Hello, since 18th / 19th November we notice an error in the jtreg test security/infra/java/security/cert/CertPathValidator/certification/ActalisCA.java
(on all platforms, for example linux x86_64 ). Has anyone else seen the issue, or is it just us ? Thanks, Matthias Error (stderr) output is : :stdErr: Mon Nov 19 10:39:26 CET 2018 certpath: PKIXCertPathValidator.engineValidate()... certpath: X509CertSelector.match(SN: 36122296c5e338a520a1d25f4cd70954 Issuer: EMAILADDRESS=premium-ser...@thawte.com, CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA Subject: EMAILADDRESS=premium-ser...@thawte.com, CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA) certpath: X509CertSelector.match: subject DNs don't match certpath: X509CertSelector.match(SN: 3c9131cb1ff6d01b0e9ab8d044bf12be Issuer: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US Subject: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US) certpath: X509CertSelector.match: subject DNs don't match certpath: X509CertSelector.match(SN: 570a119742c4e3cc Issuer: CN=Actalis Authentication Root CA, O=Actalis S.p.A./03358520967, L=Milan, C=IT Subject: CN=Actalis Authentication Root CA, O=Actalis S.p.A./03358520967, L=Milan, C=IT) certpath: X509CertSelector.match returning: true certpath: YES - try this trustedCert certpath: anchor.getTrustedCert().getSubjectX500Principal() = CN=Actalis Authentication Root CA, O=Actalis S.p.A./03358520967, L=Milan, C=IT certpath: Constraints: MD2 certpath: Constraints: MD5 certpath: Constraints: SHA1 jdkCA & usage TLSServer certpath: Constraints set to jdkCA. certpath: Constraints usage length is 1 certpath: Constraints: RSA keySize < 1024 certpath: Constraints set to keySize: keySize < 1024 certpath: Constraints: DSA keySize < 1024 certpath: Constraints set to keySize: keySize < 1024 certpath: Constraints: EC keySize < 224 certpath: Constraints set to keySize: keySize < 224 certpath: AlgorithmChecker.contains: SHA256withRSA certpath: AnchorCertificate.contains: matched CN=Actalis Authentication Root CA, O=Actalis S.p.A./03358520967, L=Milan, C=IT certpath: trustedMatch = true certpath: -------------------------------------------------------------- certpath: Executing PKIX certification path validation algorithm. certpath: Checking cert1 - Subject: CN=Actalis Extended Validation Server CA G1, O=Actalis S.p.A./03358520967, L=Milano, ST=Milano, C=IT certpath: Set of critical extensions: {2.5.29.15, 2.5.29.19} certpath: -Using checker1 ... [sun.security.provider.certpath.UntrustedChecker] certpath: -checker1 validation succeeded certpath: -Using checker2 ... [sun.security.provider.certpath.AlgorithmChecker] certpath: Constraints.permits(): SHA256withRSA Variant: generic certpath: KeySizeConstraints.permits(): RSA certpath: -checker2 validation succeeded certpath: -Using checker3 ... [sun.security.provider.certpath.KeyChecker] certpath: KeyChecker.verifyCAKeyUsage() ---checking CA key usage... certpath: KeyChecker.verifyCAKeyUsage() CA key usage verified. certpath: -checker3 validation succeeded certpath: -Using checker4 ... [sun.security.provider.certpath.ConstraintsChecker] certpath: ---checking basic constraints... certpath: i = 1, maxPathLength = 2 certpath: after processing, maxPathLength = 1 certpath: basic constraints verified. certpath: ---checking name constraints... certpath: prevNC = null, newNC = null certpath: mergedNC = null certpath: name constraints verified. certpath: -checker4 validation succeeded certpath: -Using checker5 ... [sun.security.provider.certpath.PolicyChecker] certpath: PolicyChecker.checkPolicy() ---checking certificate policies... certpath: PolicyChecker.checkPolicy() certIndex = 1 certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: explicitPolicy = 3 certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: policyMapping = 3 certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: inhibitAnyPolicy = 3 certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: policyTree = anyPolicy ROOT certpath: PolicyChecker.processPolicies() policiesCritical = false certpath: PolicyChecker.processPolicies() rejectPolicyQualifiers = true certpath: PolicyChecker.processPolicies() processing policy: 2.5.29.32.0 certpath: PolicyChecker.processParents(): matchAny = true certpath: PolicyChecker.processParents() found parent: anyPolicy ROOT certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: explicitPolicy = 2 certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: policyMapping = 2 certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: inhibitAnyPolicy = 2 certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: policyTree = anyPolicy ROOT anyPolicy CRIT: false EP: anyPolicy (1) certpath: PolicyChecker.checkPolicy() certificate policies verified certpath: -checker5 validation succeeded certpath: -Using checker6 ... [sun.security.provider.certpath.BasicChecker] certpath: ---checking validity:Mon Nov 19 10:39:24 CET 2018... certpath: validity verified. certpath: ---checking subject/issuer name chaining... certpath: subject/issuer name chaining verified. certpath: ---checking signature... certpath: signature verified. certpath: BasicChecker.updateState issuer: CN=Actalis Authentication Root CA, O=Actalis S.p.A./03358520967, L=Milan, C=IT; subject: CN=Actalis Extended Validation Server CA G1, O=Actalis S.p.A./03358520967, L=Milano, ST=Milano, C=IT; serial#: 3663163709977533131 certpath: -checker6 validation succeeded certpath: -Using checker7 ... [sun.security.provider.certpath.RevocationChecker] certpath: RevocationChecker.check: checking cert SN: 32d62bfc 67501acb Subject: CN=Actalis Extended Validation Server CA G1, O=Actalis S.p.A./03358520967, L=Milano, ST=Milano, C=IT Issuer: CN=Actalis Authentication Root CA, O=Actalis S.p.A./03358520967, L=Milan, C=IT certpath: connecting to OCSP service at: http://ocsp05.actalis.it/VA/AUTH-ROOT certpath: OCSP response status: SUCCESSFUL certpath: OCSP response type: basic certpath: Responder ID: byName: CN=Actalis Authentication Root CA - OCSP Responder, O=Actalis S.p.A./03358520967, C=IT certpath: OCSP response produced at: Mon Nov 19 10:39:24 CET 2018 certpath: OCSP number of SingleResponses: 1 certpath: thisUpdate: Fri Oct 19 14:29:36 CEST 2018 certpath: nextUpdate: Thu Jan 17 13:29:36 CET 2019 certpath: OCSP response cert #1: CN=Actalis Authentication Root CA - OCSP Responder, O=Actalis S.p.A./03358520967, C=IT certpath: Status of certificate (with serial number 3663163709977533131) is: GOOD certpath: AlgorithmChecker.contains: SHA256withRSA certpath: AnchorCertificate.contains: matched CN=Actalis Authentication Root CA, O=Actalis S.p.A./03358520967, L=Milan, C=IT certpath: trustedMatch = true certpath: Constraints.permits(): SHA256withRSA Variant: generic certpath: KeySizeConstraints.permits(): RSA certpath: Responder's certificate includes the extension id-pkix-ocsp-nocheck. certpath: OCSP response is signed by an Authorized Responder certpath: Constraints.permits(): SHA1withRSA Variant: generic certpath: jdkCAConstraints.permits(): SHA1 certpath: Verified signature of OCSP Response certpath: OCSP response validity interval is from Fri Oct 19 14:29:36 CEST 2018 until Thu Jan 17 13:29:36 CET 2019 certpath: Checking validity of OCSP response on: Mon Nov 19 10:39:24 CET 2018 certpath: -checker7 validation succeeded certpath: cert1 validation succeeded. certpath: Checking cert2 - Subject: OID.1.3.6.1.4.1.311.60.2.1.3=IT, STREET=Via S. Clemente 53, OID.2.5.4.15=Private Organization, CN=www.actalis.it, SERIALNUMBER=03358520967, O=Actalis S.p.A., L=Ponte San Pietro, ST=Bergamo, C=IT certpath: Set of critical extensions: {2.5.29.15, 2.5.29.19} certpath: -Using checker1 ... [sun.security.provider.certpath.UntrustedChecker] certpath: -checker1 validation succeeded certpath: -Using checker2 ... [sun.security.provider.certpath.AlgorithmChecker] certpath: Constraints.permits(): SHA256withRSA Variant: generic certpath: KeySizeConstraints.permits(): RSA certpath: -checker2 validation succeeded certpath: -Using checker3 ... [sun.security.provider.certpath.KeyChecker] certpath: -checker3 validation succeeded certpath: -Using checker4 ... [sun.security.provider.certpath.ConstraintsChecker] certpath: ---checking basic constraints... certpath: i = 2, maxPathLength = 1 certpath: after processing, maxPathLength = 1 certpath: basic constraints verified. certpath: ---checking name constraints... certpath: prevNC = null, newNC = null certpath: mergedNC = null certpath: name constraints verified. certpath: -checker4 validation succeeded certpath: -Using checker5 ... [sun.security.provider.certpath.PolicyChecker] certpath: PolicyChecker.checkPolicy() ---checking certificate policies... certpath: PolicyChecker.checkPolicy() certIndex = 2 certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: explicitPolicy = 2 certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: policyMapping = 2 certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: inhibitAnyPolicy = 