Hello, since 18th / 19th November we notice an error in the jtreg test
security/infra/java/security/cert/CertPathValidator/certification/ActalisCA.java
(on all platforms, for example linux x86_64 ).
Has anyone else seen the issue, or is it just us ?
Thanks, Matthias
Error (stderr) output is :
:stdErr:
Mon Nov 19 10:39:26 CET 2018
certpath: PKIXCertPathValidator.engineValidate()...
certpath: X509CertSelector.match(SN: 36122296c5e338a520a1d25f4cd70954
Issuer: EMAILADDRESS=premium-ser...@thawte.com, CN=Thawte Premium Server CA,
OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town,
ST=Western Cape, C=ZA
Subject: EMAILADDRESS=premium-ser...@thawte.com, CN=Thawte Premium Server CA,
OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town,
ST=Western Cape, C=ZA)
certpath: X509CertSelector.match: subject DNs don't match
certpath: X509CertSelector.match(SN: 3c9131cb1ff6d01b0e9ab8d044bf12be
Issuer: OU=Class 3 Public Primary Certification Authority, O="VeriSign,
Inc.", C=US
Subject: OU=Class 3 Public Primary Certification Authority, O="VeriSign,
Inc.", C=US)
certpath: X509CertSelector.match: subject DNs don't match
certpath: X509CertSelector.match(SN: 570a119742c4e3cc
Issuer: CN=Actalis Authentication Root CA, O=Actalis S.p.A./03358520967,
L=Milan, C=IT
Subject: CN=Actalis Authentication Root CA, O=Actalis S.p.A./03358520967,
L=Milan, C=IT)
certpath: X509CertSelector.match returning: true
certpath: YES - try this trustedCert
certpath: anchor.getTrustedCert().getSubjectX500Principal() = CN=Actalis
Authentication Root CA, O=Actalis S.p.A./03358520967, L=Milan, C=IT
certpath: Constraints: MD2
certpath: Constraints: MD5
certpath: Constraints: SHA1 jdkCA & usage TLSServer
certpath: Constraints set to jdkCA.
certpath: Constraints usage length is 1
certpath: Constraints: RSA keySize < 1024
certpath: Constraints set to keySize: keySize < 1024
certpath: Constraints: DSA keySize < 1024
certpath: Constraints set to keySize: keySize < 1024
certpath: Constraints: EC keySize < 224
certpath: Constraints set to keySize: keySize < 224
certpath: AlgorithmChecker.contains: SHA256withRSA
certpath: AnchorCertificate.contains: matched CN=Actalis Authentication Root
CA, O=Actalis S.p.A./03358520967, L=Milan, C=IT
certpath: trustedMatch = true
certpath: --------------------------------------------------------------
certpath: Executing PKIX certification path validation algorithm.
certpath: Checking cert1 - Subject: CN=Actalis Extended Validation Server CA
G1, O=Actalis S.p.A./03358520967, L=Milano, ST=Milano, C=IT
certpath: Set of critical extensions: {2.5.29.15, 2.5.29.19}
certpath: -Using checker1 ... [sun.security.provider.certpath.UntrustedChecker]
certpath: -checker1 validation succeeded
certpath: -Using checker2 ... [sun.security.provider.certpath.AlgorithmChecker]
certpath: Constraints.permits(): SHA256withRSA Variant: generic
certpath: KeySizeConstraints.permits(): RSA
certpath: -checker2 validation succeeded
certpath: -Using checker3 ... [sun.security.provider.certpath.KeyChecker]
certpath: KeyChecker.verifyCAKeyUsage() ---checking CA key usage...
certpath: KeyChecker.verifyCAKeyUsage() CA key usage verified.
certpath: -checker3 validation succeeded
certpath: -Using checker4 ...
[sun.security.provider.certpath.ConstraintsChecker]
certpath: ---checking basic constraints...
certpath: i = 1, maxPathLength = 2
certpath: after processing, maxPathLength = 1
certpath: basic constraints verified.
certpath: ---checking name constraints...
certpath: prevNC = null, newNC = null
certpath: mergedNC = null
certpath: name constraints verified.
certpath: -checker4 validation succeeded
certpath: -Using checker5 ... [sun.security.provider.certpath.PolicyChecker]
certpath: PolicyChecker.checkPolicy() ---checking certificate policies...
certpath: PolicyChecker.checkPolicy() certIndex = 1
certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: explicitPolicy = 3
certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: policyMapping = 3
certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: inhibitAnyPolicy = 3
certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: policyTree = anyPolicy
ROOT
certpath: PolicyChecker.processPolicies() policiesCritical = false
certpath: PolicyChecker.processPolicies() rejectPolicyQualifiers = true
certpath: PolicyChecker.processPolicies() processing policy: 2.5.29.32.0
certpath: PolicyChecker.processParents(): matchAny = true
certpath: PolicyChecker.processParents() found parent:
anyPolicy ROOT
certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: explicitPolicy = 2
certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: policyMapping = 2
certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: inhibitAnyPolicy = 2
certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: policyTree = anyPolicy
ROOT
anyPolicy CRIT: false EP: anyPolicy (1)
certpath: PolicyChecker.checkPolicy() certificate policies verified
certpath: -checker5 validation succeeded
certpath: -Using checker6 ... [sun.security.provider.certpath.BasicChecker]
certpath: ---checking validity:Mon Nov 19 10:39:24 CET 2018...
