-
Bug
-
Resolution: Not an Issue
-
P3
-
None
-
6u18
-
x86
-
windows_xp
FULL PRODUCT VERSION :
1.6.0_18-b07
ADDITIONAL OS VERSION INFORMATION :
all Windows with user accounts
A DESCRIPTION OF THE PROBLEM :
sun.security.provider.certpath.OCSPResponse.class has a problem validating signed jars: It gives wrong information on the certificate's authorization. I believe the reason this occurs is the changes made in the class in the last update, 1.6.0_18.
I will explain further with code:
        } else if (cert.getIssuerX500Principal().equals(
                responderCert.getSubjectX500Principal())) {

            // Check for the OCSPSigning key purpose
            try {
                List<String> keyPurposes = cert.getExtendedKeyUsage();
                if (keyPurposes == null ||
                    !keyPurposes.contains(KP_OCSP_SIGNING_OID)) {
                    throw new CertPathValidatorException(
                        "Responder's certificate not valid for signing " +
                        "OCSP responses");
                }
            } catch (CertificateParsingException cpe) {
                // assume cert is not valid for signing
                throw new CertPathValidatorException(
                    "Responder's certificate not valid for signing " +
                    "OCSP responses", cpe);
            }

            // check the validity
            try {
                if (dateCheckedAgainst == null) {
                    cert.checkValidity();
                } else {
                    cert.checkValidity(dateCheckedAgainst);
                }
            } catch (GeneralSecurityException e) {
                throw new CertPathValidatorException(
                    "Responder's certificate not within the " +
                    "validity period", e);
            }

            // check for revocation
            //
            // A CA may specify that an OCSP client can trust a
            // responder for the lifetime of the responder's
            // certificate. The CA does so by including the
            // extension id-pkix-ocsp-nocheck.
            //
            Extension noCheck =
                cert.getExtension(PKIXExtensions.OCSPNoCheck_Id);
            if (noCheck != null) {
                if (DEBUG != null) {
                    DEBUG.println("Responder's certificate includes " +
                        "the extension id-pkix-ocsp-nocheck.");
                }
            } else {
                // we should do the revocation checking of the
                // authorized responder in a future update.
            }

            // verify the signature
            try {
                cert.verify(responderCert.getPublicKey());
                responderCert = cert;
                // cert is trusted, now verify the signed response

            } catch (GeneralSecurityException e) {
                responderCert = null;
            }
        } else {
            throw new CertPathValidatorException(
                "Responder's certificate is not authorized to sign " +
                "OCSP responses");
        }
    }
The last "else" is incorrect because if your certificate is not self-signed and is not issued by the responder certificate, or you haven't trusted it (not an admin or manually added in the store), you end up here (in the else case), which is wrong!
I believe that the bug with ID: 6798714 has something to do with it.
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
1. Sign an applet with a certificate not issued by the responder's certificate and not self-signed.
2. Run the applet as a non-admin user on Windows.
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
The user is prompted if he trusts the issuer
ACTUAL -
You get a "Responder's certificate is not authorized to sign OCSP responses" exception.
ERROR MESSAGES/STACK TRACES THAT OCCUR :
java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: Responder's certificate is not authorized to sign OCSP responses
at com.sun.deploy.security.TrustDecider.isAllPermissionGranted(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.getPermissions(Unknown Source)
at java.security.SecureClassLoader.getProtectionDomain(Unknown Source)
at java.security.SecureClassLoader.defineClass(Unknown Source)
at java.net.URLClassLoader.defineClass(Unknown Source)
at java.net.URLClassLoader.defineClass(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.defineClassHelper(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.access$300(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader$2.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at sun.plugin2.applet.Plugin2ClassLoader.findClassHelper(Unknown Source)
at sun.plugin2.applet.Applet2ClassLoader.findClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at java.lang.Class.getDeclaredConstructors0(Native Method)
at java.lang.Class.privateGetDeclaredConstructors(Unknown Source)
at java.lang.Class.getConstructor0(Unknown Source)
at java.lang.Class.newInstance0(Unknown Source)
at java.lang.Class.newInstance(Unknown Source)
at sun.plugin2.applet.Plugin2Manager$12.run(Unknown Source)
at java.awt.event.InvocationEvent.dispatch(Unknown Source)
at java.awt.EventQueue.dispatchEvent(Unknown Source)
at java.awt.EventDispatchThread.pumpOneEventForFilters(Unknown Source)
at java.awt.EventDispatchThread.pumpEventsForFilter(Unknown Source)
at java.awt.EventDispatchThread.pumpEventsForHierarchy(Unknown Source)
at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
at java.awt.EventDispatchThread.run(Unknown Source)
Caused by: java.security.cert.CertPathValidatorException: Responder's certificate is not authorized to sign OCSP responses
at sun.security.provider.certpath.OCSPResponse.<init>(Unknown Source)
at sun.security.provider.certpath.OCSP.check(Unknown Source)
at sun.security.provider.certpath.OCSP.check(Unknown Source)
at com.sun.deploy.security.TrustDecider.doOCSPEEValidation(Unknown Source)
... 32 more
REPRODUCIBILITY :
This bug can be reproduced always.
CUSTOMER SUBMITTED WORKAROUND :
Use self-signed certificates, or run in admin mode, or have the signer's certificate in the Java local store.
Release Regression From : 6u17
The above release value was the last known release where this
bug was not reproducible. Since then there has been a regression.
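Added example, not part of the original report and not JDK source: the responder-authorization decision that the quoted branch belongs to, following the three cases of RFC 2560 section 4.2.2.2 and using only public java.security.cert APIs. The class name, method names, Verdict values and PEM file arguments are assumptions made for illustration.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.List;

// Illustrative class (hypothetical names); not sun.security.provider.certpath code.
public class ResponderAuthCheck {
    static final String KP_OCSP_SIGNING_OID = "1.3.6.1.5.5.7.3.9"; // id-kp-OCSPSigning

    enum Verdict { ISSUING_CA, TRUSTED_RESPONDER, DELEGATED_BY_CA, NOT_AUTHORIZED }

    // issuer: CA of the certificate being checked; trusted: locally configured
    // responder certificate, or null when none is configured.
    static Verdict classify(X509Certificate responder, X509Certificate issuer,
                            X509Certificate trusted, Date when) {
        if (responder.equals(issuer)) return Verdict.ISSUING_CA;
        if (responder.equals(trusted)) return Verdict.TRUSTED_RESPONDER;
        if (!responder.getIssuerX500Principal().equals(issuer.getSubjectX500Principal())) {
            return Verdict.NOT_AUTHORIZED; // corresponds to the final "else" quoted above
        }
        try {
            // A delegate must carry the OCSPSigning purpose, be within its
            // validity period, and be signed by the issuing CA's key.
            List<String> eku = responder.getExtendedKeyUsage();
            if (eku == null || !eku.contains(KP_OCSP_SIGNING_OID)) return Verdict.NOT_AUTHORIZED;
            responder.checkValidity(when);
            responder.verify(issuer.getPublicKey());
            return Verdict.DELEGATED_BY_CA;
        } catch (GeneralSecurityException e) {
            return Verdict.NOT_AUTHORIZED;
        }
    }

    static X509Certificate load(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    // Usage: java ResponderAuthCheck responder.pem issuer.pem [trusted-responder.pem]
    public static void main(String[] args) throws Exception {
        X509Certificate trusted = args.length > 2 ? load(args[2]) : null;
        Verdict v = classify(load(args[0]), load(args[1]), trusted, new Date());
        System.out.println("Responder certificate: " + v);
    }
}
```

A NOT_AUTHORIZED verdict for a responder that is neither the issuing CA, a locally trusted responder, nor a CA-issued delegate matches the exception text in the stack trace above.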