Suggestion to Improve Debug Messaging on CertPath.
Sean Mullan
sean.mullan at oracle.com
Tue Jul 29 20:47:58 UTC 2025
Hi Pooja,
While your request on its own seems reasonable, I am also wary about
adding too much noise to the debugging logs. Dumping an entire
certificate's contents to a log file is a lot of information. OTOH,
there may be more complicated certpath building scenarios, in which a
lot of repeated certificates are encountered, thus filling up the logs
with mostly information that is not useful.
I am curious as to how many certificates were involved in building this
chain? The log message gives a very good clue as to what the problem
might be. Was it really that hard to find out that two of them had the
same subject, public key and SAN?
Thanks,
Sean
On 7/28/25 7:22 AM, Pooja D P wrote:
> Hi Sean,
> Thank you for taking a look at my request for the *Suggestion to Improve
> Debug Messaging on CertPath*.
> I hadn’t received the follow-up email earlier, even though I had
> subscribed to the mailing list. There was an issue with the
> subscription, but it's now resolved and completed successfully. That’s
> how I came across your response. Apologies for the delay in getting back
> to you.
> To reply to your question below:
>
> >> If the certificate contains the same public key, subject and SAN,
> >> why does validation fail?
>
> If two certificates share the same subject, public key, and SANs but
> with *different serial numbers*, the actual certificate will be ignored.
> During the cert path validation process the code detects the two
> certificates as duplicates, and the first match the code finds is the
> certificate created by the application, not the actual certificate used
> by the customer. Because here the server expects a matching certificate
> and a valid trust store, and it received the default certificate which
> is created by the application, causing the TLS certificate validation to
> fail.
>
> The certpath debug trace shows that it found a "duplicate", but it
> doesn't state that it's going to ignore it, and doesn't provide any
> information on which certificates are actually
> involved.
>
> Suggestion/can be improved as below in:
> https://github.com/openjdk/jdk/blob/master/src/java.base/share/classes/sun/security/provider/certpath/SunCertPathBuilder.java#L583
>
> *debug.println("Certificate with repeated subject, public key, and
> subjectAltNames will be ignored: " + cert);*
>
> Or
>
> *debug.println("Certificate with repeated subject, public key, and
> subjectAltNames detected: " + cert);*
>
>
> While this may not be a common customer scenario, the enhancement is
> simple to implement and would significantly improve the clarity of
> debugging in certificate-related issues.
> Please let me know your thoughts.
>
> Thanks,
> Pooja
>
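The situation Pooja describes (two certificates with the same subject, public key and subjectAltNames but different serial numbers, of which the path builder keeps only the first it encounters) is easy to check for directly. The following is an added example, not JDK code and not part of this thread: it loads a PEM bundle whose path is given on the command line (the `RepeatedCertFinder` class name, the `Identity` helper and the bundle argument are assumptions) and reports every group of certificates that the builder would treat as repeats, printing a message modelled on the suggested debug line. Comparing the SAN list via its `toString()` is a simplification that works for DNS and IP names; and the order in the bundle is only illustrative, since the builder's own ordering depends on the cert stores it consults.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;

/**
 * Added example (hypothetical tool, not JDK code): reports certificates in a
 * PEM bundle that share subject, public key and subjectAltNames but carry
 * different serial numbers, i.e. the "repeated certificate" case that the
 * certpath builder skips silently.
 */
public class RepeatedCertFinder {

    /** The identity tuple the builder compares: subject + SubjectPublicKeyInfo + SAN list. */
    static final class Identity {
        final String subject;
        final byte[] spki;
        final String sans;

        Identity(X509Certificate cert) throws CertificateParsingException {
            this.subject = cert.getSubjectX500Principal().getName();
            this.spki = cert.getPublicKey().getEncoded();
            // Simplification (assumption): SAN entries compared by their string form.
            Collection<List<?>> altNames = cert.getSubjectAlternativeNames();
            this.sans = altNames == null ? "" : altNames.toString();
        }

        @Override public boolean equals(Object o) {
            if (!(o instanceof Identity)) return false;
            Identity other = (Identity) o;
            return subject.equals(other.subject)
                && Arrays.equals(spki, other.spki)
                && sans.equals(other.sans);
        }

        @Override public int hashCode() {
            return Objects.hash(subject, Arrays.hashCode(spki), sans);
        }
    }

    /** Groups certificates by identity, preserving first-seen order within each group. */
    static Map<Identity, List<X509Certificate>> groupByIdentity(Collection<X509Certificate> certs)
            throws CertificateParsingException {
        Map<Identity, List<X509Certificate>> groups = new HashMap<>();
        for (X509Certificate cert : certs) {
            groups.computeIfAbsent(new Identity(cert), k -> new ArrayList<>()).add(cert);
        }
        return groups;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java RepeatedCertFinder <bundle.pem>");
            System.exit(2);
        }
        // generateCertificates() accepts a file holding several PEM certificates.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> certs = new ArrayList<>();
        try (InputStream in = new FileInputStream(args[0])) {
            for (Certificate c : cf.generateCertificates(in)) {
                certs.add((X509Certificate) c);
            }
        }
        for (List<X509Certificate> group : groupByIdentity(certs).values()) {
            if (group.size() < 2) continue;
            X509Certificate first = group.get(0);
            System.out.println("Certificate with repeated subject, public key, and subjectAltNames: "
                + first.getSubjectX500Principal()
                + " serial=" + first.getSerialNumber().toString(16)
                + " (first seen in this bundle; the copies below differ only in serial/validity)");
            for (X509Certificate dup : group.subList(1, group.size())) {
                System.out.println("  repeated copy: serial=" + dup.getSerialNumber().toString(16)
                    + " notBefore=" + dup.getNotBefore() + " notAfter=" + dup.getNotAfter());
            }
        }
    }
}
```

Run it against the concatenation of the trust store's certificates and the server chain; if any group is printed, the serial numbers tell you which copy is the application-generated default and which is the customer's real certificate, which is exactly the information the current "duplicate" trace line omits.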