RFR (XS) : 8133489: Better messaging for PKIX path validation matching

Seán Coffey sean.coffey at oracle.com
Thu Jun 20 12:56:56 UTC 2019


A simple debugging enhancement to print out subject key ID details when 
a mismatch is encountered. I encountered a DER encoding issue with an 
application server team a good while back and needed such a patch to 
debug the issue correctly. I added -Djava.security.debug=certpath to a 
testcase which tests this functionality. Sample output:

certpath: X509CertSelector.match: subject key IDs don't match
certpath: 509CertSelector.match: subjectKeyID: [4, 20, -12, -2, 115, 79, 
-15, 106, 114, -58, 102, 43, 32, 26, 120, -76, -33, 50, -45, -56, -16, -38]
certpath: 509CertSelector.match: certSubjectKeyID: [4, 20, -111, 93, 
-48, -86, -39, 59, -128, -118, 45, -10, 126, -76, -115, 126, -99, -106, 
-116, 107, 124, -63]

regards,
Sean.

diff --git 
a/src/java.base/share/classes/java/security/cert/X509CertSelector.java 
b/src/java.base/share/classes/java/security/cert/X509CertSelector.java
--- a/src/java.base/share/classes/java/security/cert/X509CertSelector.java
+++ b/src/java.base/share/classes/java/security/cert/X509CertSelector.java
@@ -2117,6 +2117,10 @@
                  if (debug != null) {
                      debug.println("X509CertSelector.match: "
                          + "subject key IDs don't match");
+                    debug.println("509CertSelector.match:" +
+                        " subjectKeyID: " + Arrays.toString(subjectKeyID));
+                    debug.println("509CertSelector.match:" +
+                        " certSubjectKeyID: " + 
Arrays.toString(certSubjectKeyID));
                  }
                  return false;
              }
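Review bot: the two added debug.println calls use the prefix "509CertSelector.match:", dropping the leading "X" that the existing line directly above them uses ("X509CertSelector.match: "). Anyone filtering certpath debug output on the class name will see the "don't match" line but miss the two lines that carry the actual values, so the prefix should be made identical. Separately, Arrays.toString on a byte[] prints signed decimals (the sample output shows values such as -12 and -111), which cannot be compared directly with the hex form in which key identifiers are usually displayed; a hex rendering of subjectKeyID and certSubjectKeyID would make the mismatch easier to diagnose.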
diff --git 
a/test/jdk/java/security/cert/CertPathBuilder/selfIssued/KeyUsageMatters.java 
b/test/jdk/java/security/cert/CertPathBuilder/selfIssued/KeyUsageMatters.java
--- 
a/test/jdk/java/security/cert/CertPathBuilder/selfIssued/KeyUsageMatters.java
+++ 
b/test/jdk/java/security/cert/CertPathBuilder/selfIssued/KeyUsageMatters.java
@@ -29,13 +29,13 @@

  /**
   * @test
- * @bug 6852744
+ * @bug 6852744 8133489
   * @summary PIT b61: PKI test suite fails because self signed certificates
   *          are being rejected
   * @modules java.base/sun.security.util
- * @run main/othervm KeyUsageMatters subca
- * @run main/othervm KeyUsageMatters subci
- * @run main/othervm KeyUsageMatters alice
+ * @run main/othervm -Djava.security.debug=certpath KeyUsageMatters subca
+ * @run main/othervm -Djava.security.debug=certpath KeyUsageMatters subci
+ * @run main/othervm -Djava.security.debug=certpath KeyUsageMatters alice
   * @author Xuelei Fan
   */
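Review bot: the three @run lines now pass -Djava.security.debug=certpath, but nothing visible in this hunk checks the resulting output, so the test would pass unchanged if the new println calls were removed or threw only on a path the test never reaches. It would help to state in the RFR whether any of the subca, subci or alice runs actually reaches the subject key ID mismatch branch, or to capture the debug stream and check that the subjectKeyID and certSubjectKeyID lines appear.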