2 certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: policyTree = anyPolicy ROOT anyPolicy CRIT: false EP: anyPolicy (1) certpath: PolicyChecker.processPolicies() policiesCritical = false certpath: PolicyChecker.processPolicies() rejectPolicyQualifiers = true certpath: PolicyChecker.processPolicies() processing policy: 1.3.159.1.17.1 certpath: PolicyChecker.processParents(): matchAny = false certpath: PolicyChecker.processParents(): matchAny = true certpath: PolicyChecker.processParents() found parent: anyPolicy CRIT: false EP: anyPolicy (1) certpath: PolicyChecker.processPolicies() processing policy: 2.23.140.1.1 certpath: PolicyChecker.processParents(): matchAny = false certpath: PolicyChecker.processParents(): matchAny = true certpath: PolicyChecker.processParents() found parent: anyPolicy CRIT: false EP: anyPolicy (1) certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: explicitPolicy = 2 certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: policyMapping = 2 certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: inhibitAnyPolicy = 2 certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: policyTree = anyPolicy ROOT anyPolicy CRIT: false EP: anyPolicy (1) 1.3.159.1.17.1 CRIT: false EP: 1.3.159.1.17.1 (2) 2.23.140.1.1 CRIT: false EP: 2.23.140.1.1 (2) certpath: PolicyChecker.checkPolicy() certificate policies verified certpath: -checker5 validation succeeded certpath: -Using checker6 ... [sun.security.provider.certpath.BasicChecker] certpath: ---checking validity:Mon Nov 19 10:39:24 CET 2018... certpath: validity verified. certpath: ---checking subject/issuer name chaining... certpath: subject/issuer name chaining verified. certpath: ---checking signature... certpath: signature verified. certpath: BasicChecker.updateState issuer: CN=Actalis Extended Validation Server CA G1, O=Actalis S.p.A./03358520967, L=Milano, ST=Milano, C=IT; subject: OID.1.3.6.1.4.1.311.60.2.1.3=IT, STREET=Via S. Clemente 53, OID.2.5.4.15=Private Organization, CN=www.actalis.it, SERIALNUMBER=03358520967, O=Actalis S.p.A., L=Ponte San Pietro, ST=Bergamo, C=IT; serial#: 1076059514591231458 certpath: -checker6 validation succeeded certpath: -Using checker7 ... [sun.security.provider.certpath.RevocationChecker] certpath: RevocationChecker.check: checking cert SN: 0eeeee6d 6463bde2 Subject: OID.1.3.6.1.4.1.311.60.2.1.3=IT, STREET=Via S. Clemente 53, OID.2.5.4.15=Private Organization, CN=www.actalis.it, SERIALNUMBER=03358520967, O=Actalis S.p.A., L=Ponte San Pietro, ST=Bergamo, C=IT Issuer: CN=Actalis Extended Validation Server CA G1, O=Actalis S.p.A./03358520967, L=Milano, ST=Milano, C=IT certpath: connecting to OCSP service at: http://ocsp05.actalis.it/VA/AUTHEV-G1 certpath: OCSP response status: SUCCESSFUL certpath: OCSP response type: basic certpath: Responder ID: byName: CN=Actalis Extended Validation Server CA G1 - OCSP Responder, O=Actalis S.p.A./03358520967, L=Milano, ST=Milano, C=IT certpath: OCSP response produced at: Mon Nov 19 10:39:24 CET 2018 certpath: OCSP number of SingleResponses: 1 certpath: thisUpdate: Mon Nov 19 07:19:26 CET 2018 certpath: nextUpdate: Tue Nov 20 07:19:26 CET 2018 certpath: OCSP response cert #1: CN=Actalis Extended Validation Server CA G1 - OCSP Responder, O=Actalis S.p.A./03358520967, L=Milano, ST=Milano, C=IT certpath: Status of certificate (with serial number 1076059514591231458) is: GOOD certpath: AlgorithmChecker.contains: SHA256withRSA certpath: AnchorCertificate.contains: matched CN=Actalis Authentication Root CA, O=Actalis S.p.A./03358520967, L=Milan, C=IT certpath: trustedMatch = true certpath: Constraints.permits(): SHA256withRSA Variant: generic certpath: KeySizeConstraints.permits(): RSA certpath: Responder's certificate includes the extension id-pkix-ocsp-nocheck. certpath: OCSP response is signed by an Authorized Responder certpath: Constraints.permits(): SHA1withRSA Variant: generic certpath: jdkCAConstraints.permits(): SHA1 certpath: Verified signature of OCSP Response certpath: OCSP response validity interval is from Mon Nov 19 07:19:26 CET 2018 until Tue Nov 20 07:19:26 CET 2018 certpath: Checking validity of OCSP response on: Mon Nov 19 10:39:25 CET 2018 certpath: -checker7 validation succeeded certpath: cert2 validation succeeded. certpath: Cert path validation succeeded. (PKIX validation algorithm) certpath: -------------------------------------------------------------- certpath: PKIXCertPathValidator.engineValidate()... certpath: X509CertSelector.match(SN: 