WildFly OpenSSL / WFSSL-117

google.com certificate is incorrectly identified as RSA giving error "KeyUsage does not allow key encipherment"


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Major

      Also posted on GitHub

       

      The following code (get google.com) fails:

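              import java.net.URI;
              import java.net.http.HttpClient;
              import java.net.http.HttpRequest;
              import java.net.http.HttpResponse.BodyHandlers;
              import javax.net.ssl.SSLContext;
              import org.wildfly.openssl.OpenSSLProvider;

              // TLS 1.3 context backed by the WildFly OpenSSL provider, default key and trust managers
              var context = SSLContext.getInstance("TLSv1.3", OpenSSLProvider.INSTANCE);
              context.init(null, null, null);
              var httpClient = HttpClient.newBuilder()
                      .sslContext(context)
                      .build();
              httpClient.send(HttpRequest.newBuilder(URI.create("https://www.google.com"))
                      .GET()
                      .build(), BodyHandlers.ofString());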
      
      

       

      Error is thrown:

      Caused by: javax.net.ssl.SSLException: error:0A000086:SSL routines::certificate verify failed
              at org.wildfly.openssl.OpenSSLEngine.unwrap(OpenSSLEngine.java:626)
              at java.base/javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:679)

       

      Trace log shows:

      sun.security.validator.ValidatorException: KeyUsage does not allow key encipherment
              at java.base/sun.security.validator.EndEntityChecker.checkTLSServer(EndEntityChecker.java:273)
              at java.base/sun.security.validator.EndEntityChecker.check(EndEntityChecker.java:149)
              at java.base/sun.security.validator.Validator.validate(Validator.java:269)
              at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:241)
              at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:113)
              at org.wildfly.openssl.OpenSSLContextSPI.lambda$init$0(OpenSSLContextSPI.java:241)
              at org.wildfly.openssl.SSLImpl.readFromSSL0(Native Method)
              at org.wildfly.openssl.SSLImpl.readFromSSL(SSLImpl.java:153)
              at org.wildfly.openssl.OpenSSLEngine.unwrap(OpenSSLEngine.java:613)
              at java.base/javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:679)

       

      The error seems to be in OpenSSLContextSPI, which incorrectly determines the google.com certificate to be RSA, but it's in fact EC, and EC certificates do not require key encipherment for TLS.

              Assignee: Unassigned
              Reporter: Christian Fredriksson (cfredri4)
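A diagnostic for the behaviour reported above, added here as an example and not taken from the report or from WildFly OpenSSL: it hands one certificate chain to the JDK's default `X509TrustManager` under two different `authType` values, which is the parameter that reaches `EndEntityChecker.checkTLSServer` in the trace log. The class name `AuthTypeCheck` and the input file `chain.pem` (the server's certificates in PEM, leaf first) are assumptions, as is a chain that validates against the JDK default trust store.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.*;
import javax.net.ssl.*;

// Added diagnostic, not WildFly OpenSSL code. Usage: java AuthTypeCheck chain.pem
// chain.pem is an assumed file name: the server's certificates in PEM, leaf first.
public class AuthTypeCheck {
    // Bit positions in the array returned by X509Certificate.getKeyUsage()
    static final int DIGITAL_SIGNATURE = 0, KEY_ENCIPHERMENT = 2;

    static X509TrustManager defaultTrustManager() throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the JDK default trust store
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    // Runs the JDK validation with the given authType and reports the outcome.
    static String validate(X509TrustManager tm, X509Certificate[] chain, String authType) {
        try {
            tm.checkServerTrusted(chain, authType);
            return "accepted";
        } catch (CertificateException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        X509Certificate[] chain;
        try (FileInputStream in = new FileInputStream(args[0])) {
            chain = CertificateFactory.getInstance("X.509").generateCertificates(in)
                    .toArray(new X509Certificate[0]);
        }
        X509Certificate leaf = chain[0];
        boolean[] ku = leaf.getKeyUsage(); // null when the extension is absent
        System.out.println("leaf key algorithm: " + leaf.getPublicKey().getAlgorithm());
        System.out.println("digitalSignature=" + (ku != null && ku[DIGITAL_SIGNATURE])
                + " keyEncipherment=" + (ku != null && ku[KEY_ENCIPHERMENT]));
        X509TrustManager tm = defaultTrustManager();
        // Same chain, two authType values: only the KeyUsage requirement differs.
        for (String authType : new String[] {"RSA", "ECDHE_ECDSA"}) {
            System.out.println(authType + " -> " + validate(tm, chain, authType));
        }
    }
}
```

If the leaf key algorithm prints as `EC` and `keyEncipherment` is `false`, a rejection on the `RSA` line alongside acceptance on the `ECDHE_ECDSA` line isolates the failure to the `authType` handed to the trust manager rather than to the certificate or the trust store.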