certpath: validity verified.
certpath: ---checking subject/issuer name chaining...
certpath: subject/issuer name chaining verified.
certpath: ---checking signature...
certpath: signature verified.
certpath: BasicChecker.updateState issuer: CN=Actalis Authentication Root CA,
O=Actalis S.p.A./03358520967, L=Milan, C=IT; subject: CN=Actalis Extended
Validation Server CA G1, O=Actalis S.p.A./03358520967, L=Milano, ST=Milano,
C=IT; serial#: 3663163709977533131
certpath: -checker6 validation succeeded
certpath: -Using checker7 ... [sun.security.provider.certpath.RevocationChecker]
certpath: RevocationChecker.check: checking cert
SN: 32d62bfc 67501acb
Subject: CN=Actalis Extended Validation Server CA G1, O=Actalis
S.p.A./03358520967, L=Milano, ST=Milano, C=IT
Issuer: CN=Actalis Authentication Root CA, O=Actalis S.p.A./03358520967,
L=Milan, C=IT
certpath: connecting to OCSP service at: http://ocsp05.actalis.it/VA/AUTH-ROOT
certpath: OCSP response status: SUCCESSFUL
certpath: OCSP response type: basic
certpath: Responder ID: byName: CN=Actalis Authentication Root CA - OCSP
Responder, O=Actalis S.p.A./03358520967, C=IT
certpath: OCSP response produced at: Mon Nov 19 10:39:24 CET 2018
certpath: OCSP number of SingleResponses: 1
certpath: thisUpdate: Fri Oct 19 14:29:36 CEST 2018
certpath: nextUpdate: Thu Jan 17 13:29:36 CET 2019
certpath: OCSP response cert #1: CN=Actalis Authentication Root CA - OCSP
Responder, O=Actalis S.p.A./03358520967, C=IT
certpath: Status of certificate (with serial number 3663163709977533131) is:
GOOD
certpath: AlgorithmChecker.contains: SHA256withRSA
certpath: AnchorCertificate.contains: matched CN=Actalis Authentication Root
CA, O=Actalis S.p.A./03358520967, L=Milan, C=IT
certpath: trustedMatch = true
certpath: Constraints.permits(): SHA256withRSA Variant: generic
certpath: KeySizeConstraints.permits(): RSA
certpath: Responder's certificate includes the extension id-pkix-ocsp-nocheck.
certpath: OCSP response is signed by an Authorized Responder
certpath: Constraints.permits(): SHA1withRSA Variant: generic
certpath: jdkCAConstraints.permits(): SHA1
certpath: Verified signature of OCSP Response
certpath: OCSP response validity interval is from Fri Oct 19 14:29:36 CEST 2018
until Thu Jan 17 13:29:36 CET 2019
certpath: Checking validity of OCSP response on: Mon Nov 19 10:39:24 CET 2018
certpath: -checker7 validation succeeded
certpath:
cert1 validation succeeded.
certpath: Checking cert2 - Subject: OID.1.3.6.1.4.1.311.60.2.1.3=IT, STREET=Via
S. Clemente 53, OID.2.5.4.15=Private Organization, CN=www.actalis.it,
SERIALNUMBER=03358520967, O=Actalis S.p.A., L=Ponte San Pietro, ST=Bergamo, C=IT
certpath: Set of critical extensions: {2.5.29.15, 2.5.29.19}
certpath: -Using checker1 ... [sun.security.provider.certpath.UntrustedChecker]
certpath: -checker1 validation succeeded
certpath: -Using checker2 ... [sun.security.provider.certpath.AlgorithmChecker]
certpath: Constraints.permits(): SHA256withRSA Variant: generic
certpath: KeySizeConstraints.permits(): RSA
certpath: -checker2 validation succeeded
certpath: -Using checker3 ... [sun.security.provider.certpath.KeyChecker]
certpath: -checker3 validation succeeded
certpath: -Using checker4 ...
[sun.security.provider.certpath.ConstraintsChecker]
certpath: ---checking basic constraints...
certpath: i = 2, maxPathLength = 1
certpath: after processing, maxPathLength = 1
certpath: basic constraints verified.
certpath: ---checking name constraints...
certpath: prevNC = null, newNC = null
certpath: mergedNC = null
certpath: name constraints verified.
certpath: -checker4 validation succeeded
certpath: -Using checker5 ... [sun.security.provider.certpath.PolicyChecker]
certpath: PolicyChecker.checkPolicy() ---checking certificate policies...
