
I've been looking into the PKIX path building failed issue while doing a gradle build. Reinstalling the JDK does not work, but the code runs on other PCs (win/ubuntu) without any problem. I followed numerous posts to import certificates for the target host (like plugins.gradle.org) into my local java keystore, but still no luck.

When I turn on the debugging for java.net.ssl, I noticed the following difference: the certificate I imported with openssl/keytool has a different signature algorithm from the cert I got during handshaking (see code at the bottom)! And that seems to be the problem.

My questions are: Is this the actual cause of my "PKIX path building failed" problem? And how can I solve this?

The key I have in my local keystore (the one I imported):

  "certificate" : {
    "version"            : "v3",
    "serial number"      : "0B 68 E1 1A 96 B8 F5 45 9E F6 BE 18 1E B3 64 B7",
    "signature algorithm": "SHA256withECDSA", <<-----------
    "issuer"             : "CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US",
    "not before"         : "2020-07-05 08:00:00.000 CST",
    "not  after"         : "2021-07-05 20:00:00.000 CST",
    "subject"            : "CN=gradle.org, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US",
    "subject public key" : "EC",
    "extensions"         : [
      {
        ObjectId: 1.3.6.1.4.1.11129.2.4.2 Criticality=false
      },
      {
        ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
        AuthorityInfoAccess [
          [
           accessMethod: ocsp
           accessLocation: URIName: http://ocsp.digicert.com
        , 
           accessMethod: caIssuers
           accessLocation: URIName: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt
        ]
        ]
      },
      {
        ObjectId: 2.5.29.35 Criticality=false
        AuthorityKeyIdentifier [
        KeyIdentifier [
        0000: A5 CE 37 EA EB B0 75 0E   94 67 88 B4 45 FA D9 24  ..7...u..g..E..$
        0010: 10 87 96 1F                                        ....
        ]
        ]
      },
      {
        ObjectId: 2.5.29.19 Criticality=true
        BasicConstraints:[
          CA:false
          PathLen: undefined
        ]
      },
      {
        ObjectId: 2.5.29.31 Criticality=false
        CRLDistributionPoints [
          [DistributionPoint:
             [URIName: http://crl3.digicert.com/CloudflareIncECCCA-3.crl]
        , DistributionPoint:
             [URIName: http://crl4.digicert.com/CloudflareIncECCCA-3.crl]
        ]]
      },
      {
        ObjectId: 2.5.29.32 Criticality=false
        CertificatePolicies [
          [CertificatePolicyId: [2.16.840.1.114412.1.1]
        [PolicyQualifierInfo: [
          qualifierID: 1.3.6.1.5.5.7.2.1
          qualifier: 0000: 16 1C 68 74 74 70 73 3A   2F 2F 77 77 77 2E 64 69  ..https://www.di
        0010: 67 69 63 65 72 74 2E 63   6F 6D 2F 43 50 53        gicert.com/CPS
        
        ]]  ]
          [CertificatePolicyId: [2.23.140.1.2.2]
        []  ]
        ]
      },
      {
        ObjectId: 2.5.29.37 Criticality=false
        ExtendedKeyUsages [
          serverAuth
          clientAuth
        ]
      },
      {
        ObjectId: 2.5.29.15 Criticality=true
        KeyUsage [
          DigitalSignature
        ]
      },
      {
        ObjectId: 2.5.29.17 Criticality=false
        SubjectAlternativeName [
          DNSName: gradle.org
          DNSName: *.gradle.org
        ]
      },
      {
        ObjectId: 2.5.29.14 Criticality=false
        SubjectKeyIdentifier [
        KeyIdentifier [
        0000: 44 80 3A FA 00 84 38 D1   BD 20 F2 AB 55 7D FD 0C  D.:...8.. ..U...
        0010: BB 2B F8 50                                        .+.P
        ]
        ]
      }
    ]},

But the certificate I got from the server during handshaking:

javax.net.ssl|DEBUG|01|main|2020-08-09 02:12:11.364 CST|CertificateMessage.java:358|Consuming server Certificate handshake message (
"Certificates": [
  "certificate" : {
    "version"            : "v3",
    "serial number"      : "00 FA 96 8B 4E 71 C3 D7 DF 61 53 3D 49 07 83 1F 5E",
    "signature algorithm": "SHA256withRSA",<<-----------
    "issuer"             : "CN=GlobalSign Root CA, C=EN",
    "not before"         : "2020-07-05 08:00:00.000 CST",
    "not  after"         : "2021-07-05 20:00:00.000 CST",
    "subject"            : "CN=gradle.org, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US",
    "subject public key" : "RSA",
    "extensions"         : [
      {
        ObjectId: 2.5.29.19 Criticality=true
        BasicConstraints:[
          CA:false
          PathLen: undefined
        ]
      },
      {
        ObjectId: 2.5.29.37 Criticality=false
        ExtendedKeyUsages [
          serverAuth
          clientAuth
        ]
      },
      {
        ObjectId: 2.5.29.17 Criticality=false
        SubjectAlternativeName [
          DNSName: gradle.org
          DNSName: *.gradle.org
        ]
      }
    ]}
]
)
Yeling
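The difference the question points at can be checked mechanically rather than by eye. The following added example (not part of the question, of Gradle or of the JDK) parses two constructed excerpts in the shape of the javax.net.debug certificate dumps above and lists every attribute where the handshake certificate departs from the one imported into the keystore, including the revocation and AIA extensions that are missing from the second dump:

```python
import re

# Constructed excerpts in the shape of the javax.net.debug certificate dump
# (values modelled on the question; not a real capture).
EXPECTED_DUMP = '''
  "certificate" : {
    "serial number"      : "0B 68 E1 1A 96 B8 F5 45 9E F6 BE 18 1E B3 64 B7",
    "signature algorithm": "SHA256withECDSA",
    "issuer"             : "CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US",
    "subject public key" : "EC",
        ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
        ObjectId: 2.5.29.31 Criticality=false
        ObjectId: 2.5.29.19 Criticality=true
'''
HANDSHAKE_DUMP = '''
  "certificate" : {
    "serial number"      : "00 FA 96 8B 4E 71 C3 D7 DF 61 53 3D 49 07 83 1F 5E",
    "signature algorithm": "SHA256withRSA",
    "issuer"             : "CN=GlobalSign Root CA, C=EN",
    "subject public key" : "RSA",
        ObjectId: 2.5.29.19 Criticality=true
'''
# One '"name" : "value",' line of the dump; the value may itself contain quotes.
FIELD_RE = re.compile(r'^\s*"([^"]+)"\s*:\s*"(.*)",?\s*$', re.M)
OID_RE = re.compile(r'ObjectId:\s*([\d.]+)')

# Extensions a CA-issued leaf normally carries; their absence is a red flag.
REQUIRED_EXT = {"1.3.6.1.5.5.7.1.1": "AuthorityInfoAccess",
                "2.5.29.31": "CRLDistributionPoints"}

def parse_cert_dump(text):
    """Return the dump's quoted fields plus the set of extension OIDs present."""
    fields = {k.strip(): v for k, v in FIELD_RE.findall(text)}
    fields["extensions"] = set(OID_RE.findall(text))
    return fields

def compare_certs(expected, observed):
    """List what differs between the keystore cert and the handshake cert."""
    findings = []
    for key in ("signature algorithm", "issuer", "serial number", "subject public key"):
        if expected.get(key) != observed.get(key):
            findings.append(f"{key}: expected {expected.get(key)!r}, got {observed.get(key)!r}")
    for oid, name in REQUIRED_EXT.items():
        if oid in expected["extensions"] and oid not in observed["extensions"]:
            findings.append(f"missing extension {name} ({oid})")
    return findings

if __name__ == "__main__":
    for line in compare_certs(parse_cert_dump(EXPECTED_DUMP), parse_cert_dump(HANDSHAKE_DUMP)):
        print(line)
```

A real run would feed it the two dumps from the debug log of a failing build and a known-good build; an empty findings list means the server presented the certificate the keystore trusts.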
  • Somehow it has escaped your attention that these are different certificates. The serial number alone tells you that, also the issuer. You should have imported the second one, not the first one, but as it's a CA root certificate I don't know why you had to import it at all. Also, this isn't the only certificate you received in the handshake: you received an entire chain, of which this is the root. Unclear why you're doing any of this. Duplicate. – user207421 Aug 09 '20 at 01:04
  • @MarquisofLorne: neither of the certs shown is a root. The first one matches the server cert I get from plugins.gradle.org (if CST is UTC+8). The second one **looks like a bad fake**: while GlobalSign is a long-established CA, it certainly does not sign server certs directly under a root, _does_ include required CRLDP AIA Policies, and none of its transparency-logged certs has that DN: they _all_ have C=BE not EN which isn't even in 3166, and O and OU values which are not present here. Yeling: how are you connecting to the Internet, and could there be a fraudster intercepting it? – dave_thompson_085 Aug 09 '20 at 05:48
  • @dave_thompson_085, I do have Shadowsocks set up on this WIN10 PC, but I'm sure I did not configure gradle to use a proxy. One strange thing I found is, as Marquis mentioned, the server should send a chain of certificates during handshaking, but during my testing, I found that only the above certificate issued by "GlobalSign Root CA, C=EN" is received during handshaking, and then the "could not build PKIX path" error is thrown. – Yeling Aug 09 '20 at 15:48
  • I've pushed the problem gradle project to github, check it out here: https://github.com/shiyeling/lenskit-hello and I ran the build with the below command: ./gradlew -Djavax.net.debug=all run > run-no-proxy.log 2>&1 – Yeling Aug 09 '20 at 16:59
  • Try `openssl s_client -connect $host:$port` (below 1.1.0 add `-servername $host` if needed) and/or `keytool -printcert -sslserver $host[:$port]` and see what certs/chains those get. Try wireshark or similar capture while running gradle and see _exactly_ what it connects to and what certs it gets. Try connecting from another location or ISP if possible. – dave_thompson_085 Aug 11 '20 at 03:38
  • I've added keytool and openssl output for services.gradle.org:443 and also the traffic captured by wireshark. [keytool1.out](https://github.com/shiyeling/lenskit-hello/blob/master/keytool1.out) looks normal, but when I ran it again after several seconds, I got a problematic result: [keytool2.out](https://github.com/shiyeling/lenskit-hello/blob/master/keytool2.out). You can get the traffic for them with IP address `104.18.191.9` in the traffic file: [traffic-with-service.gradle.org_2.pcapng](https://github.com/shiyeling/lenskit-hello/blob/master/traffic-with-service.gradle.org_2.pcapng) – Yeling Aug 11 '20 at 16:49
  • Wireshark shows some colored marks for the messages captured, but I'm not sure how to read them. Sad! – Yeling Aug 11 '20 at 16:51
  • Reinstall windows resolved this issue! – Yeling Aug 17 '20 at 02:31

0 Answers