Hello, I wonder if you have some input regarding the following issue.
I noticed a couple of instabilities (in jdk13 and higher) in the test
security/infra/java/security/cert/CertPathValidator/certification/LuxTrustCA.java.
The test sometimes fails when validating the "validity interval" of OCSP
responses:
Example output is like:
certpath: OCSP response validity interval is from Wed Dec 04 01:05:27 CET 2019
certpath: Checking validity of OCSP response on: Wed Dec 04 01:39:15 CET 2019
<--------- default interval is system time "on" machine +/- 15 minutes, this is seen as valid by OpenJDK
...
java.lang.RuntimeException: TEST FAILED: couldn't determine EE certificate status
    at ValidatePathWithParams.validate(ValidatePathWithParams.java:177)
    at LuxTrustCA.main(LuxTrustCA.java:186)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:564)
    at com.sun.javatest.regtest.agent.MainWrapper$MainThread.run(MainWrapper.java:127)
    at java.base/java.lang.Thread.run(Thread.java:832)
stdout contains:
Received exception: java.security.cert.CertPathValidatorException: Response is unreliable: its validity interval is out-of-date
So our system time "on" machine (01:39:15 CET 2019 +/- 15 minutes)
does not contain the time from OCSP response (01:05:27 CET 2019).
Reason is unclear, of course the time on the test machine could be wrong,
but we see the issue on multiple machines and when looking into the system
times of the machines they look fine.
Maybe the time info from the OCSP response is wrong, at least it looks
like this is the issue here.
Have you seen similar issues (also in other tests dealing with OCSP response
validity checks)?
Do you think that increasing the acceptance interval, e.g. by setting it
to -Dcom.sun.security.ocsp.clockSkew=9000000 in
security/infra/java/security/cert/CertPathValidator/certification/LuxTrustCA.java
would be okay?
(I'd like to add a little bit more tracing too so that in case of such errors
it is easier to understand the issue.)
Best regards, Matthias
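
The interval check the message describes, worked through with the two timestamps from its log, as an added example that is not part of the original message and not OpenJDK's own code. The class and method names are hypothetical, and the rule that a response without nextUpdate must have thisUpdate within the skew of the current time is an assumption made because the log shows only a "from" time.

```java
import java.time.Duration;
import java.time.Instant;

public class OcspFreshnessWindow {
    /**
     * Freshness rule modelled here (an assumption, not copied from the JDK):
     * reject when thisUpdate is after now+skew, or when the end of the
     * interval (nextUpdate, or thisUpdate if nextUpdate is absent) is
     * before now-skew.
     */
    static boolean isFresh(Instant thisUpdate, Instant nextUpdate, Instant now, Duration skew) {
        Instant end = (nextUpdate != null) ? nextUpdate : thisUpdate;
        boolean notYetValid = now.plus(skew).isBefore(thisUpdate);
        boolean expired = now.minus(skew).isAfter(end);
        return !(notYetValid || expired);
    }

    /** Smallest skew that makes the response pass; zero if it passes already. */
    static Duration minimalSkew(Instant thisUpdate, Instant nextUpdate, Instant now) {
        Instant end = (nextUpdate != null) ? nextUpdate : thisUpdate;
        if (now.isBefore(thisUpdate)) return Duration.between(now, thisUpdate);
        if (now.isAfter(end)) return Duration.between(end, now);
        return Duration.ZERO;
    }

    public static void main(String[] args) {
        // Timestamps taken from the log in the message; CET is UTC+01:00.
        Instant thisUpdate = Instant.parse("2019-12-04T00:05:27Z");
        Instant now = Instant.parse("2019-12-04T00:39:15Z");
        Instant nextUpdate = null; // assumption: the log shows only a "from" time

        Duration defaultSkew = Duration.ofMinutes(15);
        System.out.println("age of response: "
                + Duration.between(thisUpdate, now).getSeconds() + " s");
        System.out.println("fresh with 15 min skew: "
                + isFresh(thisUpdate, nextUpdate, now, defaultSkew));
        Duration needed = minimalSkew(thisUpdate, nextUpdate, now);
        System.out.println("minimal skew to accept: " + needed.getSeconds() + " s");
        System.out.println("fresh with that skew: "
                + isFresh(thisUpdate, nextUpdate, now, needed));

        // Constructed counter-case: the same response with a nextUpdate one hour later.
        Instant withNext = thisUpdate.plus(Duration.ofHours(1));
        System.out.println("fresh if nextUpdate were present: "
                + isFresh(thisUpdate, withNext, now, defaultSkew));
    }
}
```

A larger skew also lengthens the time during which an old response is still accepted, so a widened value is better confined to the test than carried into other configurations.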