri Oct 19 14:29:36
> CEST 2018 until Thu Jan 17 13:29:36 CET 2019
>
> certpath: Checking validity of OCSP response on: Mon Nov 19 10:39:24 CET
> 2018
>
> certpath: -checker7 validation succeeded
>
> certpath:
>
> cert1 validation succeeded.
>
> certpath: Checking cert2 - Subject: OID.1.3.6.1.4.1.311.60.2.1.3=IT,
> STREET=Via S. Clemente 53, OID.2.5.4.15=Private Organization,
> CN=www.actalis.it, SERIALNUMBER=03358520967, O=Actalis S.p.A., L=Ponte
> San Pietro, ST=Bergamo, C=IT
>
> certpath: Set of critical extensions: {2.5.29.15, 2.5.29.19}
>
> certpath: -Using checker1 ...
> [sun.security.provider.certpath.UntrustedChecker]
>
> certpath: -checker1 validation succeeded
>
> certpath: -Using checker2 ...
> [sun.security.provider.certpath.AlgorithmChecker]
>
> certpath: Constraints.permits(): SHA256withRSA Variant: generic
>
> certpath: KeySizeConstraints.permits(): RSA
>
> certpath: -checker2 validation succeeded
>
> certpath: -Using checker3 ... [sun.security.provider.certpath.KeyChecker]
>
> certpath: -checker3 validation succeeded
>
> certpath: -Using checker4 ...
> [sun.security.provider.certpath.ConstraintsChecker]
>
> certpath: ---checking basic constraints...
>
> certpath: i = 2, maxPathLength = 1
>
> certpath: after processing, maxPathLength = 1
>
> certpath: basic constraints verified.
>
> certpath: ---checking name constraints...
>
> certpath: prevNC = null, newNC = null
>
> certpath: mergedNC = null
>
> certpath: name constraints verified.
>
> certpath: -checker4 validation succeeded
>
> certpath: -Using checker5 ... [sun.security.provider.certpath.PolicyChecker]
>
> certpath: PolicyChecker.checkPolicy() ---checking certificate policies...
>
> certpath: PolicyChecker.checkPolicy() certIndex = 2
>
> certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: explicitPolicy = 2
>
> certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: policyMapping = 2
>
> certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING:
> inhibitAnyPolicy = 2
>
> certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: policyTree =
> anyPolicy ROOT
>
> anyPolicy CRIT: false EP: anyPolicy (1)
>
> certpath: PolicyChecker.processPolicies() policiesCritical = false
>
> certpath: PolicyChecker.processPolicies() rejectPolicyQualifiers = true
>
> certpath: PolicyChecker.processPolicies() processing policy: 1.3.159.1.17.1
>
> certpath: PolicyChecker.processParents(): matchAny = false
>
> certpath: PolicyChecker.processParents(): matchAny = true
>
> certpath: PolicyChecker.processParents() found parent:
>
> anyPolicy CRIT: false EP: anyPolicy (1)
>
> certpath: PolicyChecker.processPolicies() processing policy: 2.23.140.1.1
>
> certpath: PolicyChecker.processParents(): matchAny = false
>
> certpath: PolicyChecker.processParents(): matchAny = true
>
> certpath: PolicyChecker.processParents() found parent:
>
> anyPolicy CRIT: false EP: anyPolicy (1)
>
> certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: explicitPolicy = 2
>
> certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: policyMapping = 2
>
> certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: inhibitAnyPolicy = 2
>
> certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: policyTree =
> anyPolicy ROOT
>
> anyPolicy CRIT: false EP: anyPolicy (1)
>
> 1.3.159.1.17.1 CRIT: false EP: 1.3.159.1.17.1 (2)
>
> 2.23.140.1.1 CRIT: false EP: 2.23.140.1.1 (2)
>
> certpath: PolicyChecker.checkPolicy() certificate policies verified
>
> certpath: -checker5 validation succeeded
>
> certpath: -Using checker6 ... [sun.security.provider.certpath.BasicChecker]
>
> certpath: ---checking validity:Mon Nov 19 10:39:24 CET 2018...
>
> certpath: validity verified.
>
> certpath: ---checking subject/issuer name chaining...
>
> certpath: subject/issuer name chaining verified.
>
> certpath: ---checking signature...
>
> certpath: signature verified.
>
> certpath: BasicChecker.updateState issuer: CN=Actalis Extended
> Validation Server CA G1, O=Actalis S.p.A./03358520967, L=Milano,
> ST=Milano, C=IT; subject: OID.1.3.6.1.4.1.311.60.2.1.3=IT, STREET=Via S.
