  1. EJBCA
  2. ECA-7441

EJBCA WS tests fail with SunCertPathBuilderException

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: EJBCA 6.14.1.1
    • Fix Version/s: EJBCA 6.15.1
    • Component/s: None
    • Labels:
      None
    • Sprint:
      EJBCA Sprint 21 Team Bob

      Description

      When running ant test:runws now almost all tests fail with:

      Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
      

      Enabling debugging with -Dtests.jvmargs="-Djavax.net.debug=ssl:handshake -Djava.security.debug=certpath,provider" narrows down the issue to

      ...
      trustStore is: /etc/pki/java/cacerts
      ...
      %% Invalidated:  [Session-86, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384]
      main, SEND TLSv1.2 ALERT:  fatal, description = certificate_unknown
      

      which implies that Java's built-in truststore is used instead of the one we try to set in the WS tests by specifying

               System.setProperty("javax.net.ssl.trustStore", TEST_ADMIN_FILE);
               System.setProperty("javax.net.ssl.trustStorePassword", PASSWORD);
               System.setProperty("javax.net.ssl.keyStore", TEST_ADMIN_FILE);
               System.setProperty("javax.net.ssl.keyStorePassword", PASSWORD);
      

      The working theory is that some other part of the JVM makes a TLS connection before the WS test code runs, which will initiate the default socket factory, and that already initiated socket factory will be used for WS connections without re-checking our configured properties.

      Changing this to using a custom socket factory for new connections like the following resolves the issue:

      HttpsURLConnection.setDefaultSSLSocketFactory(getSSLFactory(TEST_ADMIN_FILE, PASSWORD.toCharArray()));
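
One way such a factory can be built, as an added example that is not EJBCA's own code: the body of `getSSLFactory` is not shown in this issue, so `buildSocketFactory`, the class name and the placeholder file name and password below are hypothetical. It assumes a single keystore file holding both the client key and the CA certificate as a trusted entry, matching how `TEST_ADMIN_FILE` is used for both properties above.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

public class ExplicitTlsFactory {

    // Hypothetical stand-in for the getSSLFactory(...) call in the report.
    static SSLSocketFactory buildSocketFactory(String keystorePath, char[] password)
            throws GeneralSecurityException, IOException {
        // Assumption: the file is in the JVM's default keystore format.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(Paths.get(keystorePath))) {
            ks.load(in, password);
        }

        // Key material: the client certificate presented during the handshake.
        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);

        // Trust anchors: initialised from the same file, so the JVM-wide
        // cacerts store is never consulted by this context.
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);

        // The context is built from explicit managers rather than from the
        // javax.net.ssl.* properties, which are only read when the default
        // context is first created.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx.getSocketFactory();
    }

    public static void main(String[] args) throws Exception {
        // Constructed placeholder values; pass a real path and password as arguments.
        String file = args.length > 0 ? args[0] : "client-and-ca.jks";
        char[] pw = (args.length > 1 ? args[1] : "changeit").toCharArray();
        HttpsURLConnection.setDefaultSSLSocketFactory(buildSocketFactory(file, pw));
    }
}
```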
      

              People

              • Assignee: Johan Eklund
              • Reporter: Johan Eklund
              • Verified by: Samuel Lidén Borell