certpath: PolicyChecker.checkPolicy() certIndex = 2
certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: explicitPolicy = 2
certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: policyMapping = 2
certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: inhibitAnyPolicy = 2
certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: policyTree = anyPolicy
ROOT
anyPolicy CRIT: false EP: anyPolicy (1)
certpath: PolicyChecker.processPolicies() policiesCritical = false
certpath: PolicyChecker.processPolicies() rejectPolicyQualifiers = true
certpath: PolicyChecker.processPolicies() processing policy: 1.3.159.1.17.1
certpath: PolicyChecker.processParents(): matchAny = false
certpath: PolicyChecker.processParents(): matchAny = true
certpath: PolicyChecker.processParents() found parent:
anyPolicy CRIT: false EP: anyPolicy (1)
certpath: PolicyChecker.processPolicies() processing policy: 2.23.140.1.1
certpath: PolicyChecker.processParents(): matchAny = false
certpath: PolicyChecker.processParents(): matchAny = true
certpath: PolicyChecker.processParents() found parent:
anyPolicy CRIT: false EP: anyPolicy (1)
certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: explicitPolicy = 2
certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: policyMapping = 2
certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: inhibitAnyPolicy = 2
certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: policyTree = anyPolicy
ROOT
anyPolicy CRIT: false EP: anyPolicy (1)
1.3.159.1.17.1 CRIT: false EP: 1.3.159.1.17.1 (2)
2.23.140.1.1 CRIT: false EP: 2.23.140.1.1 (2)
certpath: PolicyChecker.checkPolicy() certificate policies verified
certpath: -checker5 validation succeeded
certpath: -Using checker6 ... [sun.security.provider.certpath.BasicChecker]
certpath: ---checking validity:Mon Nov 19 10:39:24 CET 2018...
certpath: validity verified.
certpath: ---checking subject/issuer name chaining...
certpath: subject/issuer name chaining verified.
certpath: ---checking signature...
certpath: signature verified.
certpath: BasicChecker.updateState issuer: CN=Actalis Extended Validation
Server CA G1, O=Actalis S.p.A./03358520967, L=Milano, ST=Milano, C=IT; subject:
OID.1.3.6.1.4.1.311.60.2.1.3=IT, STREET=Via S. Clemente 53,
OID.2.5.4.15=Private Organization, CN=www.actalis.it, SERIALNUMBER=03358520967,
O=Actalis S.p.A., L=Ponte San Pietro, ST=Bergamo, C=IT; serial#:
1076059514591231458
certpath: -checker6 validation succeeded
certpath: -Using checker7 ... [sun.security.provider.certpath.RevocationChecker]
certpath: RevocationChecker.check: checking cert
SN: 0eeeee6d 6463bde2
Subject: OID.1.3.6.1.4.1.311.60.2.1.3=IT, STREET=Via S. Clemente 53,
OID.2.5.4.15=Private Organization, CN=www.actalis.it, SERIALNUMBER=03358520967,
O=Actalis S.p.A., L=Ponte San Pietro, ST=Bergamo, C=IT
Issuer: CN=Actalis Extended Validation Server CA G1, O=Actalis
S.p.A./03358520967, L=Milano, ST=Milano, C=IT
certpath: connecting to OCSP service at: http://ocsp05.actalis.it/VA/AUTHEV-G1
certpath: OCSP response status: SUCCESSFUL
certpath: OCSP response type: basic
certpath: Responder ID: byName: CN=Actalis Extended Validation Server CA G1 -
OCSP Responder, O=Actalis S.p.A./03358520967, L=Milano, ST=Milano, C=IT
certpath: OCSP response produced at: Mon Nov 19 10:39:24 CET 2018
certpath: OCSP number of SingleResponses: 1
certpath: thisUpdate: Mon Nov 19 07:19:26 CET 2018
certpath: nextUpdate: Tue Nov 20 07:19:26 CET 2018
certpath: OCSP response cert #1: CN=Actalis Extended Validation Server CA G1 -
OCSP Responder, O=Actalis S.p.A./03358520967, L=Milano, ST=Milano, C=IT
certpath: Status of certificate (with serial number 1076059514591231458) is:
GOOD
certpath: AlgorithmChecker.contains: SHA256withRSA
certpath: AnchorCertificate.contains: matched CN=Actalis Authentication Root
CA, O=Actalis S.p.A./03358520967, L=Milan, C=IT
certpath: trustedMatch = true
certpath: Constraints.permits(): SHA256withRSA Variant: generic
certpath: KeySizeConstraints.permits(): RSA
certpath: Responder's certificate includes the extension id-pkix-ocsp-nocheck.
certpath: OCSP response is signed by an Authorized Responder
certpath: Constraints.permits(): SHA1withRSA Variant: generic
certpath: jdkCAConstraints.permits(): SHA1
certpath: Verified signature of OCSP Response
certpath: OCSP response validity interval is from Mon Nov 19 07:19:26 CET 2018
until Tue Nov 20 07:19:26 CET 2018
certpath: Checking validity of OCSP response on: Mon Nov 19 10:39:25 CET 2018
certpath: -checker7 validation succeeded
certpath:
cert2 validation succeeded.
certpath: Cert path validation succeeded. (PKIX validation algorithm)
certpath: --------------------------------------------------------------
certpath: PKIXCertPathValidator.engineValidate()...