3c9131cb1ff6d01b0e9ab8d044bf12be Issuer: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US Subject: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US) certpath: X509CertSelector.match: subject DNs don't match certpath: X509CertSelector.match(SN: 7dd9fe07cfa81eb7107967fba78934c6 Issuer: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 3 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US Subject: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 3 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US) certpath: X509CertSelector.match: subject DNs don't match certpath: X509CertSelector.match(SN: 570a119742c4e3cc Issuer: CN=Actalis Authentication Root CA, O=Actalis S.p.A./03358520967, L=Milan, C=IT Subject: CN=Actalis Authentication Root CA, O=Actalis S.p.A./03358520967, L=Milan, C=IT) certpath: X509CertSelector.match returning: true certpath: YES - try this trustedCert certpath: anchor.getTrustedCert().getSubjectX500Principal() = CN=Actalis Authentication Root CA, O=Actalis S.p.A./03358520967, L=Milan, C=IT certpath: AlgorithmChecker.contains: SHA256withRSA certpath: AnchorCertificate.contains: matched CN=Actalis Authentication Root CA, O=Actalis S.p.A./03358520967, L=Milan, C=IT certpath: trustedMatch = true certpath: -------------------------------------------------------------- certpath: Executing PKIX certification path validation algorithm. certpath: Checking cert1 - Subject: CN=Actalis Authentication CA G3, O=Actalis S.p.A./03358520967, L=Milano, ST=Milano, C=IT certpath: Set of critical extensions: {2.5.29.15, 2.5.29.19} certpath: -Using checker1 ... [sun.security.provider.certpath.UntrustedChecker] certpath: -checker1 validation succeeded certpath: -Using checker2 ... [sun.security.provider.certpath.AlgorithmChecker] certpath: Constraints.permits(): SHA256withRSA Variant: generic certpath: KeySizeConstraints.permits(): RSA certpath: -checker2 validation succeeded certpath: -Using checker3 ... [sun.security.provider.certpath.KeyChecker] certpath: KeyChecker.verifyCAKeyUsage() ---checking CA key usage... certpath: KeyChecker.verifyCAKeyUsage() CA key usage verified. certpath: -checker3 validation succeeded certpath: -Using checker4 ... [sun.security.provider.certpath.ConstraintsChecker] certpath: ---checking basic constraints... certpath: i = 1, maxPathLength = 2 certpath: after processing, maxPathLength = 1 certpath: basic constraints verified. certpath: ---checking name constraints... certpath: prevNC = null, newNC = null certpath: mergedNC = null certpath: name constraints verified. certpath: -checker4 validation succeeded certpath: -Using checker5 ... [sun.security.provider.certpath.PolicyChecker] certpath: PolicyChecker.checkPolicy() ---checking certificate policies... certpath: PolicyChecker.checkPolicy() certIndex = 1 certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: explicitPolicy = 3 certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: policyMapping = 3 certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: inhibitAnyPolicy = 3 certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: policyTree = anyPolicy ROOT certpath: PolicyChecker.processPolicies() policiesCritical = false certpath: PolicyChecker.processPolicies() rejectPolicyQualifiers = true certpath: PolicyChecker.processPolicies() processing policy: 2.5.29.32.0 certpath: PolicyChecker.processParents(): matchAny = true certpath: PolicyChecker.processParents() found parent: anyPolicy ROOT certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: explicitPolicy = 2 certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: policyMapping = 2 certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: inhibitAnyPolicy = 2 certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: policyTree = anyPolicy ROOT anyPolicy CRIT: false EP: anyPolicy (1) certpath: PolicyChecker.checkPolicy() certificate policies verified certpath: -checker5 validation succeeded certpath: -Using checker6 ... [sun.security.provider.certpath.BasicChecker] certpath: ---checking validity:Fri Jul 01 00:00:00 CEST 2016... certpath: validity verified. certpath: ---checking subject/issuer name chaining... certpath: subject/issuer name chaining verified. certpath: ---checking signature... certpath: signature verified. certpath: BasicChecker.updateState issuer: CN=Actalis Authentication Root CA, O=Actalis S.p.A./03358520967, L=Milan, C=IT; subject: CN=Actalis Authentication CA G3, O=Actalis S.p.A./03358520967, L=Milano, ST=Milano, C=IT; serial#: 