> Clemente 53, OID.2.5.4.15=Private Organization, CN=www.actalis.it,
> SERIALNUMBER=03358520967, O=Actalis S.p.A., L=Ponte San Pietro,
> ST=Bergamo, C=IT; serial#: 1076059514591231458
>
> certpath: -checker6 validation succeeded
>
> certpath: -Using checker7 ...
> [sun.security.provider.certpath.RevocationChecker]
>
> certpath: RevocationChecker.check: checking cert
>
> SN: 0eeeee6d 6463bde2
>
> Subject: OID.1.3.6.1.4.1.311.60.2.1.3=IT, STREET=Via S. Clemente 53,
> OID.2.5.4.15=Private Organization, CN=www.actalis.it,
> SERIALNUMBER=03358520967, O=Actalis S.p.A., L=Ponte San Pietro,
> ST=Bergamo, C=IT
>
> Issuer: CN=Actalis Extended Validation Server CA G1, O=Actalis
> S.p.A./03358520967, L=Milano, ST=Milano, C=IT
>
> certpath: connecting to OCSP service at:
> http://ocsp05.actalis.it/VA/AUTHEV-G1
>
> certpath: OCSP response status: SUCCESSFUL
>
> certpath: OCSP response type: basic
>
> certpath: Responder ID: byName: CN=Actalis Extended Validation Server CA
> G1 - OCSP Responder, O=Actalis S.p.A./03358520967, L=Milano, ST=Milano, C=IT
>
> certpath: OCSP response produced at: Mon Nov 19 10:39:24 CET 2018
>
> certpath: OCSP number of SingleResponses: 1
>
> certpath: thisUpdate: Mon Nov 19 07:19:26 CET 2018
>
> certpath: nextUpdate: Tue Nov 20 07:19:26 CET 2018
>
> certpath: OCSP response cert #1: CN=Actalis Extended Validation Server
> CA G1 - OCSP Responder, O=Actalis S.p.A./03358520967, L=Milano,
> ST=Milano, C=IT
>
> certpath: Status of certificate (with serial number 1076059514591231458)
> is: GOOD
>
> certpath: AlgorithmChecker.contains: SHA256withRSA
>
> certpath: AnchorCertificate.contains: matched CN=Actalis Authentication
> Root CA, O=Actalis S.p.A./03358520967, L=Milan, C=IT
>
> certpath: trustedMatch = true
>
> certpath: Constraints.permits(): SHA256withRSA Variant: generic
>
> certpath: KeySizeConstraints.permits(): RSA
>
> certpath: Responder's certificate includes the extension
> id-pkix-ocsp-nocheck.
>
> certpath: OCSP response is signed by an Authorized Responder
>
> certpath: Constraints.permits(): SHA1withRSA Variant: generic
>
> certpath: jdkCAConstraints.permits(): SHA1
>
> certpath: Verified signature of OCSP Response
>
> certpath: OCSP response validity interval is from Mon Nov 19 07:19:26
> CET 2018 until Tue Nov 20 07:19:26 CET 2018
>
> certpath: Checking validity of OCSP response on: Mon Nov 19 10:39:25 CET
> 2018
>
> certpath: -checker7 validation succeeded
>
> certpath:
>
> cert2 validation succeeded.
>
> certpath: Cert path validation succeeded. (PKIX validation algorithm)
>
> certpath: --------------------------------------------------------------
>
> certpath: PKIXCertPathValidator.engineValidate()...
>
> certpath: X509CertSelector.match(SN: 3c9131cb1ff6d01b0e9ab8d044bf12be
>
> Issuer: OU=Class 3 Public Primary Certification Authority,
> O="VeriSign, Inc.", C=US
>
> Subject: OU=Class 3 Public Primary Certification Authority,
> O="VeriSign, Inc.", C=US)
>
> certpath: X509CertSelector.match: subject DNs don't match
>
> certpath: X509CertSelector.match(SN: 7dd9fe07cfa81eb7107967fba78934c6
>
> Issuer: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For
> authorized use only", OU=Class 3 Public Primary Certification Authority
> - G2, O="VeriSign, Inc.", C=US
>
> Subject: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For
> authorized use only", OU=Class 3 Public Primary Certification Authority
> - G2, O="VeriSign, Inc.", C=US)
>
> certpath: X509CertSelector.match: subject DNs don't match
>
> certpath: X509CertSelector.match(SN: 570a119742c4e3cc
>
> Issuer: CN=Actalis Authentication Root CA, O=Actalis
> S.p.A./03358520967, L=Milan, C=IT
>
> Subject: CN=Actalis Authentication Root CA, O=Actalis
> S.p.A./03358520967, L=Milan, C=IT)
>
> certpath: X509CertSelector.match returning: true
>
> certpath: YES - try this trustedCert
>
> certpath: anchor.getTrustedCert().getSubjectX500Principal() = CN=Actalis
> Authentication Root CA, O=Actalis S.p.A./03358520967, L=Milan, C=IT
>
> certpath: AlgorithmChecker.contains: SHA256withRSA
>
> certpath: AnchorCertificate.contains: matched CN=Actalis Authentication
> Root CA, O=Actalis S.p.A./03358520967, L=Milan, C=IT
>
> certpath: trustedMatch = true
>
> certpath: --------------------------------------------------------------
>
> certpath: Executing PKIX certification path validation algorithm.