certpath: X509CertSelector.match(SN: 3c9131cb1ff6d01b0e9ab8d044bf12be
Issuer: OU=Class 3 Public Primary Certification Authority, O="VeriSign,
Inc.", C=US
Subject: OU=Class 3 Public Primary Certification Authority, O="VeriSign,
Inc.", C=US)
certpath: X509CertSelector.match: subject DNs don't match
certpath: X509CertSelector.match(SN: 7dd9fe07cfa81eb7107967fba78934c6
Issuer: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For
authorized use only", OU=Class 3 Public Primary Certification Authority - G2,
O="VeriSign, Inc.", C=US
Subject: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For
authorized use only", OU=Class 3 Public Primary Certification Authority - G2,
O="VeriSign, Inc.", C=US)
certpath: X509CertSelector.match: subject DNs don't match
certpath: X509CertSelector.match(SN: 570a119742c4e3cc
Issuer: CN=Actalis Authentication Root CA, O=Actalis S.p.A./03358520967,
L=Milan, C=IT
Subject: CN=Actalis Authentication Root CA, O=Actalis S.p.A./03358520967,
L=Milan, C=IT)
certpath: X509CertSelector.match returning: true
certpath: YES - try this trustedCert
certpath: anchor.getTrustedCert().getSubjectX500Principal() = CN=Actalis
Authentication Root CA, O=Actalis S.p.A./03358520967, L=Milan, C=IT
certpath: AlgorithmChecker.contains: SHA256withRSA
certpath: AnchorCertificate.contains: matched CN=Actalis Authentication Root
CA, O=Actalis S.p.A./03358520967, L=Milan, C=IT
certpath: trustedMatch = true
certpath: --------------------------------------------------------------
certpath: Executing PKIX certification path validation algorithm.
certpath: Checking cert1 - Subject: CN=Actalis Authentication CA G3, O=Actalis
S.p.A./03358520967, L=Milano, ST=Milano, C=IT
certpath: Set of critical extensions: {2.5.29.15, 2.5.29.19}
certpath: -Using checker1 ... [sun.security.provider.certpath.UntrustedChecker]
certpath: -checker1 validation succeeded
certpath: -Using checker2 ... [sun.security.provider.certpath.AlgorithmChecker]
certpath: Constraints.permits(): SHA256withRSA Variant: generic
certpath: KeySizeConstraints.permits(): RSA
certpath: -checker2 validation succeeded
certpath: -Using checker3 ... [sun.security.provider.certpath.KeyChecker]
certpath: KeyChecker.verifyCAKeyUsage() ---checking CA key usage...
certpath: KeyChecker.verifyCAKeyUsage() CA key usage verified.
certpath: -checker3 validation succeeded
certpath: -Using checker4 ...
[sun.security.provider.certpath.ConstraintsChecker]
certpath: ---checking basic constraints...
certpath: i = 1, maxPathLength = 2
certpath: after processing, maxPathLength = 1
certpath: basic constraints verified.
certpath: ---checking name constraints...
certpath: prevNC = null, newNC = null
certpath: mergedNC = null
certpath: name constraints verified.
certpath: -checker4 validation succeeded
certpath: -Using checker5 ... [sun.security.provider.certpath.PolicyChecker]
certpath: PolicyChecker.checkPolicy() ---checking certificate policies...
certpath: PolicyChecker.checkPolicy() certIndex = 1
certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: explicitPolicy = 3
certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: policyMapping = 3
certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: inhibitAnyPolicy = 3
certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: policyTree = anyPolicy
ROOT
certpath: PolicyChecker.processPolicies() policiesCritical = false
certpath: PolicyChecker.processPolicies() rejectPolicyQualifiers = true
certpath: PolicyChecker.processPolicies() processing policy: 2.5.29.32.0
certpath: PolicyChecker.processParents(): matchAny = true
certpath: PolicyChecker.processParents() found parent:
anyPolicy ROOT
certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: explicitPolicy = 2
certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: policyMapping = 2
certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: inhibitAnyPolicy = 2
certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: policyTree = anyPolicy
ROOT
anyPolicy CRIT: false EP: anyPolicy (1)
certpath: PolicyChecker.checkPolicy() certificate policies verified
certpath: -checker5 validation succeeded
certpath: -Using checker6 ... [sun.security.provider.certpath.BasicChecker]
certpath: ---checking validity:Fri Jul 01 00:00:00 CEST 2016...
certpath: validity verified.
certpath: ---checking subject/issuer name chaining...
certpath: subject/issuer name chaining verified.
certpath: ---checking signature...
certpath: signature verified.
