RFR (XS) : 8133489: Better messaging for PKIX path validation matching

Thu, 20 Jun 2019 05:59:04 -0700

A simple debugging enhancement to print out subjectkey ID details when mismatch is encountered. I encountered a DER encoding issue with an application server team a good while back and needed such a patch to debug the issue correctly. I added -Djava.security.debug=certpath to a testcase which tests this functionality. Sample output : 

certpath: X509CertSelector.match: subject key IDs don't match
certpath: 509CertSelector.match: subjectKeyID: [4, 20, -12, -2, 115, 79, -15, 106, 114, -58, 102, 43, 32, 26, 120, -76, -33, 50, -45, -56, -16, -38] certpath: 509CertSelector.match: certSubjectKeyID: [4, 20, -111, 93, -48, -86, -39, 59, -128, -118, 45, -10, 126, -76, -115, 126, -99, -106, -116, 107, 124, -63] 

regards,
Sean.


diff --git 
a/src/java.base/share/classes/java/security/cert/X509CertSelector.java 
b/src/java.base/share/classes/java/security/cert/X509CertSelector.java

--- a/src/java.base/share/classes/java/security/cert/X509CertSelector.java
+++ b/src/java.base/share/classes/java/security/cert/X509CertSelector.java
@@ -2117,6 +2117,10 @@
                 if (debug != null) {
                     debug.println("X509CertSelector.match: "
                         + "subject key IDs don't match");
+                    debug.println("509CertSelector.match:" +
+                        " subjectKeyID: " + Arrays.toString(subjectKeyID));
+                    debug.println("509CertSelector.match:" +

+                        " certSubjectKeyID: " + 
Arrays.toString(certSubjectKeyID));

                 }
                 return false;
             }

diff --git 
a/test/jdk/java/security/cert/CertPathBuilder/selfIssued/KeyUsageMatters.java 
b/test/jdk/java/security/cert/CertPathBuilder/selfIssued/KeyUsageMatters.java
--- 
a/test/jdk/java/security/cert/CertPathBuilder/selfIssued/KeyUsageMatters.java
+++ 
b/test/jdk/java/security/cert/CertPathBuilder/selfIssued/KeyUsageMatters.java

@@ -29,13 +29,13 @@

 /**
  * @test
- * @bug 6852744
+ * @bug 6852744 8133489
  * @summary PIT b61: PKI test suite fails because self signed certificates
  *          are being rejected
  * @modules java.base/sun.security.util
- * @run main/othervm KeyUsageMatters subca
- * @run main/othervm KeyUsageMatters subci
- * @run main/othervm KeyUsageMatters alice
+ * @run main/othervm -Djava.security.debug=certpath KeyUsageMatters subca
+ * @run main/othervm -Djava.security.debug=certpath KeyUsageMatters subci
+ * @run main/othervm -Djava.security.debug=certpath KeyUsageMatters alice
  * @author Xuelei Fan
  */























					Reply via email to