>
> certpath: Checking cert1 - Subject: CN=Actalis Authentication CA G3,
> O=Actalis S.p.A./03358520967, L=Milano, ST=Milano, C=IT
>
> certpath: Set of critical extensions: {2.5.29.15, 2.5.29.19}
>
> certpath: -Using checker1 ...
> [sun.security.provider.certpath.UntrustedChecker]
>
> certpath: -checker1 validation succeeded
>
> certpath: -Using checker2 ...
> [sun.security.provider.certpath.AlgorithmChecker]
>
> certpath: Constraints.permits(): SHA256withRSA Variant: generic
>
> certpath: KeySizeConstraints.permits(): RSA
>
> certpath: -checker2 validation succeeded
>
> certpath: -Using checker3 ... [sun.security.provider.certpath.KeyChecker]
>
> certpath: KeyChecker.verifyCAKeyUsage() ---checking CA key usage...
>
> certpath: KeyChecker.verifyCAKeyUsage() CA key usage verified.
>
> certpath: -checker3 validation succeeded
>
> certpath: -Using checker4 ...
> [sun.security.provider.certpath.ConstraintsChecker]
>
> certpath: ---checking basic constraints...
>
> certpath: i = 1, maxPathLength = 2
>
> certpath: after processing, maxPathLength = 1
>
> certpath: basic constraints verified.
>
> certpath: ---checking name constraints...
>
> certpath: prevNC = null, newNC = null
>
> certpath: mergedNC = null
>
> certpath: name constraints verified.
>
> certpath: -checker4 validation succeeded
>
> certpath: -Using checker5 ... [sun.security.provider.certpath.PolicyChecker]
>
> certpath: PolicyChecker.checkPolicy() ---checking certificate policies...
>
> certpath: PolicyChecker.checkPolicy() certIndex = 1
>
> certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: explicitPolicy = 3
>
> certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: policyMapping = 3
>
> certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING:
> inhibitAnyPolicy = 3
>
> certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: policyTree =
> anyPolicy ROOT
>
> certpath: PolicyChecker.processPolicies() policiesCritical = false
>
> certpath: PolicyChecker.processPolicies() rejectPolicyQualifiers = true
>
> certpath: PolicyChecker.processPolicies() processing policy: 2.5.29.32.0
>
> certpath: PolicyChecker.processParents(): matchAny = true
>
> certpath: PolicyChecker.processParents() found parent:
>
> anyPolicy ROOT
>
> certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: explicitPolicy = 2
>
> certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: policyMapping = 2
>
> certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: inhibitAnyPolicy = 2
>
> certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: policyTree =
> anyPolicy ROOT
>
> anyPolicy CRIT: false EP: anyPolicy (1)
>
> certpath: PolicyChecker.checkPolicy() certificate policies verified
>
> certpath: -checker5 validation succeeded
>
> certpath: -Using checker6 ... [sun.security.provider.certpath.BasicChecker]
>
> certpath: ---checking validity:Fri Jul 01 00:00:00 CEST 2016...
>
> certpath: validity verified.
>
> certpath: ---checking subject/issuer name chaining...
>
> certpath: subject/issuer name chaining verified.
>
> certpath: ---checking signature...
>
> certpath: signature verified.
>
> certpath: BasicChecker.updateState issuer: CN=Actalis Authentication
> Root CA, O=Actalis S.p.A./03358520967, L=Milan, C=IT; subject:
> CN=Actalis Authentication CA G3, O=Actalis S.p.A./03358520967, L=Milano,
> ST=Milano, C=IT; serial#: 8366940759504193212
>
> certpath: -checker6 validation succeeded
>
> certpath: -Using checker7 ...