8366940759504193212 certpath: -checker6 validation succeeded certpath: -Using checker7 ... [sun.security.provider.certpath.RevocationChecker] certpath: RevocationChecker.check: checking cert SN: 741d584a 72fc06bc Subject: CN=Actalis Authentication CA G3, O=Actalis S.p.A./03358520967, L=Milano, ST=Milano, C=IT Issuer: CN=Actalis Authentication Root CA, O=Actalis S.p.A./03358520967, L=Milan, C=IT certpath: connecting to OCSP service at: http://portal.actalis.it/VA/AUTH-ROOT certpath: OCSP response status: SUCCESSFUL certpath: OCSP response type: basic certpath: Responder ID: byName: CN=Actalis Authentication Root CA - OCSP Responder, O=Actalis S.p.A./03358520967, C=IT certpath: OCSP response produced at: Mon Nov 19 10:39:25 CET 2018 certpath: OCSP number of SingleResponses: 1 certpath: thisUpdate: Fri Oct 19 14:29:36 CEST 2018 certpath: nextUpdate: Thu Jan 17 13:29:36 CET 2019 certpath: OCSP response cert #1: CN=Actalis Authentication Root CA - OCSP Responder, O=Actalis S.p.A./03358520967, C=IT certpath: Status of certificate (with serial number 8366940759504193212) is: GOOD certpath: AlgorithmChecker.contains: SHA256withRSA certpath: AnchorCertificate.contains: matched CN=Actalis Authentication Root CA, O=Actalis S.p.A./03358520967, L=Milan, C=IT certpath: trustedMatch = true certpath: Constraints.permits(): SHA256withRSA Variant: generic certpath: KeySizeConstraints.permits(): RSA certpath: Responder's certificate includes the extension id-pkix-ocsp-nocheck. certpath: OCSP response is signed by an Authorized Responder certpath: Constraints.permits(): SHA1withRSA Variant: generic certpath: jdkCAConstraints.permits(): SHA1 certpath: Verified signature of OCSP Response certpath: OCSP response validity interval is from Fri Oct 19 14:29:36 CEST 2018 until Thu Jan 17 13:29:36 CET 2019 certpath: Checking validity of OCSP response on: Mon Nov 19 10:39:25 CET 2018 certpath: -checker7 validation succeeded certpath: cert1 validation succeeded. certpath: Checking cert2 - Subject: CN=ssltest-r.actalis.it, O=Actalis S.p.A., L=Ponte San Pietro, ST=Bergamo, C=IT certpath: Set of critical extensions: {2.5.29.15, 2.5.29.19} certpath: -Using checker1 ... [sun.security.provider.certpath.UntrustedChecker] certpath: -checker1 validation succeeded certpath: -Using checker2 ... [sun.security.provider.certpath.AlgorithmChecker] certpath: Constraints.permits(): SHA256withRSA Variant: generic certpath: KeySizeConstraints.permits(): RSA certpath: -checker2 validation succeeded certpath: -Using checker3 ... [sun.security.provider.certpath.KeyChecker] certpath: -checker3 validation succeeded certpath: -Using checker4 ... [sun.security.provider.certpath.ConstraintsChecker] certpath: ---checking basic constraints... certpath: i = 2, maxPathLength = 1 certpath: after processing, maxPathLength = 1 certpath: basic constraints verified. certpath: ---checking name constraints... certpath: prevNC = null, newNC = null certpath: mergedNC = null certpath: name constraints verified. certpath: -checker4 validation succeeded certpath: -Using checker5 ... [sun.security.provider.certpath.PolicyChecker] certpath: PolicyChecker.checkPolicy() ---checking certificate policies... certpath: PolicyChecker.checkPolicy() certIndex = 2 certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: explicitPolicy = 2 certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: policyMapping = 2 certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: inhibitAnyPolicy = 2 certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: policyTree = anyPolicy ROOT anyPolicy CRIT: false EP: anyPolicy (1) certpath: PolicyChecker.processPolicies() policiesCritical = false certpath: PolicyChecker.processPolicies() rejectPolicyQualifiers = true certpath: PolicyChecker.processPolicies() processing policy: 1.3.159.1.20.1 certpath: PolicyChecker.processParents(): matchAny = false certpath: PolicyChecker.processParents(): matchAny = true certpath: PolicyChecker.processParents() found parent: anyPolicy CRIT: false EP: anyPolicy (1) certpath: PolicyChecker.processPolicies() processing policy: 2.23.140.1.2.2 certpath: PolicyChecker.processParents(): matchAny = false certpath: PolicyChecker.processParents(): matchAny = true certpath: PolicyChecker.processParents() found parent: anyPolicy CRIT: false EP: anyPolicy (1) certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: explicitPolicy = 2 certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: policyMapping = 2 certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: inhibitAnyPolicy = 2 certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: policyTree = anyPolicy ROOT anyPolicy CRIT: false EP: anyPolicy (1) 2.23.140.1.2.2 CRIT: false EP: 2.23.140.1.2.2 (2) 1.3.159.1.20.1 CRIT: false EP: 1.3.159.1.20.1 (2) certpath: PolicyChecker.checkPolicy() certificate policies verified certpath: -checker5 validation succeeded certpath: -Using checker6 ... [sun.security.provider.certpath.BasicChecker] certpath: ---checking validity:Fri Jul 01 00:00:00 CEST 2016... certpath: validity verified. certpath: ---checking subject/issuer name chaining... certpath: subject/issuer name chaining verified. certpath: ---checking signature... certpath: signature verified. certpath: BasicChecker.updateState issuer: CN=Actalis Authentication CA G3, O=Actalis S.p.A./03358520967, L=Milano, ST=Milano, C=IT; subject: CN=ssltest-r.actalis.it, O=Actalis S.p.A., L=Ponte San Pietro, ST=Bergamo, C=IT; serial#: 312400490844506479 certpath: -checker6 validation succeeded certpath: -Using checker7 ... [sun.security.provider.certpath.RevocationChecker] certpath: RevocationChecker.check: checking cert SN: 0455de97 5c71c96f Subject: CN=ssltest-r.actalis.it, O=Actalis S.p.A., L=Ponte San Pietro, ST=Bergamo, C=IT Issuer: CN=Actalis Authentication CA G3, O=Actalis S.p.A./03358520967, L=Milano, ST=Milano, C=IT certpath: connecting to OCSP service at: http://ocsp03.actalis.it/VA/AUTH-G3 certpath: OCSP response status: SUCCESSFUL certpath: OCSP response type: basic certpath: Responder ID: byName: CN=Actalis Authentication CA G3 - OCSP Responder, O=Actalis S.p.A./03358520967, L=Milano, ST=Milano, C=IT certpath: OCSP response produced at: Mon Nov 19 10:39:25 CET 2018 certpath: OCSP number of SingleResponses: 1 certpath: Revocation time: Fri Jan 29 10:06:42 CET 2016 certpath: Revocation reason: CESSATION_OF_OPERATION certpath: thisUpdate: Mon Nov 19 06:46:50 CET 2018 certpath: nextUpdate: Tue Nov 20 06:46:50 CET 2018 certpath: OCSP response cert #1: CN=Actalis Authentication CA G3 - OCSP Responder, O=Actalis S.p.A./03358520967, L=Milano, ST=Milano, C=IT certpath: Status of certificate (with serial number 312400490844506479) is: REVOKED certpath: AlgorithmChecker.contains: SHA256withRSA certpath: AnchorCertificate.contains: matched CN=Actalis Authentication Root CA, O=Actalis S.p.A./03358520967, L=Milan, C=IT certpath: trustedMatch = true certpath: Constraints.permits(): SHA256withRSA Variant: generic certpath: KeySizeConstraints.permits(): RSA certpath: Responder's certificate includes the extension id-pkix-ocsp-nocheck. certpath: OCSP response is signed by an Authorized Responder certpath: Constraints.permits(): SHA1withRSA Variant: generic certpath: jdkCAConstraints.permits(): SHA1 certpath: Verified signature of OCSP Response certpath: OCSP response validity interval is from Mon Nov 19 06:46:50 CET 2018 until Tue Nov 20 06:46:50 CET 2018 certpath: Checking validity of OCSP response on: Mon Nov 19 10:39:25 CET 2018 certpath: X509CertSelector.match(SN: 1a5 Issuer: CN=GTE CyberTrust Global Root, OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US Subject: CN=GTE CyberTrust Global Root, OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US) certpath: X509CertSelector.match: subject DNs don't match certpath: X509CertSelector.match(SN: 9b7e0649a33e62b9d5ee90487129ef57 Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US) certpath: X509CertSelector.match: subject DNs don't match certpath: X509CertSelector.match(SN: b92f60cc889fa17a4609b85b706c8aaf Issuer: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 2 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US Subject: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 2 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US) certpath: X509CertSelector.match: subject DNs don't match certpath: X509CertSelector.match(SN: 67c8e1e8e3be1cbdfc913b8ea6238749 Issuer: CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte, L=Durbanville, ST=Western Cape, C=ZA Subject: CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte, L=Durbanville, ST=Western Cape, C=ZA) certpath: X509CertSelector.match: subject DNs don't match certpath: X509CertSelector.match(SN: 10020 Issuer: CN=Certum CA, O=Unizeto Sp. z o.o., C=PL Subject: CN=Certum CA, O=Unizeto Sp. z o.o., C=PL) certpath: X509CertSelector.match: subject DNs don't match certpath: X509CertSelector.match(SN: 36122296c5e338a520a1d25f4cd70954 Issuer: EMAILADDRESS=premium-ser...