micrcx / openid4java

Automatically exported from code.google.com/p/openid4java
Apache License 2.0
0 stars 0 forks source link

JVM's root certs don't validate myopenid.com SSL cert #27

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
Ok in browser; openid4java logs show:

Error talking to https://www.myopenid.com/server response code: -1 
CLASS:consumer.ConsumerManager TP-Processor10  
javax.net.ssl.SSLHandshakeException: 
sun.security.validator.ValidatorException: PKIX path validation failed: 
java.security.cert.CertPathValidatorExcepti
on: subject/issuer name chaining check failed
        at 
com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
        at 
com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1518)
        at 
com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:174)
        at 
com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:168)
        at 
com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker
.java:848)
        at 
com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.ja
va:106)
        at 
com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
        at 
com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:433)
        at 
com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:818)
        at 
com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl
.java:1030)
        at 
com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:622)
        at 
com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)
        at 
java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
        at 
java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
        at 
org.apache.commons.httpclient.methods.StringRequestEntity.writeRequest(StringReq
uestEntity.java:150)
        at 
org.apache.commons.httpclient.methods.EntityEnclosingMethod.writeRequestBody(Ent
ityEnclosingMethod.java:495)
        at 
org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:19
73)
        at 
java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
        at 
org.apache.commons.httpclient.methods.StringRequestEntity.writeRequest(StringReq
uestEntity.java:150)
        at 
org.apache.commons.httpclient.methods.EntityEnclosingMethod.writeRequestBody(Ent
ityEnclosingMethod.java:495)
        at 
org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:19
73)
        at 
org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:993)
        at 
org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDire
ctor.java:397)
        at 
org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirecto
r.java:170)
        at 
org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:396)
        at 
org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:19
73)
        at 
org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:993)
        at 
org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDire
ctor.java:397)
        at 
org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirecto
r.java:170)
        at 
org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:396)
        at 
org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:324)
        at 
org.openid4java.consumer.ConsumerManager.call(ConsumerManager.java:569)
        at 
org.openid4java.consumer.ConsumerManager.associate(ConsumerManager.java:725)
        at 
org.openid4java.consumer.ConsumerManager.associate(ConsumerManager.java:612)
        at 
com.sxip.apollo.rp.web.IndexController.buildFetchReq(IndexController.java:200)
        at 
com.sxip.apollo.rp.web.IndexController.handleRequestInternal(IndexController.jav
a:132)
        at 
org.springframework.web.servlet.mvc.AbstractController.handleRequest(AbstractCon
troller.java:153)
        at 
org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(Simple
ControllerHandlerAdapter.java:45)
        at 
org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.j
ava:806)
        at 
org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.ja
va:736)
        at 
org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet
.java:396)
        at 
org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:36
0)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:709)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
        at 
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilt
erChain.java:252)
        at 
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.
java:173)
        at 
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:2
13)
        at 
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:1
78)
        at 
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
        at 
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
        at 
org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:541)
        at 
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107
)
        at 
org.apache.catalina.valves.RequestDumperValve.invoke(RequestDumperValve.java:150
)
        at 
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
        at 
org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:199)
        at 
org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:282)
        at 
org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:767)
        at 
org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:697)
        at 
org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:889
)
        at 
org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:68
4)
        at java.lang.Thread.run(Thread.java:595)
Caused by: sun.security.validator.ValidatorException: PKIX path validation 
failed: java.security.cert.CertPathValidatorException: subject/issuer name 
ch
aining check failed
        at 
sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:187)
        at 
sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:139)
        at sun.security.validator.Validator.validate(Validator.java:203)
        at 
com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustMa
nagerImpl.java:172)
        at 
com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(SSLContextI
mpl.java:320)
        at 
com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker
.java:841)
        ... 47 more
Caused by: java.security.cert.CertPathValidatorException: subject/issuer 
name chaining check failed
        at 
sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCe
rtPathValidator.java:139)
        at 
sun.security.provider.certpath.PKIXCertPathValidator.doValidate(PKIXCertPathVali
dator.java:316)
        at 
sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPath
Validator.java:178)
        at 
java.security.cert.CertPathValidator.validate(CertPathValidator.java:206)
        at 
sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:182)
        ... 52 more

Original issue reported on code.google.com by Johnny.B...@gmail.com on 11 Sep 2007 at 4:30

GoogleCodeExporter commented 9 years ago
Similar errors show up with:

- Bouncy Castle's JCE provider:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: 
PKIX 
path validation failed: java.security.cert.CertPathValidatorException: Could 
not 
validate certificate signature.
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
[...]
Caused by: java.security.cert.CertPathValidatorException: Could not validate 
certificate signature.
    at 
org.bouncycastle.jce.provider.PKIXCertPathValidatorSpi.engineValidate(PKIXCertPa
thValidatorSpi.java:312)
Caused by: java.security.InvalidKeyException: Public key presented not for 
certificate signature
    at 
org.bouncycastle.jce.provider.X509CertificateObject.checkSignature(X509Certifica
teObject.java:745)

- IBM's Java2 5.0 JDK (and JCE provider):
javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: PKIX path validation 
failed: java.security.cert.CertPathValidatorException: Fail to verify issuer; 
internal cause is: 
    java.security.cert.CertPathValidatorException: Certificate chaining error
[...]
Caused by: java.security.cert.CertPathValidatorException: Certificate chaining 
error
    at com.ibm.security.cert.CertPathUtil.verifyIssuer(CertPathUtil.java:226)

Original comment by Johnny.B...@gmail.com on 30 Nov 2007 at 10:56

GoogleCodeExporter commented 9 years ago
$ openssl s_client -connect myopenid.com:443
[...]
---
Certificate chain
 0 s:/C=US/O=*.myopenid.com/OU=GT08468175/OU=See www.rapidssl.com/resources/cps 
(c)07/OU=Domain Control Validated - RapidSSL(R)/CN=*.myopenid.com
   i:/C=US/O=Equifax Secure Inc./CN=Equifax Secure Global eBusiness CA-1
 1 s:/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./OU=http://
www.starfieldtech.com/repository/CN=Starfield Secure Certification Authority/
emailAddress=practices@starfieldtech.com
   i:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy 
Validation Authority/CN=http://www.valicert.com//emailAddress=info@valicert.com
---

It seems that JCE libraries (Sun, IBM, and Bouncy Castle) all try to validate 
the 
signature of the *.myopenid.com certificate using the certificate issued by 
Valicert, rather than the one issued by Equifax.

Browsers seem to perform the validation against the Equifax certificate (the 
Valicert one doesn't show up).

Original comment by Johnny.B...@gmail.com on 30 Nov 2007 at 11:16

GoogleCodeExporter commented 9 years ago
Maybe time to make the SSL trust validation configurable? See also: 
http://code.google.com/p/openid4java/issues/detail?id=114

Original comment by frank.co...@gmail.com on 4 Jan 2011 at 12:43