> [sun.security.provider.certpath.RevocationChecker]
>
> certpath: RevocationChecker.check: checking cert
>
> SN: 741d584a 72fc06bc
>
> Subject: CN=Actalis Authentication CA G3, O=Actalis
> S.p.A./03358520967, L=Milano, ST=Milano, C=IT
>
> Issuer: CN=Actalis Authentication Root CA, O=Actalis
> S.p.A./03358520967, L=Milan, C=IT
>
> certpath: connecting to OCSP service at:
> http://portal.actalis.it/VA/AUTH-ROOT
>
> certpath: OCSP response status: SUCCESSFUL
>
> certpath: OCSP response type: basic
>
> certpath: Responder ID: byName: CN=Actalis Authentication Root CA - OCSP
> Responder, O=Actalis S.p.A./03358520967, C=IT
>
> certpath: OCSP response produced at: Mon Nov 19 10:39:25 CET 2018
>
> certpath: OCSP number of SingleResponses: 1
>
> certpath: thisUpdate: Fri Oct 19 14:29:36 CEST 2018
>
> certpath: nextUpdate: Thu Jan 17 13:29:36 CET 2019
>
> certpath: OCSP response cert #1: CN=Actalis Authentication Root CA -
> OCSP Responder, O=Actalis S.p.A./03358520967, C=IT
>
> certpath: Status of certificate (with serial number 8366940759504193212)
> is: GOOD
>
> certpath: AlgorithmChecker.contains: SHA256withRSA
>
> certpath: AnchorCertificate.contains: matched CN=Actalis Authentication
> Root CA, O=Actalis S.p.A./03358520967, L=Milan, C=IT
>
> certpath: trustedMatch = true
>
> certpath: Constraints.permits(): SHA256withRSA Variant: generic
>
> certpath: KeySizeConstraints.permits(): RSA
>
> certpath: Responder's certificate includes the extension
> id-pkix-ocsp-nocheck.
>
> certpath: OCSP response is signed by an Authorized Responder
>
> certpath: Constraints.permits(): SHA1withRSA Variant: generic
>
> certpath: jdkCAConstraints.permits(): SHA1
>
> certpath: Verified signature of OCSP Response
>
> certpath: OCSP response validity interval is from Fri Oct 19 14:29:36
> CEST 2018 until Thu Jan 17 13:29:36 CET 2019
>
> certpath: Checking validity of OCSP response on: Mon Nov 19 10:39:25 CET
> 2018
>
> certpath: -checker7 validation succeeded
>
> certpath:
>
> cert1 validation succeeded.
>
> certpath: Checking cert2 - Subject: CN=ssltest-r.actalis.it, O=Actalis
> S.p.A., L=Ponte San Pietro, ST=Bergamo, C=IT
>
> certpath: Set of critical extensions: {2.5.29.15, 2.5.29.19}
>
> certpath: -Using checker1 ...
> [sun.security.provider.certpath.UntrustedChecker]
>
> certpath: -checker1 validation succeeded
>
> certpath: -Using checker2 ...
> [sun.security.provider.certpath.AlgorithmChecker]
>
> certpath: Constraints.permits(): SHA256withRSA Variant: generic
>
> certpath: KeySizeConstraints.permits(): RSA
>
> certpath: -checker2 validation succeeded
>
> certpath: -Using checker3 ... [sun.security.provider.certpath.KeyChecker]
>
> certpath: -checker3 validation succeeded
>
> certpath: -Using checker4 ...
> [sun.security.provider.certpath.ConstraintsChecker]
>
> certpath: ---checking basic constraints...
>
> certpath: i = 2, maxPathLength = 1
>
> certpath: after processing, maxPathLength = 1
>
> certpath: basic constraints verified.
>
> certpath: ---checking name constraints...
>
> certpath: prevNC = null, newNC = null
>
> certpath: mergedNC = null
>
> certpath: name constraints verified.
>
> certpath: -checker4 validation succeeded
>
> certpath: -Using checker5 ... [sun.security.provider.certpath.PolicyChecker]
>
> certpath: PolicyChecker.checkPolicy() ---checking certificate policies...
>
> certpath: PolicyChecker.checkPolicy() certIndex = 2
>
> certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: explicitPolicy = 2
>
> certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: policyMapping = 2
>
> certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING:
> inhibitAnyPolicy = 2
>
> certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: policyTree =
> anyPolicy ROOT
>
> anyPolicy CRIT: false EP: anyPolicy (1)
>
> certpath: PolicyChecker.processPolicies() policiesCritical = false
>
> certpath: PolicyChecker.processPolicies() rejectPolicyQualifiers = true
>
> certpath: PolicyChecker.processPolicies() processing policy: 1.3.159.1.20.1
>
> certpath: PolicyChecker.processParents(): matchAny = false
>
> certpath: PolicyChecker.processParents(): matchAny = true
>
> certpath: PolicyChecker.processParents() found parent:
>
> anyPolicy CRIT: false EP: anyPolicy (1)
>
> certpath: PolicyChecker.processPolicies() processing policy: 2.23.140.1.2.2
>
> certpath: PolicyChecker.processParents(): matchAny = false
>
> certpath: PolicyChecker.processParents(): matchAny = true
>
> certpath: PolicyChecker.processParents() found parent:
>
> anyPolicy CRIT: false EP: anyPolicy (1)
>
> certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: explicitPolicy = 2
>
> certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: policyMapping = 2
>
> certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: inhibitAnyPolicy = 2
>
> certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: policyTree =
> anyPolicy ROOT
>
> anyPolicy CRIT: false EP: anyPolicy (1)
>
> 2.23.140.1.2.2 CRIT: false EP: 2.23.140.1.2.2 (2)
>
> 1.3.159.1.20.1 CRIT: false EP: 1.3.159.1.20.1 (2)
>
> certpath: PolicyChecker.checkPolicy() certificate policies verified
>
> certpath: -checker5 validation succeeded
>
> certpath: -Using checker6 ... [sun.security.provider.certpath.BasicChecker]
>
> certpath: ---checking validity:Fri Jul 01 00:00:00 CEST 2016...