certpath: BasicChecker.updateState issuer: CN=Actalis Authentication Root CA,
O=Actalis S.p.A./03358520967, L=Milan, C=IT; subject: CN=Actalis Authentication
CA G3, O=Actalis S.p.A./03358520967, L=Milano, ST=Milano, C=IT; serial#:
8366940759504193212
certpath: -checker6 validation succeeded
certpath: -Using checker7 ... [sun.security.provider.certpath.RevocationChecker]
certpath: RevocationChecker.check: checking cert
SN: 741d584a 72fc06bc
Subject: CN=Actalis Authentication CA G3, O=Actalis S.p.A./03358520967,
L=Milano, ST=Milano, C=IT
Issuer: CN=Actalis Authentication Root CA, O=Actalis S.p.A./03358520967,
L=Milan, C=IT
certpath: connecting to OCSP service at: http://portal.actalis.it/VA/AUTH-ROOT
certpath: OCSP response status: SUCCESSFUL
certpath: OCSP response type: basic
certpath: Responder ID: byName: CN=Actalis Authentication Root CA - OCSP
Responder, O=Actalis S.p.A./03358520967, C=IT
certpath: OCSP response produced at: Mon Nov 19 10:39:25 CET 2018
certpath: OCSP number of SingleResponses: 1
certpath: thisUpdate: Fri Oct 19 14:29:36 CEST 2018
certpath: nextUpdate: Thu Jan 17 13:29:36 CET 2019
certpath: OCSP response cert #1: CN=Actalis Authentication Root CA - OCSP
Responder, O=Actalis S.p.A./03358520967, C=IT
certpath: Status of certificate (with serial number 8366940759504193212) is:
GOOD
certpath: AlgorithmChecker.contains: SHA256withRSA
certpath: AnchorCertificate.contains: matched CN=Actalis Authentication Root
CA, O=Actalis S.p.A./03358520967, L=Milan, C=IT
certpath: trustedMatch = true
certpath: Constraints.permits(): SHA256withRSA Variant: generic
certpath: KeySizeConstraints.permits(): RSA
certpath: Responder's certificate includes the extension id-pkix-ocsp-nocheck.
certpath: OCSP response is signed by an Authorized Responder
certpath: Constraints.permits(): SHA1withRSA Variant: generic
certpath: jdkCAConstraints.permits(): SHA1
certpath: Verified signature of OCSP Response
certpath: OCSP response validity interval is from Fri Oct 19 14:29:36 CEST 2018
until Thu Jan 17 13:29:36 CET 2019
certpath: Checking validity of OCSP response on: Mon Nov 19 10:39:25 CET 2018
certpath: -checker7 validation succeeded
certpath:
cert1 validation succeeded.
certpath: Checking cert2 - Subject: CN=ssltest-r.actalis.it, O=Actalis S.p.A.,
L=Ponte San Pietro, ST=Bergamo, C=IT
certpath: Set of critical extensions: {2.5.29.15, 2.5.29.19}
certpath: -Using checker1 ... [sun.security.provider.certpath.UntrustedChecker]
certpath: -checker1 validation succeeded
certpath: -Using checker2 ... [sun.security.provider.certpath.AlgorithmChecker]
certpath: Constraints.permits(): SHA256withRSA Variant: generic
certpath: KeySizeConstraints.permits(): RSA
certpath: -checker2 validation succeeded
certpath: -Using checker3 ... [sun.security.provider.certpath.KeyChecker]
certpath: -checker3 validation succeeded
certpath: -Using checker4 ...
[sun.security.provider.certpath.ConstraintsChecker]
certpath: ---checking basic constraints...
certpath: i = 2, maxPathLength = 1
certpath: after processing, maxPathLength = 1
certpath: basic constraints verified.
certpath: ---checking name constraints...
certpath: prevNC = null, newNC = null
certpath: mergedNC = null
certpath: name constraints verified.
certpath: -checker4 validation succeeded
certpath: -Using checker5 ... [sun.security.provider.certpath.PolicyChecker]
certpath: PolicyChecker.checkPolicy() ---checking certificate policies...
certpath: PolicyChecker.checkPolicy() certIndex = 2
certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: explicitPolicy = 2
certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: policyMapping = 2
certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: inhibitAnyPolicy = 2
certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: policyTree = anyPolicy
ROOT
anyPolicy CRIT: false EP: anyPolicy (1)
certpath: PolicyChecker.processPolicies() policiesCritical = false
certpath: PolicyChecker.processPolicies() rejectPolicyQualifiers = true
certpath: PolicyChecker.processPolicies() processing policy: 1.3.159.1.20.1
certpath: PolicyChecker.processParents(): matchAny = false
certpath: PolicyChecker.processParents(): matchAny = true
certpath: PolicyChecker.processParents() found parent:
anyPolicy CRIT: false EP: anyPolicy (1)
certpath: PolicyChecker.processPolicies() processing policy: 2.23.140.1.2.2
certpath: PolicyChecker.processParents(): matchAny = false
certpath: PolicyChecker.processParents(): matchAny = true
certpath: PolicyChecker.processParents() found parent:
anyPolicy CRIT: false EP: anyPolicy (1)
certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: explicitPolicy = 2
certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: policyMapping = 2
certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: inhibitAnyPolicy = 2
certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: policyTree = anyPolicy
ROOT
anyPolicy CRIT: false EP: anyPolicy (1)
2.23.140.1.2.2 CRIT: false EP: 2.23.140.1.2.2 (2)
1.3.159.1.20.1 CRIT: false EP: 1.3.159.1.20.1 (2)
certpath: PolicyChecker.checkPolicy() certificate policies verified
certpath: -checker5 validation succeeded
certpath: -Using checker6 ... [sun.security.provider.certpath.BasicChecker]
certpath: ---checking validity:Fri Jul 01 00:00:00 CEST 2016...
