A DESCRIPTION OF THE REQUEST :
If Java Web Start encounters a signed resource, and the resource is signed with a valid certificate but that certificate does not permit code signing (ExtendedKeyUsage does not include code signing), the following error and stack trace result:
"Failed to validate certificate. The application will not be executed."
sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Check netscape bits 5,6,7 value failed in certificate
at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:251)
at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:234)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:148)
at sun.security.validator.Validator.validate(Validator.java:218)
at sun.security.validator.Validator.validate(Validator.java:187)
at com.sun.deploy.security.TrustDecider.isAllPermissionGranted(TrustDecider.java:521)
at com.sun.javaws.security.AppPolicy.grantUnrestrictedAccess(AppPolicy.java:264)
at com.sun.javaws.LaunchDownload.checkSignedResourcesHelper(LaunchDownload.java:1460)
at com.sun.javaws.LaunchDownload.checkSignedResources(LaunchDownload.java:1170)
at com.sun.javaws.Launcher.prepareLaunchFile(Launcher.java:1020)
at com.sun.javaws.Launcher.prepareToLaunch(Launcher.java:306)
at com.sun.javaws.Launcher.prepareToLaunch(Launcher.java:183)
at com.sun.javaws.Launcher.launch(Launcher.java:104)
at com.sun.javaws.Main.launchApp(Main.java:403)
at com.sun.javaws.Main.continueInSecureThread(Main.java:250)
at com.sun.javaws.Main$1.run(Main.java:111)
at java.lang.Thread.run(Thread.java:619)
Caused by: java.security.cert.CertPathValidatorException: Check netscape bits 5,6,7 value failed in certificate
at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:139)
at sun.security.provider.certpath.PKIXCertPathValidator.doValidate(PKIXCertPathValidator.java:326)
at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:178)
at java.security.cert.CertPathValidator.validate(CertPathValidator.java:250)
at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:246)
... 16 more
This test was conducted using JNLP locally with file:/ resources.
This RFE is a request for a somewhat clearer error message than "Check netscape bits 5,6,7 value failed in certificate", perhaps something like "The application is signed with a certificate which does not permit code signing in its ExtendedKeyUsage".
JUSTIFICATION :
A clearer error message would allow developers or clients of the signed resource to quickly identify the problem with the resource signing and locate the correct certificate.
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
A new/improved error message or stack trace including something like:
"The application is signed with a certificate which does not permit code signing in its ExtendedKeyUsage".
ACTUAL -
The stack trace above is thrown, which includes only the message:
java.security.cert.CertPathValidatorException: Check netscape bits 5,6,7 value failed in certificate
CUSTOMER SUBMITTED WORKAROUND :
If you see this error message, you have selected the incorrect certificate to sign the code. Make sure you select a certificate which permits code signing.
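A pre-signing check along the lines of the workaround above, as an added example that is not part of the original report and not Java Web Start's own validation code: it reads a certificate's ExtendedKeyUsage through the standard X509Certificate.getExtendedKeyUsage() call and reports the condition in the wording this RFE asks for. The class name CodeSigningEkuCheck, the describe helper and the sample OID lists are assumptions made for illustration; the check covers ExtendedKeyUsage only, not the Netscape certificate-type bits named in the exception text.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.List;

public class CodeSigningEkuCheck {
    // Standard key-purpose OIDs (RFC 5280).
    static final String CODE_SIGNING = "1.3.6.1.5.5.7.3.3"; // id-kp-codeSigning
    static final String ANY_EKU = "2.5.29.37.0";            // anyExtendedKeyUsage

    /**
     * Explains whether an ExtendedKeyUsage list permits code signing.
     * A null list means the extension is absent, so the certificate does
     * not restrict its purposes through ExtendedKeyUsage.
     */
    static String describe(List<String> eku) {
        if (eku == null) {
            return "OK: no ExtendedKeyUsage extension, purposes not restricted by it";
        }
        if (eku.contains(CODE_SIGNING) || eku.contains(ANY_EKU)) {
            return "OK: ExtendedKeyUsage permits code signing " + eku;
        }
        return "FAIL: the certificate does not permit code signing in its "
                + "ExtendedKeyUsage " + eku;
    }

    public static void main(String[] args) throws Exception {
        if (args.length == 1) {
            // Usage: java CodeSigningEkuCheck signer.cer (PEM or DER X.509 file)
            try (InputStream in = new FileInputStream(args[0])) {
                X509Certificate cert = (X509Certificate)
                        CertificateFactory.getInstance("X.509").generateCertificate(in);
                System.out.println(cert.getSubjectX500Principal().getName());
                System.out.println(describe(cert.getExtendedKeyUsage()));
            }
            return;
        }
        // Constructed sample lists, used when no certificate file is given.
        System.out.println(describe(Arrays.asList("1.3.6.1.5.5.7.3.1"))); // TLS server only
        System.out.println(describe(Arrays.asList(CODE_SIGNING)));
        System.out.println(describe(null));
    }
}
```

The certificate file can be exported from the signing keystore with keytool -exportcert before running the check against it.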