>
> certpath: validity verified.
>
> certpath: ---checking subject/issuer name chaining...
>
> certpath: subject/issuer name chaining verified.
>
> certpath: ---checking signature...
>
> certpath: signature verified.
>
> certpath: BasicChecker.updateState issuer: CN=Actalis Authentication CA
> G3, O=Actalis S.p.A./03358520967, L=Milano, ST=Milano, C=IT; subject:
> CN=ssltest-r.actalis.it, O=Actalis S.p.A., L=Ponte San Pietro,
> ST=Bergamo, C=IT; serial#: 312400490844506479
>
> certpath: -checker6 validation succeeded
>
> certpath: -Using checker7 ...
> [sun.security.provider.certpath.RevocationChecker]
>
> certpath: RevocationChecker.check: checking cert
>
> SN: 0455de97 5c71c96f
>
> Subject: CN=ssltest-r.actalis.it, O=Actalis S.p.A., L=Ponte San
> Pietro, ST=Bergamo, C=IT
>
> Issuer: CN=Actalis Authentication CA G3, O=Actalis
> S.p.A./03358520967, L=Milano, ST=Milano, C=IT
>
> certpath: connecting to OCSP service at: http://ocsp03.actalis.it/VA/AUTH-G3
>
> certpath: OCSP response status: SUCCESSFUL
>
> certpath: OCSP response type: basic
>
> certpath: Responder ID: byName: CN=Actalis Authentication CA G3 - OCSP
> Responder, O=Actalis S.p.A./03358520967, L=Milano, ST=Milano, C=IT
>
> certpath: OCSP response produced at: Mon Nov 19 10:39:25 CET 2018
>
> certpath: OCSP number of SingleResponses: 1
>
> certpath: Revocation time: Fri Jan 29 10:06:42 CET 2016
>
> certpath: Revocation reason: CESSATION_OF_OPERATION
>
> certpath: thisUpdate: Mon Nov 19 06:46:50 CET 2018
>
> certpath: nextUpdate: Tue Nov 20 06:46:50 CET 2018
>
> certpath: OCSP response cert #1: CN=Actalis Authentication CA G3 - OCSP
> Responder, O=Actalis S.p.A./03358520967, L=Milano, ST=Milano, C=IT
>
> certpath: Status of certificate (with serial number 312400490844506479)
> is: REVOKED
>
> certpath: AlgorithmChecker.contains: SHA256withRSA
>
> certpath: AnchorCertificate.contains: matched CN=Actalis Authentication
> Root CA, O=Actalis S.p.A./03358520967, L=Milan, C=IT
>
> certpath: trustedMatch = true
>
> certpath: Constraints.permits(): SHA256withRSA Variant: generic
>
> certpath: KeySizeConstraints.permits(): RSA
>
> certpath: Responder's certificate includes the extension
> id-pkix-ocsp-nocheck.