certpath: validity verified.
certpath: ---checking subject/issuer name chaining...
certpath: subject/issuer name chaining verified.
certpath: ---checking signature...
certpath: signature verified.
certpath: BasicChecker.updateState issuer: CN=Actalis Authentication CA G3,
O=Actalis S.p.A./03358520967, L=Milano, ST=Milano, C=IT; subject:
CN=ssltest-r.actalis.it, O=Actalis S.p.A., L=Ponte San Pietro, ST=Bergamo,
C=IT; serial#: 312400490844506479
certpath: -checker6 validation succeeded
certpath: -Using checker7 ... [sun.security.provider.certpath.RevocationChecker]
certpath: RevocationChecker.check: checking cert
SN: 0455de97 5c71c96f
Subject: CN=ssltest-r.actalis.it, O=Actalis S.p.A., L=Ponte San Pietro,
ST=Bergamo, C=IT
Issuer: CN=Actalis Authentication CA G3, O=Actalis S.p.A./03358520967,
L=Milano, ST=Milano, C=IT
certpath: connecting to OCSP service at: http://ocsp03.actalis.it/VA/AUTH-G3
certpath: OCSP response status: SUCCESSFUL
certpath: OCSP response type: basic
certpath: Responder ID: byName: CN=Actalis Authentication CA G3 - OCSP
Responder, O=Actalis S.p.A./03358520967, L=Milano, ST=Milano, C=IT
certpath: OCSP response produced at: Mon Nov 19 10:39:25 CET 2018
certpath: OCSP number of SingleResponses: 1
certpath: Revocation time: Fri Jan 29 10:06:42 CET 2016
certpath: Revocation reason: CESSATION_OF_OPERATION
certpath: thisUpdate: Mon Nov 19 06:46:50 CET 2018
certpath: nextUpdate: Tue Nov 20 06:46:50 CET 2018
certpath: OCSP response cert #1: CN=Actalis Authentication CA G3 - OCSP
Responder, O=Actalis S.p.A./03358520967, L=Milano, ST=Milano, C=IT
certpath: Status of certificate (with serial number 312400490844506479) is:
REVOKED
certpath: AlgorithmChecker.contains: SHA256withRSA
certpath: AnchorCertificate.contains: matched CN=Actalis Authentication Root
CA, O=Actalis S.p.A./03358520967, L=Milan, C=IT
certpath: trustedMatch = true
certpath: Constraints.permits(): SHA256withRSA Variant: generic
certpath: KeySizeConstraints.permits(): RSA
certpath: Responder's certificate includes the extension id-pkix-ocsp-nocheck.
certpath: OCSP response is signed by an Authorized Responder
certpath: Constraints.permits(): SHA1withRSA Variant: generic
certpath: jdkCAConstraints.permits(): SHA1
certpath: Verified signature of OCSP Response
certpath: OCSP response validity interval is from Mon Nov 19 06:46:50 CET 2018
until Tue Nov 20 06:46:50 CET 2018
certpath: Checking validity of OCSP response on: Mon Nov 19 10:39:25 CET 2018
certpath: X509CertSelector.match(SN: 1a5
Issuer: CN=GTE CyberTrust Global Root, OU="GTE CyberTrust Solutions, Inc.",
O=GTE Corporation, C=US
Subject: CN=GTE CyberTrust Global Root, OU="GTE CyberTrust Solutions, Inc.",
O=GTE Corporation, C=US)
certpath: X509CertSelector.match: subject DNs don't match
certpath: X509CertSelector.match(SN: 9b7e0649a33e62b9d5ee90487129ef57
Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G3,
OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust
Network, O="VeriSign, Inc.", C=US
Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G3,
OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust
Network, O="VeriSign, Inc.", C=US)
certpath: X509CertSelector.match: subject DNs don't match
certpath: X509CertSelector.match(SN: b92f60cc889fa17a4609b85b706c8aaf
Issuer: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For
authorized use only", OU=Class 2 Public Primary Certification Authority - G2,
O="VeriSign, Inc.", C=US
Subject: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For
authorized use only", OU=Class 2 Public Primary Certification Authority - G2,
O="VeriSign, Inc.", C=US)
certpath: X509CertSelector.match: subject DNs don't match
certpath: X509CertSelector.match(SN: 67c8e1e8e3be1cbdfc913b8ea6238749
Issuer: CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte,
L=Durbanville, ST=Western Cape, C=ZA
Subject: CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte,
L=Durbanville, ST=Western Cape, C=ZA)
certpath: X509CertSelector.match: subject DNs don't match
certpath: X509CertSelector.match(SN: 10020
Issuer: CN=Certum CA, O=Unizeto Sp. z o.o., C=PL
Subject: CN=Certum CA, O=Unizeto Sp. z o.o., C=PL)
certpath: X509CertSelector.match: subject DNs don't match
certpath: X509CertSelector.match(SN: 36122296c5e338a520a1d25f4cd70954
Issuer: EMAILADDRESS=premium-ser...@thawte.com, CN=Thawte Premium Server CA,
OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town,
ST=Western Cape, C=ZA
Subject: EMAILADDRESS=premium-ser...@thawte.com, CN=Thawte Premium Server CA,
OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town,
ST=Western Cape, C=ZA)
certpath: X509CertSelector.match: subject DNs don't match
STATUS:Passed.
