OpenJDK: X.509 errors
Our goal is to simplify the ecosystem by consolidating the errors and their documentation (similarly to web documentation) and better explaining what the validation errors mean.
Correctly validating X.509 certificates turns out to be pretty complicated (e.g., Georgiev2012, Ukrop2019). Yet certificate validation is crucial for secure communication on the Internet (think TLS).
For every error, we aim to provide our redesigned documentation, an example certificate, and the original documentation provided by the library (with unused or deprecated errors marked as such). Furthermore, we provide links to corresponding errors from other libraries. In the future, we plan on adding error frequencies based on IP-wide scans and elaborating on the consequences of individual errors.
Time validity errors
Errors occurring when a certificate is outside its validity period or when it has been revoked by its CA.
Relevant links: Certificate Validity (RFC 5280), Certificate Revocation (RFC 5280)
(No detailed documentation provided by the library.)
Original error message:
java.security.cert.CertPathValidatorException: validity check failed (source)
Trust or chain related errors
These errors occur when the trust chain to the root certificate is not built correctly or fails.
Relevant links: Certificate Paths (RFC 5280), Certificate Revocation Lists (RFC 5280), OCSP (RFC 2560)
(No detailed documentation provided by the library.)
Original error message:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target (source)
Basic extension errors
Errors related to extensions in general or to the BasicConstraints standard extension.
Relevant links: Certificate Extensions (RFC 5280), BasicConstraints Extension (RFC 5280)
(No detailed documentation provided by the library.)
Original error message:
java.security.cert.CertPathValidatorException: basic constraints check failed: pathLenConstraint violated - this cert must be the last cert in the certification path (source)
(No detailed documentation provided by the library.)
Original error message:
java.security.cert.CertPathValidatorException: unrecognized critical extension(s) (source)
(No detailed documentation provided by the library.)
Original error message:
java.security.cert.CertPathValidatorException: basic constraints check failed: this is not a CA certificate (source)
Name related errors
Errors signalling problems with hostname verification, the NameConstraints standard extension, or the IP Address Delegation extension.
Relevant links: NameConstraints extension (RFC 5280), IP Address Delegation extension (RFC 3779), Certificate Common Name (RFC 5280)
(No detailed documentation provided by the library.)
Original error message:
javax.net.ssl.SSLHandshakeException: No name matching (source)
(No detailed documentation provided by the library.)
Original error message:
java.security.cert.CertPathValidatorException: name constraints check failed (source)
Usage and policy errors
Errors related to standard extensions CertificatePolicies, KeyUsage and ExtendedKeyUsage.
Relevant links: KeyUsage extension (RFC 5280), ExtendedKeyUsage extension (RFC 5280), CertificatePolicies extension (RFC 5280)
(No detailed documentation provided by the library.)
Original error message:
javax.net.ssl.SSLHandshakeException: Extended key usage does not permit use for TLS server authentication (source)
(No detailed documentation provided by the library.)
Original error message:
java.security.cert.CertPathValidatorException: CA key usage check failed (source)
Algorithm related errors
Various errors signalling the use of invalid or deprecated algorithms.
Relevant links: Algorithm and Key Size Profile for PKI (RFC 7935), Suite B Profile for TLS (RFC 6460)
(No detailed documentation provided by the library.)
Original error message:
java.security.cert.CertPathValidatorException: Algorithm constraints check failed on keysize limits. (source)
(No detailed documentation provided by the library.)
Original error message:
java.security.cert.CertPathValidatorException: Algorithm constraints check failed on signature algorithm (source)
(No detailed documentation provided by the library.)
Original error message:
javax.net.ssl.SSLException: Unsupported signature algorithm (source)
Formatting errors
These errors occur when a field of the certificate/CRL contains invalid values or is badly formatted.
Relevant links: Certificate Signature (RFC 5280), Certificate Time formatting (RFC 5280), Certificate Signature Algorithm (RFC 5280)
(No detailed documentation provided by the library.)
Original error message:
javax.net.ssl.SSLHandshakeException: Failed to parse server certificates (source)
(No detailed documentation provided by the library.)
Original error message:
java.security.cert.CertPathValidatorException: incorrect KeyUsage extension bits (source)
(No detailed documentation provided by the library.)
Original error message:
java.security.cert.CertPathValidatorException: signature check failed (source)
(No detailed documentation provided by the library.)
Original error message:
java.io.IOException: Maximum BaseDistance in name constraints not supported (source)
(No detailed documentation provided by the library.)
Original error message:
java.io.IOException: Non-zero minimum BaseDistance in name constraints not supported (source)
(No detailed documentation provided by the library.)
Original error message:
javax.net.ssl.SSLProtocolException: Unsupported handshake message (source)
Uncategorized errors
These errors are not yet categorized, are deprecated, or are not used at all.
(No detailed documentation provided by the library.)
Original error message:
javax.net.ssl.SSLHandshakeException: PKIX path validation failed (source)
About the project
The project is developed at the Centre for Research on Cryptography and Security (CRoCS) at Masaryk University, Brno, Czech Republic by Martin Ukrop, Pavol Žáčik, Marián Svitek, Eric Valčík with the help of Michaela Balážová and Matěj Grabovský. For more details, see the ReadMe file in the project repository on GitHub.
The authors are grateful for the financial support by Red Hat Czech and Kiwi.com.