>
> certpath: OCSP response is signed by an Authorized Responder
>
> certpath: Constraints.permits(): SHA1withRSA Variant: generic
>
> certpath: jdkCAConstraints.permits(): SHA1
>
> certpath: Verified signature of OCSP Response
>
> certpath: OCSP response validity interval is from Mon Nov 19 06:46:50
> CET 2018 until Tue Nov 20 06:46:50 CET 2018
>
> certpath: Checking validity of OCSP response on: Mon Nov 19 10:39:25 CET
> 2018
>
> certpath: X509CertSelector.match(SN: 1a5
>
> Issuer: CN=GTE CyberTrust Global Root, OU="GTE CyberTrust Solutions,
> Inc.", O=GTE Corporation, C=US
>
> Subject: CN=GTE CyberTrust Global Root, OU="GTE CyberTrust Solutions,
> Inc.", O=GTE Corporation, C=US)
>
> certpath: X509CertSelector.match: subject DNs don't match
>
> certpath: X509CertSelector.match(SN: 9b7e0649a33e62b9d5ee90487129ef57
>
> Issuer: CN=VeriSign Class 3 Public Primary Certification Authority -
> G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign
> Trust Network, O="VeriSign, Inc.", C=US
>
> Subject: CN=VeriSign Class 3 Public Primary Certification Authority -
> G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign
> Trust Network, O="VeriSign, Inc.", C=US)
>
> certpath: X509CertSelector.match: subject DNs don't match
>
> certpath: X509CertSelector.match(SN: b92f60cc889fa17a4609b85b706c8aaf
>
> Issuer: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For
> authorized use only", OU=Class 2 Public Primary Certification Authority
> - G2, O="VeriSign, Inc.", C=US
>
> Subject: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For
> authorized use only", OU=Class 2 Public Primary Certification Authority
> - G2, O="VeriSign, Inc.", C=US)
>
> certpath: X509CertSelector.match: subject DNs don't match
>
> certpath: X509CertSelector.match(SN: 67c8e1e8e3be1cbdfc913b8ea6238749
>
> Issuer: CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte,
> L=Durbanville, ST=Western Cape, C=ZA
>
> Subject: CN=Thawte Timestamping CA, OU=Thawte Certification,
> O=Thawte, L=Durbanville, ST=Western Cape, C=ZA)
>
> certpath: X509CertSelector.match: subject DNs don't match
>
> certpath: X509CertSelector.match(SN: 10020
>
> Issuer: CN=Certum CA, O=Unizeto Sp. z o.o., C=PL
>
> Subject: CN=Certum CA, O=Unizeto Sp. z o.o., C=PL)
>
> certpath: X509CertSelector.match: subject DNs don't match
>
> certpath: X509CertSelector.match(SN: 36122296c5e338a520a1d25f4cd70954
>
> Issuer: EMAILADDRESS=premium-server at thawte.com, CN=Thawte Premium
> Server CA, OU=Certification Services Division, O=Thawte Consulting cc,
> L=Cape Town, ST=Western Cape, C=ZA
>
> Subject: EMAILADDRESS=premium-server at thawte.com, CN=Thawte Premium
> Server CA, OU=Certification Services Division, O=Thawte Consulting cc,
> L=Cape Town, ST=Western Cape, C=ZA)
>
> certpath: X509CertSelector.match: subject DNs don't match
>
> STATUS:Passed.
>
> --------------------------------
>
> certpath: PKIXCertPathValidator.engineValidate()...
>
> certpath: X509CertSelector.match(SN: 9b7e0649a33e62b9d5ee90487129ef57
>
> Issuer: CN=VeriSign Class 3 Public Primary Certification Authority -
> G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign
> Trust Network, O="VeriSign, Inc.", C=US
>
> Subject: CN=VeriSign Class 3 Public Primary Certification Authority -
> G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign
> Trust Network, O="VeriSign, Inc.", C=US)
>
> certpath: X509CertSelector.match: subject DNs don't match
>
> certpath: X509CertSelector.match(SN: 1a5
>
> Issuer: CN=GTE CyberTrust Global Root, OU="GTE CyberTrust Solutions,
> Inc.", O=GTE Corporation, C=US
>
> Subject: CN=GTE CyberTrust Global Root, OU="GTE CyberTrust Solutions,
> Inc.", O=GTE Corporation, C=US)
>
> certpath: X509CertSelector.match: subject DNs don't match
>
> certpath: X509CertSelector.match(SN: 10020
>
> Issuer: CN=Certum CA, O=Unizeto Sp. z o.o., C=PL
>
> Subject: CN=Certum CA, O=Unizeto Sp. z o.o., C=PL)
>
> certpath: X509CertSelector.match: subject DNs don't match
>
> certpath: X509CertSelector.match(SN: 7dd9fe07cfa81eb7107967fba78934c6
>
> Issuer: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For
> authorized use only", OU=Class 3 Public Primary Certification Authority