--------------------------------
certpath: PKIXCertPathValidator.engineValidate()...
certpath: X509CertSelector.match(SN: 9b7e0649a33e62b9d5ee90487129ef57
Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G3,
OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust
Network, O="VeriSign, Inc.", C=US
Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G3,
OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust
Network, O="VeriSign, Inc.", C=US)
certpath: X509CertSelector.match: subject DNs don't match
certpath: X509CertSelector.match(SN: 1a5
Issuer: CN=GTE CyberTrust Global Root, OU="GTE CyberTrust Solutions, Inc.",
O=GTE Corporation, C=US
Subject: CN=GTE CyberTrust Global Root, OU="GTE CyberTrust Solutions, Inc.",
O=GTE Corporation, C=US)
certpath: X509CertSelector.match: subject DNs don't match
certpath: X509CertSelector.match(SN: 10020
Issuer: CN=Certum CA, O=Unizeto Sp. z o.o., C=PL
Subject: CN=Certum CA, O=Unizeto Sp. z o.o., C=PL)
certpath: X509CertSelector.match: subject DNs don't match
certpath: X509CertSelector.match(SN: 7dd9fe07cfa81eb7107967fba78934c6
Issuer: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For
authorized use only", OU=Class 3 Public Primary Certification Authority - G2,
O="VeriSign, Inc.", C=US
Subject: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For
authorized use only", OU=Class 3 Public Primary Certification Authority - G2,
O="VeriSign, Inc.", C=US)
certpath: X509CertSelector.match: subject DNs don't match
certpath: X509CertSelector.match(SN: 36122296c5e338a520a1d25f4cd70954
Issuer: EMAILADDRESS=premium-ser...@thawte.com, CN=Thawte Premium Server CA,
OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town,
ST=Western Cape, C=ZA
Subject: EMAILADDRESS=premium-ser...@thawte.com, CN=Thawte Premium Server CA,
OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town,
ST=Western Cape, C=ZA)
certpath: X509CertSelector.match: subject DNs don't match
certpath: X509CertSelector.match(SN: b92f60cc889fa17a4609b85b706c8aaf
Issuer: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For
authorized use only", OU=Class 2 Public Primary Certification Authority - G2,
O="VeriSign, Inc.", C=US
Subject: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For
authorized use only", OU=Class 2 Public Primary Certification Authority - G2,
O="VeriSign, Inc.", C=US)
certpath: X509CertSelector.match: subject DNs don't match
certpath: X509CertSelector.match(SN: 570a119742c4e3cc
Issuer: CN=Actalis Authentication Root CA, O=Actalis S.p.A./03358520967,
L=Milan, C=IT
Subject: CN=Actalis Authentication Root CA, O=Actalis S.p.A./03358520967,
L=Milan, C=IT)
certpath: X509CertSelector.match returning: true
certpath: YES - try this trustedCert
certpath: anchor.getTrustedCert().getSubjectX500Principal() = CN=Actalis
Authentication Root CA, O=Actalis S.p.A./03358520967, L=Milan, C=IT
certpath: Constraints: MD2
certpath: Constraints: MD5
certpath: Constraints: SHA1 jdkCA & usage TLSServer
certpath: Constraints set to jdkCA.
certpath: Constraints usage length is 1
certpath: Constraints: RSA keySize < 1024
certpath: Constraints set to keySize: keySize < 1024
certpath: Constraints: DSA keySize < 1024
certpath: Constraints set to keySize: keySize < 1024
certpath: Constraints: EC keySize < 224
certpath: Constraints set to keySize: keySize < 224
certpath: AlgorithmChecker.contains: SHA256withRSA
certpath: AnchorCertificate.contains: matched CN=Actalis Authentication Root
CA, O=Actalis S.p.A./03358520967, L=Milan, C=IT
certpath: trustedMatch = true
certpath: --------------------------------------------------------------
certpath: Executing PKIX certification path validation algorithm.
certpath: Checking cert1 - Subject: CN=Actalis Extended Validation Server CA
G1, O=Actalis S.p.A./03358520967, L=Milano, ST=Milano, C=IT
certpath: Set of critical extensions: {2.5.29.15, 2.5.29.19}
certpath: -Using checker1 ... [sun.security.provider.certpath.UntrustedChecker]
certpath: -checker1 validation succeeded
certpath: -Using checker2 ... [sun.security.provider.certpath.AlgorithmChecker]
certpath: Constraints.permits(): SHA256withRSA Variant: generic
certpath: KeySizeConstraints.permits(): RSA
certpath: -checker2 validation succeeded
certpath: -Using checker3 ... [sun.security.provider.certpath.KeyChecker]
certpath: KeyChecker.verifyCAKeyUsage() ---checking CA key usage...
certpath: KeyChecker.verifyCAKeyUsage() CA key usage verified.
certpath: -checker3 validation succeeded
certpath: -Using checker4 ...