@thawte.com, CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA Subject: EMAILADDRESS=premium-ser...@thawte.com, CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA) certpath: X509CertSelector.match: subject DNs don't match STATUS:Passed. -------------------------------- certpath: PKIXCertPathValidator.engineValidate()... certpath: X509CertSelector.match(SN: 9b7e0649a33e62b9d5ee90487129ef57 Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US) certpath: X509CertSelector.match: subject DNs don't match certpath: X509CertSelector.match(SN: 1a5 Issuer: CN=GTE CyberTrust Global Root, OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US Subject: CN=GTE CyberTrust Global Root, OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US) certpath: X509CertSelector.match: subject DNs don't match certpath: X509CertSelector.match(SN: 10020 Issuer: CN=Certum CA, O=Unizeto Sp. z o.o., C=PL Subject: CN=Certum CA, O=Unizeto Sp. z o.o., C=PL) certpath: X509CertSelector.match: subject DNs don't match certpath: X509CertSelector.match(SN: 7dd9fe07cfa81eb7107967fba78934c6 Issuer: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 3 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US Subject: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 3 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US) certpath: X509CertSelector.match: subject DNs don't match certpath: X509CertSelector.match(SN: 36122296c5e338a520a1d25f4cd70954 Issuer: EMAILADDRESS=premium-ser...@thawte.com, CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA Subject: EMAILADDRESS=premium-ser...@thawte.com, CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA) certpath: X509CertSelector.match: subject DNs don't match certpath: X509CertSelector.match(SN: b92f60cc889fa17a4609b85b706c8aaf Issuer: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 2 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US Subject: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 2 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US) certpath: X509CertSelector.match: subject DNs don't match certpath: X509CertSelector.match(SN: 570a119742c4e3cc Issuer: CN=Actalis Authentication Root CA, O=Actalis S.p.A./03358520967, L=Milan, C=IT Subject: CN=Actalis Authentication Root CA, O=Actalis S.p.A./03358520967, L=Milan, C=IT) certpath: X509CertSelector.match returning: true certpath: YES - try this trustedCert certpath: anchor.getTrustedCert().getSubjectX500Principal() = CN=Actalis Authentication Root CA, O=Actalis S.p.A./03358520967, L=Milan, C=IT certpath: Constraints: MD2 certpath: Constraints: MD5 certpath: Constraints: SHA1 jdkCA & usage TLSServer certpath: Constraints set to jdkCA. certpath: Constraints usage length is 1 certpath: Constraints: RSA keySize < 1024 certpath: Constraints set to keySize: keySize < 1024 certpath: Constraints: DSA keySize < 1024 certpath: Constraints set to keySize: keySize < 1024 certpath: Constraints: EC keySize < 224 certpath: Constraints set to keySize: keySize < 224 certpath: AlgorithmChecker.contains: SHA256withRSA certpath: AnchorCertificate.contains: matched CN=Actalis Authentication Root CA, O=Actalis S.p.A./03358520967, L=Milan, C=IT certpath: trustedMatch = true certpath: -------------------------------------------------------------- certpath: Executing PKIX certification path validation algorithm. certpath: Checking cert1 - Subject: CN=Actalis Extended Validation Server CA G1, O=Actalis S.p.A./03358520967, L=Milano, ST=Milano, C=IT certpath: Set of critical extensions: {2.5.29.15, 2.5.29.19} certpath: -Using checker1 ... [sun.security.provider.certpath.UntrustedChecker] certpath: -checker1 validation succeeded certpath: -Using checker2 ... [sun.security.provider.certpath.AlgorithmChecker] certpath: Constraints.permits(): SHA256withRSA Variant: generic certpath: KeySizeConstraints.permits(): RSA certpath: -checker2 validation succeeded certpath: -Using checker3 ... [sun.security.provider.certpath.KeyChecker] certpath: KeyChecker.verifyCAKeyUsage() ---checking CA key usage... certpath: KeyChecker.verifyCAKeyUsage() CA key usage verified. certpath: -checker3 validation succeeded certpath: -Using checker4 ... [sun.security.provider.certpath.ConstraintsChecker] certpath: ---checking basic constraints... certpath: i = 1, maxPathLength = 2 certpath: after processing, maxPathLength = 1 certpath: basic constraints verified. certpath: ---checking name constraints... certpath: prevNC = null, newNC = null certpath: mergedNC = null certpath: name constraints verified. certpath: -checker4 validation succeeded certpath: -Using checker5 ... [sun.security.provider.certpath.PolicyChecker] certpath: PolicyChecker.checkPolicy() ---checking certificate policies... certpath: PolicyChecker.checkPolicy() certIndex = 1 certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: explicitPolicy = 3 certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: policyMapping = 3 certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: inhibitAnyPolicy = 3 certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: policyTree = anyPolicy ROOT certpath: PolicyChecker.processPolicies() policiesCritical = false certpath: PolicyChecker.processPolicies() rejectPolicyQualifiers = true certpath: PolicyChecker.processPolicies() processing policy: 2.5.29.32.0 certpath: PolicyChecker.processParents(): matchAny = true certpath: PolicyChecker.processParents() found parent: anyPolicy ROOT certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: explicitPolicy = 2 certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: policyMapping = 2 certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: inhibitAnyPolicy = 2 certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: policyTree = anyPolicy ROOT anyPolicy CRIT: false EP: anyPolicy (1) certpath: PolicyChecker.checkPolicy() certificate policies verified certpath: -checker5 validation succeeded certpath: -Using checker6 ... [sun.security.provider.certpath.BasicChecker] certpath: ---checking validity:Mon Nov 19 10:39:25 CET 2018... certpath: validity verified. certpath: ---checking subject/issuer name chaining... certpath: subject/issuer name chaining verified. certpath: ---checking signature... certpath: signature verified. certpath: BasicChecker.updateState issuer: CN=Actalis Authentication Root CA, O=Actalis S.p.A./03358520967, L=Milan, C=IT; subject: CN=Actalis Extended Validation Server CA G1, O=Actalis S.p.A./03358520967, L=Milano, ST=Milano, C=IT; serial#: 3663163709977533131 certpath: -checker6 validation succeeded certpath: -Using checker7 ... [sun.security.provider.certpath.RevocationChecker] certpath: RevocationChecker.check: checking cert SN: 32d62bfc 67501acb Subject: CN=Actalis Extended Validation Server CA G1, O=Actalis S.p.A./03358520967, L=Milano, ST=Milano, C=IT Issuer: CN=Actalis Authentication Root CA, O=Actalis S.p.A./03358520967, L=Milan, C=IT certpath: RevocationChecker.checkCRLs() ---checking revocation status ... certpath: RevocationChecker.checkCRLs() possible crls.size() = 0 certpath: RevocationChecker.checkCRLs() approved crls.size() = 0 certpath: DistributionPointFetcher.getCRLs: Checking CRLDPs for CN=Actalis Extended Validation Server CA G1, O=Actalis S.p.A./03358520967, L=Milano, ST=Milano, C=IT certpath: Trying to fetch CRL from DP ldap://ldap05.actalis.it/cn%3dActalis%20Authentication%20Root%20CA,o%3dActalis%20S.p.A.%2f03358520967,c%3dIT?certificateRevocationList;binary certpath: CertStore URI:ldap://ldap05.actalis.it/cn%3dActalis%20Authentication%20Root%20CA,o%3dActalis%20S.p.A.%2f03358520967,c%3dIT?certificateRevocationList;binary certpath: LDAPCertStore.engineGetCRLs() selector: null certpath: X509CertSelector.match(SN: 3c9131cb1ff6d01b0e9ab8d044bf12be Issuer: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US Subject: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US) certpath: X509CertSelector.match: subject DNs don't match certpath: X509CertSelector.match(SN: 67c8e1e8e3be1cbdfc913b8ea6238749 Issuer: CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte, L=Durbanville, ST=Western Cape, C=ZA Subject: CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte, L=Durbanville, ST=Western Cape, C=ZA) certpath: X509CertSelector.match: subject DNs don't match java.lang.RuntimeException: TEST FAILED: couldn't determine EE certificate status at ValidatePathWithParams.validate(ValidatePathWithParams.java:177) at ActalisCA.main(ActalisCA.java:235) at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.base/java.lang.reflect.Method.invoke(Method.java:566) at com.sun.javatest.regtest.agent.MainWrapper$MainThread.run(MainWrapper.java:115) at java.base/java.lang.Thread.run(Thread.java:834) JavaTest Message: Test threw exception: java.lang.RuntimeException: TEST FAILED: couldn't determine EE certificate status JavaTest Message: shutting down test STATUS:Failed.`main' threw exception: java.lang.RuntimeException: TEST FAILED: couldn't determine EE certificate status