> - G2, O="VeriSign, Inc.", C=US
>
> Subject: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For
> authorized use only", OU=Class 3 Public Primary Certification Authority
> - G2, O="VeriSign, Inc.", C=US)
>
> certpath: X509CertSelector.match: subject DNs don't match
>
> certpath: X509CertSelector.match(SN: 36122296c5e338a520a1d25f4cd70954
>
> Issuer: EMAILADDRESS=premium-server at thawte.com, CN=Thawte Premium
> Server CA, OU=Certification Services Division, O=Thawte Consulting cc,
> L=Cape Town, ST=Western Cape, C=ZA
>
> Subject: EMAILADDRESS=premium-server at thawte.com, CN=Thawte Premium
> Server CA, OU=Certification Services Division, O=Thawte Consulting cc,
> L=Cape Town, ST=Western Cape, C=ZA)
>
> certpath: X509CertSelector.match: subject DNs don't match
>
> certpath: X509CertSelector.match(SN: b92f60cc889fa17a4609b85b706c8aaf
>
> Issuer: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For
> authorized use only", OU=Class 2 Public Primary Certification Authority
> - G2, O="VeriSign, Inc.", C=US
>
> Subject: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For
> authorized use only", OU=Class 2 Public Primary Certification Authority
> - G2, O="VeriSign, Inc.", C=US)
>
> certpath: X509CertSelector.match: subject DNs don't match
>
> certpath: X509CertSelector.match(SN: 570a119742c4e3cc
>
> Issuer: CN=Actalis Authentication Root CA, O=Actalis
> S.p.A./03358520967, L=Milan, C=IT
>
> Subject: CN=Actalis Authentication Root CA, O=Actalis
> S.p.A./03358520967, L=Milan, C=IT)
>
> certpath: X509CertSelector.match returning: true
>
> certpath: YES - try this trustedCert
>
> certpath: anchor.getTrustedCert().getSubjectX500Principal() = CN=Actalis
> Authentication Root CA, O=Actalis S.p.A./03358520967, L=Milan, C=IT
>
> certpath: Constraints: MD2
>
> certpath: Constraints: MD5
>
> certpath: Constraints: SHA1 jdkCA & usage TLSServer
>
> certpath: Constraints set to jdkCA.
>
> certpath: Constraints usage length is 1
>
> certpath: Constraints: RSA keySize < 1024
>
> certpath: Constraints set to keySize: keySize < 1024
>
> certpath: Constraints: DSA keySize < 1024
>
> certpath: Constraints set to keySize: keySize < 1024
>
> certpath: Constraints: EC keySize < 224
>
> certpath: Constraints set to keySize: keySize < 224
>
> certpath: AlgorithmChecker.contains: SHA256withRSA
>
> certpath: AnchorCertificate.contains: matched CN=Actalis Authentication
> Root CA, O=Actalis S.p.A./03358520967, L=Milan, C=IT
>
> certpath: trustedMatch = true
>
> certpath: --------------------------------------------------------------
>
> certpath: Executing PKIX certification path validation algorithm.
>
> certpath: Checking cert1 - Subject: CN=Actalis Extended Validation
> Server CA G1, O=Actalis S.p.A./03358520967, L=Milano, ST=Milano, C=IT
>
> certpath: Set of critical extensions: {2.5.29.15, 2.5.29.19}
>
> certpath: -Using checker1 ...
> [sun.security.provider.certpath.UntrustedChecker]
>
> certpath: -checker1 validation succeeded
>
> certpath: -Using checker2 ...
> [sun.security.provider.certpath.AlgorithmChecker]
>
> certpath: Constraints.permits(): SHA256withRSA Variant: generic
>
> certpath: KeySizeConstraints.permits(): RSA
>
> certpath: -checker2 validation succeeded
>
> certpath: -Using checker3 ... [sun.security.provider.certpath.KeyChecker]
>
> certpath: KeyChecker.verifyCAKeyUsage() ---checking CA key usage...
>
> certpath: KeyChecker.verifyCAKeyUsage() CA key usage verified.
>
> certpath: -checker3 validation succeeded
>
> certpath: -Using checker4 ...
> [sun.security.provider.certpath.ConstraintsChecker]
>
> certpath: ---checking basic constraints...
>
> certpath: i = 1, maxPathLength = 2
>
> certpath: after processing, maxPathLength = 1
>
> certpath: basic constraints verified.
>
> certpath: ---checking name constraints...
>
> certpath: prevNC = null, newNC = null
>
> certpath: mergedNC = null
>
> certpath: name constraints verified.
>
> certpath: -checker4 validation succeeded
>
> certpath: -Using checker5 ... [sun.security.provider.certpath.PolicyChecker]
>
> certpath: PolicyChecker.checkPolicy() ---checking certificate policies...