[sun.security.provider.certpath.ConstraintsChecker]
certpath: ---checking basic constraints...
certpath: i = 1, maxPathLength = 2
certpath: after processing, maxPathLength = 1
certpath: basic constraints verified.
certpath: ---checking name constraints...
certpath: prevNC = null, newNC = null
certpath: mergedNC = null
certpath: name constraints verified.
certpath: -checker4 validation succeeded
certpath: -Using checker5 ... [sun.security.provider.certpath.PolicyChecker]
certpath: PolicyChecker.checkPolicy() ---checking certificate policies...
certpath: PolicyChecker.checkPolicy() certIndex = 1
certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: explicitPolicy = 3
certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: policyMapping = 3
certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: inhibitAnyPolicy = 3
certpath: PolicyChecker.checkPolicy() BEFORE PROCESSING: policyTree = anyPolicy
ROOT
certpath: PolicyChecker.processPolicies() policiesCritical = false
certpath: PolicyChecker.processPolicies() rejectPolicyQualifiers = true
certpath: PolicyChecker.processPolicies() processing policy: 2.5.29.32.0
certpath: PolicyChecker.processParents(): matchAny = true
certpath: PolicyChecker.processParents() found parent:
anyPolicy ROOT
certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: explicitPolicy = 2
certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: policyMapping = 2
certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: inhibitAnyPolicy = 2
certpath: PolicyChecker.checkPolicy() AFTER PROCESSING: policyTree = anyPolicy
ROOT
anyPolicy CRIT: false EP: anyPolicy (1)
certpath: PolicyChecker.checkPolicy() certificate policies verified
certpath: -checker5 validation succeeded
certpath: -Using checker6 ... [sun.security.provider.certpath.BasicChecker]
certpath: ---checking validity:Mon Nov 19 10:39:25 CET 2018...
certpath: validity verified.
certpath: ---checking subject/issuer name chaining...
certpath: subject/issuer name chaining verified.
certpath: ---checking signature...
certpath: signature verified.
certpath: BasicChecker.updateState issuer: CN=Actalis Authentication Root CA,
O=Actalis S.p.A./03358520967, L=Milan, C=IT; subject: CN=Actalis Extended
Validation Server CA G1, O=Actalis S.p.A./03358520967, L=Milano, ST=Milano,
C=IT; serial#: 3663163709977533131
certpath: -checker6 validation succeeded
certpath: -Using checker7 ... [sun.security.provider.certpath.RevocationChecker]
certpath: RevocationChecker.check: checking cert
SN: 32d62bfc 67501acb
Subject: CN=Actalis Extended Validation Server CA G1, O=Actalis
S.p.A./03358520967, L=Milano, ST=Milano, C=IT
Issuer: CN=Actalis Authentication Root CA, O=Actalis S.p.A./03358520967,
L=Milan, C=IT
certpath: RevocationChecker.checkCRLs() ---checking revocation status ...
certpath: RevocationChecker.checkCRLs() possible crls.size() = 0
certpath: RevocationChecker.checkCRLs() approved crls.size() = 0
certpath: DistributionPointFetcher.getCRLs: Checking CRLDPs for CN=Actalis
Extended Validation Server CA G1, O=Actalis S.p.A./03358520967, L=Milano,
ST=Milano, C=IT
certpath: Trying to fetch CRL from DP
ldap://ldap05.actalis.it/cn%3dActalis%20Authentication%20Root%20CA,o%3dActalis%20S.p.A.%2f03358520967,c%3dIT?certificateRevocationList;binary
certpath: CertStore
URI:ldap://ldap05.actalis.it/cn%3dActalis%20Authentication%20Root%20CA,o%3dActalis%20S.p.A.%2f03358520967,c%3dIT?certificateRevocationList;binary
certpath: LDAPCertStore.engineGetCRLs() selector: null
certpath: X509CertSelector.match(SN: 3c9131cb1ff6d01b0e9ab8d044bf12be
Issuer: OU=Class 3 Public Primary Certification Authority, O="VeriSign,
Inc.", C=US
Subject: OU=Class 3 Public Primary Certification Authority, O="VeriSign,
Inc.", C=US)
certpath: X509CertSelector.match: subject DNs don't match
certpath: X509CertSelector.match(SN: 67c8e1e8e3be1cbdfc913b8ea6238749
Issuer: CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte,
L=Durbanville, ST=Western Cape, C=ZA
Subject: CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte,
L=Durbanville, ST=Western Cape, C=ZA)
certpath: X509CertSelector.match: subject DNs don't match
java.lang.RuntimeException: TEST FAILED: couldn't determine EE certificate
status
at
ValidatePathWithParams.validate(ValidatePathWithParams.java:177)
at ActalisCA.main(ActalisCA.java:235)
at
java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at
com.sun.javatest.regtest.agent.MainWrapper$MainThread.run(MainWrapper.java:115)
at java.base/java.lang.Thread.run(Thread.java:834)
JavaTest Message: Test threw exception: java.lang.RuntimeException: TEST
FAILED: couldn't determine EE certificate status
JavaTest Message: shutting down test
STATUS:Failed.`main' threw exception: java.lang.RuntimeException: TEST FAILED:
couldn't determine EE certificate status
