Open GoogleCodeExporter opened 8 years ago
Similar errors show up with:
- Bouncy Castle's JCE provider:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException:
PKIX
path validation failed: java.security.cert.CertPathValidatorException: Could
not
validate certificate signature.
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
[...]
Caused by: java.security.cert.CertPathValidatorException: Could not validate
certificate signature.
at
org.bouncycastle.jce.provider.PKIXCertPathValidatorSpi.engineValidate(PKIXCertPa
thValidatorSpi.java:312)
Caused by: java.security.InvalidKeyException: Public key presented not for
certificate signature
at
org.bouncycastle.jce.provider.X509CertificateObject.checkSignature(X509Certifica
teObject.java:745)
- IBM's Java2 5.0 JDK (and JCE provider):
javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: PKIX path validation
failed: java.security.cert.CertPathValidatorException: Fail to verify issuer;
internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error
[...]
Caused by: java.security.cert.CertPathValidatorException: Certificate chaining
error
at com.ibm.security.cert.CertPathUtil.verifyIssuer(CertPathUtil.java:226)
Original comment by Johnny.B...@gmail.com
on 30 Nov 2007 at 10:56
$ openssl s_client -connect myopenid.com:443
[...]
---
Certificate chain
0 s:/C=US/O=*.myopenid.com/OU=GT08468175/OU=See www.rapidssl.com/resources/cps
(c)07/OU=Domain Control Validated - RapidSSL(R)/CN=*.myopenid.com
i:/C=US/O=Equifax Secure Inc./CN=Equifax Secure Global eBusiness CA-1
1 s:/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./OU=http://
www.starfieldtech.com/repository/CN=Starfield Secure Certification Authority/
emailAddress=practices@starfieldtech.com
i:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy
Validation Authority/CN=http://www.valicert.com//emailAddress=info@valicert.com
---
It seems that JCE libraries (Sun, IBM, and Bouncy Castle) all try to validate
the
signature of the *.myopenid.com certificate using the certificate issued by
Valicert, rather than the one issued by Equifax.
Browsers seem to perform the validation against the Equifax certificate (the
Valicert one doesn't show up).
Original comment by Johnny.B...@gmail.com
on 30 Nov 2007 at 11:16
Maybe time to make the SSL trust validation configurable? See also:
http://code.google.com/p/openid4java/issues/detail?id=114
Original comment by frank.co...@gmail.com
on 4 Jan 2011 at 12:43
Original issue reported on code.google.com by
Johnny.B...@gmail.com
on 11 Sep 2007 at 4:30