Hi Pooja,
While your request on its own seems reasonable, I am also wary of
adding too much noise to the debugging logs. Dumping an entire
certificate's contents to a log file is a lot of information. OTOH,
there may be more complicated certpath building scenarios, in which a
lot of repeated certificates are encountered, thus filling up the logs
with mostly information that is not useful.
I am curious as to how many certificates were involved in building this
chain? The log message gives a very good clue as to what the problem
might be. Was it really that hard to find out that two of them had the
same subject, public key and SAN?
Thanks,
Sean
On 7/28/25 7:22 AM, Pooja D P wrote:
Hi Sean,
Thank you for taking a look at my request for the *Suggestion to Improve
Debug Messaging on CertPath*.
I hadn’t received the follow-up email earlier, even though I had
subscribed to the mailing list. There was an issue with the
subscription, but it's now resolved and completed successfully. That’s
how I came across your response. Apologies for the delay in getting back
to you.
To reply to your question below,
*>> If the certificate contains the same public key, subject and SAN,
why does validation fail?*
If two certificates share the same subject, public key, and SANs but
with *different serial numbers*, the actual certificate will be ignored.
During the cert path validation process, the code detects the two
certificates as duplicates, and the first match it finds is the
certificate created by the application, not the actual certificate used
by the customer. Because the server expects a matching certificate and a
valid trust store, and it instead received the default certificate
created by the application, the TLS certificate validation fails.
The certpath debug trace shows that it found a "duplicate", but it
doesn't state that it's going to ignore it, and doesn't provide any
information on which certificates are actually involved.
Suggestion/Can be improved as below in:
https://github.com/openjdk/jdk/blob/master/src/java.base/share/classes/sun/security/provider/certpath/SunCertPathBuilder.java#L583
debug.println("Certificate with repeated subject, public key, and
subjectAltNames will be ignored: " + cert);
Or
debug.println("Certificate with repeated subject, public key, and
subjectAltNames detected: " + cert);
While this may not be a common customer scenario, the enhancement is
simple to implement and would significantly improve the clarity of
debugging in certificate-related issues.
Please let me know your thoughts.
Thanks,
Pooja
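The situation Pooja describes, reproduced as an added example (this is not code from the thread and not the JDK's own SunCertPathBuilder logic): two self-signed certificates are built with the same subject, public key and subjectAltNames but different serial numbers, and a first-match-wins pruning pass records exactly which certificate was dropped and which one was kept. It assumes the third-party `cryptography` package, and the dedup key is an assumption modelled on the three fields named in the thread; the certificates themselves are constructed test input, not real site certificates.

```python
"""Reproduce two certificates that share subject, public key and SAN but
differ in serial number, and show a duplicate-pruning diagnostic that
identifies both of them.

Added example; assumes the third-party `cryptography` package. The dedup
key follows the three fields named in the mailing-list thread and is a
model, not the JDK's SunCertPathBuilder code.
"""
import datetime
import hashlib

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def make_cert(key, serial, cn, sans):
    """Build a constructed, self-signed test certificate (not a real cert)."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    start = datetime.datetime(2025, 7, 1, tzinfo=datetime.timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(serial)
        .not_valid_before(start)
        .not_valid_after(start + datetime.timedelta(days=30))
        .add_extension(
            x509.SubjectAlternativeName([x509.DNSName(s) for s in sans]),
            critical=False,
        )
        .sign(key, hashes.SHA256())
    )


def dedup_key(cert):
    """Assumed duplicate key: subject DER, SubjectPublicKeyInfo DER, DNS SANs.

    Serial number is deliberately NOT part of the key, which is why two
    certificates that differ only in serial collide.
    """
    spki = cert.public_key().public_bytes(
        serialization.Encoding.DER,
        serialization.PublicFormat.SubjectPublicKeyInfo,
    )
    try:
        san = cert.extensions.get_extension_for_class(
            x509.SubjectAlternativeName
        ).value
        san_values = tuple(sorted(san.get_values_for_type(x509.DNSName)))
    except x509.ExtensionNotFound:
        san_values = ()
    return (cert.subject.public_bytes(), spki, san_values)


def fingerprint(cert):
    """Short SHA-256 fingerprint of the DER encoding, enough to tell certs apart."""
    return hashlib.sha256(
        cert.public_bytes(serialization.Encoding.DER)
    ).hexdigest()[:16]


def prune_duplicates(certs):
    """First match wins, as described in the thread.

    Returns (kept, diagnostics); each diagnostic names the ignored cert and
    the cert that shadowed it, by serial number and fingerprint.
    """
    kept = {}
    diagnostics = []
    for cert in certs:
        key = dedup_key(cert)
        if key in kept:
            winner = kept[key]
            diagnostics.append(
                "Certificate with repeated subject, public key and "
                "subjectAltNames ignored: "
                f"subject={cert.subject.rfc4514_string()} "
                f"serial={cert.serial_number:#x} sha256={fingerprint(cert)}; "
                f"keeping serial={winner.serial_number:#x} "
                f"sha256={fingerprint(winner)}"
            )
        else:
            kept[key] = cert
    return list(kept.values()), diagnostics


def demo():
    """Constructed scenario: app default cert is seen before the customer's."""
    key = ec.generate_private_key(ec.SECP256R1())  # shared key pair
    sans = ["example.test", "www.example.test"]
    app_default = make_cert(key, 0x1001, "example.test", sans)   # found first
    customer = make_cert(key, 0x2002, "example.test", sans)      # ignored
    other = make_cert(key, 0x3003, "example.test", ["other.test"])  # distinct SAN
    return prune_duplicates([app_default, customer, other])


if __name__ == "__main__":
    kept, diags = demo()
    print("kept serials:", [hex(c.serial_number) for c in kept])
    for line in diags:
        print(line)
```

Running it shows that only the serial number (and therefore the DER fingerprint) distinguishes the two colliding certificates, which is why a debug line that prints the ignored certificate, or at least its serial and fingerprint, is what makes the "duplicate" message actionable.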