>
> certpath: PolicyChecker.checkPolicy() certIndex = 1
>
> certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: explicitPolicy = 3
>
> certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: policyMapping = 3
>
> certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING:
> inhibitAnyPolicy = 3
>
> certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: policyTree =
> anyPolicy ROOT
>
> certpath: PolicyChecker.processPolicies() policiesCritical = false
>
> certpath: PolicyChecker.processPolicies() rejectPolicyQualifiers = true
>
> certpath: PolicyChecker.processPolicies() processing policy: 2.5.29.32.0
>
> certpath: PolicyChecker.processParents(): matchAny = true
>
> certpath: PolicyChecker.processParents() found parent:
>
> anyPolicy ROOT
>
> certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: explicitPolicy = 2
>
> certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: policyMapping = 2
>
> certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: inhibitAnyPolicy = 2
>
> certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: policyTree =
> anyPolicy ROOT
>
> anyPolicy CRIT: false EP: anyPolicy (1)
>
> certpath: PolicyChecker.checkPolicy() certificate policies verified
>
> certpath: -checker5 validation succeeded
>
> certpath: -Using checker6 ... [sun.security.provider.certpath.BasicChecker]
>
> certpath: ---checking validity:Mon Nov 19 10:39:25 CET 2018...
>
> certpath: validity verified.
>
> certpath: ---checking subject/issuer name chaining...
>
> certpath: subject/issuer name chaining verified.
>
> certpath: ---checking signature...
>
> certpath: signature verified.
>
> certpath: BasicChecker.updateState issuer: CN=Actalis Authentication
> Root CA, O=Actalis S.p.A./03358520967, L=Milan, C=IT; subject:
> CN=Actalis Extended Validation Server CA G1, O=Actalis
> S.p.A./03358520967, L=Milano, ST=Milano, C=IT; serial#: 3663163709977533131
>
> certpath: -checker6 validation succeeded
>
> certpath: -Using checker7 ...
> [sun.security.provider.certpath.RevocationChecker]
>
> certpath: RevocationChecker.check: checking cert
>
> SN: 32d62bfc 67501acb
>
> Subject: CN=Actalis Extended Validation Server CA G1, O=Actalis
> S.p.A./03358520967, L=Milano, ST=Milano, C=IT
>
> Issuer: CN=Actalis Authentication Root CA, O=Actalis
> S.p.A./03358520967, L=Milan, C=IT
>
> certpath: RevocationChecker.checkCRLs() ---checking revocation status ...
>
> certpath: RevocationChecker.checkCRLs() possible crls.size() = 0
>
> certpath: RevocationChecker.checkCRLs() approved crls.size() = 0
>
> certpath: DistributionPointFetcher.getCRLs: Checking CRLDPs for
> CN=Actalis Extended Validation Server CA G1, O=Actalis
> S.p.A./03358520967, L=Milano, ST=Milano, C=IT
>
> certpath: Trying to fetch CRL from DP
> ldap://ldap05.actalis.it/cn%3dActalis%20Authentication%20Root%20CA,o%3dActalis%20S.p.A.%2f03358520967,c%3dIT?certificateRevocationList;binary
>
> certpath: CertStore
> URI:ldap://ldap05.actalis.it/cn%3dActalis%20Authentication%20Root%20CA,o%3dActalis%20S.p.A.%2f03358520967,c%3dIT?certificateRevocationList;binary
>
> certpath: LDAPCertStore.engineGetCRLs() selector: null
>
> certpath: X509CertSelector.match(SN: 3c9131cb1ff6d01b0e9ab8d044bf12be
>
> Issuer: OU=Class 3 Public Primary Certification Authority,
> O="VeriSign, Inc.", C=US
>
> Subject: OU=Class 3 Public Primary Certification Authority,
> O="VeriSign, Inc.", C=US)
>
> certpath: X509CertSelector.match: subject DNs don't match
>
> certpath: X509CertSelector.match(SN: 67c8e1e8e3be1cbdfc913b8ea6238749
>
> Issuer: CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte,
> L=Durbanville, ST=Western Cape, C=ZA
>
> Subject: CN=Thawte Timestamping CA, OU=Thawte Certification,
> O=Thawte, L=Durbanville, ST=Western Cape, C=ZA)
>
> certpath: X509CertSelector.match: subject DNs don't match
>
> java.lang.RuntimeException: TEST FAILED: couldn't determine EE
> certificate status
>
> at
> ValidatePathWithParams.validate(ValidatePathWithParams.java:177)
>
> at ActalisCA.main(ActalisCA.java:235)
>
> at
> java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native
> Method)
>
> at
> java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>
> at
> java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>
> at
> java.base/java.lang.reflect.Method.invoke(Method.java:566)
>
> at
> com.sun.javatest.regtest.agent.MainWrapper$MainThread.run(MainWrapper.java:115)
>
> at java.base/java.lang.Thread.run(Thread.java:834)
>
> JavaTest Message: Test threw exception: java.lang.RuntimeException: TEST
> FAILED: couldn't determine EE certificate status
>
> JavaTest Message: shutting down test
>
> STATUS:Failed.`main' threw exception: java.lang.RuntimeException: TEST
> FAILED: couldn't determine EE certificate status
>
More information about the security-dev
mailing list