Hi Sean,
Thank you for taking a look at my request for the Suggestion to Improve Debug 
Messaging on CertPath.
I hadn’t received the follow-up email earlier, even though I had subscribed to 
the mailing list. There was an issue with the subscription, but it's now 
resolved and completed successfully. That’s how I came across your response. 
Apologies for the delay in getting back to you.
To reply to your question below,

 >> If the certificate contains the same public key, subject and SAN, why does 
 >> validation fail?

If two certificates share the same subject, public key, and SANs but have 
different serial numbers, the actual certificate will be ignored. During the cert 
path validation process, the code detects the two certificates as duplicates, and 
the first match it finds is the certificate created by the application, not the 
actual certificate used by the customer. Because here the server expects a matching 
certificate and a valid trust store, and it received the default certificate 
created by the application, the TLS certificate validation fails.

The certpath debug trace shows that it found a "duplicate", but it doesn't 
state that it's going to ignore it, and doesn't provide any information on 
which certificates are actually involved.


Suggestion: this can be improved as below in:
https://github.com/openjdk/jdk/blob/master/src/java.base/share/classes/sun/security/provider/certpath/SunCertPathBuilder.java#L583


debug.println("Certificate with repeated subject, public key, and 
subjectAltNames will be ignored: " + cert);

Or

debug.println("Certificate with repeated subject, public key, and 
subjectAltNames detected: " + cert);


While this may not be a common customer scenario, the enhancement is simple 
to implement and would significantly improve the clarity of debugging in 
certificate-related issues.
Please let me know your thoughts.

Thanks,
Pooja
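The "first match wins" behaviour described in the message above, as an added, simplified model that is not the JDK's SunCertPathBuilder code: subject, key and SANs are plain strings standing in for X500Principal, PublicKey and getSubjectAlternativeNames() values, the candidate order is assumed to come from the store, and the sample serials and names are constructed.

```java
import java.math.BigInteger;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;

// Model of a candidate certificate (assumption: strings instead of JDK types).
record Cert(String subject, String publicKey, Set<String> sans, BigInteger serial) {
    // Identity used for the "duplicate" decision; the serial number is deliberately
    // not part of it, which is why two distinct certificates collide.
    String dedupKey() { return subject + "|" + publicKey + "|" + new TreeSet<>(sans); }
}

class CandidateFilter {
    static final List<String> debugLog = new ArrayList<>();

    // Keeps the first candidate per (subject, key, SANs) triple and records which
    // certificate was dropped, by serial number, so the trace says what happened
    // instead of only reporting that a "duplicate" was seen.
    static List<Cert> dedup(List<Cert> candidates) {
        Map<String, Cert> seen = new LinkedHashMap<>();
        for (Cert c : candidates) {
            Cert first = seen.putIfAbsent(c.dedupKey(), c);
            if (first != null) {
                debugLog.add("Certificate with repeated subject, public key, and subjectAltNames"
                    + " will be ignored: serial=" + c.serial().toString(16)
                    + " (keeping serial=" + first.serial().toString(16)
                    + ", subject=" + c.subject() + ")");
            }
        }
        return new ArrayList<>(seen.values());
    }

    public static void main(String[] args) {
        Set<String> sans = Set.of("DNS:example.com");                       // constructed
        Cert appDefault = new Cert("CN=example.com", "KEY-1", sans, BigInteger.ONE);
        Cert customer   = new Cert("CN=example.com", "KEY-1", sans, new BigInteger("1a2b", 16));
        // The application-created certificate is listed first, so it is the one kept
        // and the customer's certificate (serial 1a2b) is silently dropped.
        List<Cert> kept = dedup(List.of(appDefault, customer));
        System.out.println("kept serial=" + kept.get(0).serial().toString(16));
        debugLog.forEach(System.out::println);
    }
}
```

Running it keeps serial 1 and logs that serial 1a2b was ignored, which is exactly the detail the current trace omits.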