security/infra/java/security/cert/CertPathValidator/certification/GlobalSignR6CA.java jtreg test errors

Rajan Halade RAJAN.HALADE at ORACLE.COM
Fri Mar 20 16:45:25 UTC 2020


Hi Matthias,

I tried several runs of this test but am not able to reproduce the issue. May be requests from my tests are routed to different OCSP instance. OCSP responder instance can return internalError for inconsistent internal state.

How frequent is the failure for you if you are still seeing it?
 
Thanks,
Rajan

> On Mar 19, 2020, at 4:23 AM, Baesken, Matthias <matthias.baesken at sap.com> wrote:
> 
> Hello, for a few days we see the test security/infra/java/security/cert/CertPathValidator/certification/GlobalSignR6CA.java
> failing sometimes. The failures are seen not only in jdk/jdk but also in jdk11, that's why we suppose it might be
> some issue with the infrastructure and/or certificate authority ?
>  
> The errors  are like this one  (shows up on different OS platforms) :
> ...
>  
>   Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
>   Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US)
> certpath: X509CertSelector.match: subject DNs don't match
> java.lang.RuntimeException: TEST FAILED: couldn't determine EE certificate status
>                at ValidatePathWithParams.validate(ValidatePathWithParams.java:177)
>                at GlobalSignR6CA.main(GlobalSignR6CA.java:192)
>                at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>                at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>                at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>                at java.base/java.lang.reflect.Method.invoke(Method.java:566)
>                at com.sun.javatest.regtest.agent.MainWrapper$MainThread.run(MainWrapper.java:127)
>                at java.base/java.lang.Thread.run(Thread.java:834)
> Caused by: java.security.cert.CertPathValidatorException: OCSP response error: INTERNAL_ERROR
>                at java.base/sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:135)
>                at java.base/sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:237)
>                at java.base/sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:145)
>                at java.base/sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:84)
>                at java.base/java.security.cert.CertPathValidator.validate(CertPathValidator.java:309)
>                at ValidatePathWithParams.doCertPathValidate(ValidatePathWithParams.java:288)
>                at ValidatePathWithParams.validate(ValidatePathWithParams.java:142)
>                ... 7 more
> Caused by: java.security.cert.CertPathValidatorException: OCSP response error: INTERNAL_ERROR
>                at java.base/sun.security.provider.certpath.OCSPResponse.verify(OCSPResponse.java:386)
>                at java.base/sun.security.provider.certpath.OCSP.check(OCSP.java:195)
>                at java.base/sun.security.provider.certpath.RevocationChecker.checkOCSP(RevocationChecker.java:742)
>                at java.base/sun.security.provider.certpath.RevocationChecker.check(RevocationChecker.java:362)
>                at java.base/sun.security.provider.certpath.RevocationChecker.check(RevocationChecker.java:336)
>                at java.base/sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:125)
>                ... 13 more
>  
> Do you notice the issue in your jtreg tests as well ?
>  
> Any hints about this ?
>  
> Thanks, Matthias

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.openjdk.org/pipermail/security-dev/attachments/20200320/2572f181/attachment.htm>


More information about the security-dev mailing list