  1. JDK
  2. JDK-8000280

Impossible to run any signed JNLP applications or applets, OCSP off by default

Details

    • b12
    • Verified

    Description

      FULL PRODUCT VERSION :
      Java 1.7 update 7

      ADDITIONAL OS VERSION INFORMATION :
      Windows 7 64 bits

      A DESCRIPTION OF THE PROBLEM :
      OCSP was enabled by default until Java 1.6. Now, it is disabled by default. When I try to run a signed applet or a signed application, it simply fails.

      REGRESSION. Last worked in version 6u31

      STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
      Go to http://jogamp.org/deployment/jogamp-current/jogl-demos/jogl-newt-applet-runner-gears.html

      EXPECTED VERSUS ACTUAL BEHAVIOR :
      EXPECTED -
      The famous Gears demo works.
      ACTUAL -
      You can see the actual result here: http://forum.jogamp.org/file/n4026082/jogamp-cert-key-7.png

      Someone else has a similar problem with SKT editor here: http://www.java.net/forum/topic/jdk/java-se-snapshots-project-feedback/os-x-jdk-7u6-will-not-run-signed-jnlp-apps



      ERROR MESSAGES/STACK TRACES THAT OCCUR :
      java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: java.security.InvalidKeyException: Wrong key usage
      at com.sun.deploy.security.TrustDecider.doCheckRevocationStatus(Unknown Source)
      at com.sun.deploy.security.TrustDecider.validateChain(Unknown Source)
      at com.sun.deploy.security.TrustDecider.isAllPermissionGranted(Unknown Source)
      at com.sun.javaws.security.AppPolicy.grantUnrestrictedAccess(Unknown Source)
      at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResourcesHelper(Unknown Source)
      at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResources(Unknown Source)
      at com.sun.javaws.Launcher.prepareResources(Unknown Source)
      at com.sun.javaws.Launcher.prepareAllResources(Unknown Source)
      at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
      at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
      at com.sun.javaws.Launcher.launch(Unknown Source)
      at com.sun.javaws.Main.launchApp(Unknown Source)
      at com.sun.javaws.Main.continueInSecureThread(Unknown Source)
      at com.sun.javaws.Main.access$000(Unknown Source)
      at com.sun.javaws.Main$1.run(Unknown Source)
      at java.lang.Thread.run(Thread.java:722)
      Caused by: java.security.cert.CertPathValidatorException: java.security.InvalidKeyException: Wrong key usage
      at sun.security.provider.certpath.OCSPResponse.verifyResponse(OCSPResponse.java:541)
      at sun.security.provider.certpath.OCSPResponse.<init>(OCSPResponse.java:494)
      at sun.security.provider.certpath.OCSP.check(OCSP.java:261)
      at sun.security.provider.certpath.OCSP.check(OCSP.java:165)
      at sun.security.provider.certpath.OCSP.check(OCSP.java:130)
      at com.sun.deploy.security.TrustDecider.doOCSPEEValidation(Unknown Source)
      ... 16 more
      Caused by: java.security.InvalidKeyException: Wrong key usage
      at java.security.Signature.initVerify(Signature.java:490)
      at sun.security.provider.certpath.OCSPResponse.verifyResponse(OCSPResponse.java:524)
      ... 21 more

      REPRODUCIBILITY :
      This bug can be reproduced always.

      ---------- BEGIN SOURCE ----------
      https://github.com/sgothel/jogl-demos/blob/master/src/demos/gears/Gears.java
      ---------- END SOURCE ----------

      CUSTOMER SUBMITTED WORKAROUND :
      Open the Java Control Panel and go to System Preferences > Other > Java > Advanced > "Enable online certificate validation" (the end users should not have to do this by default, it is really annoying).

            People

              vinnie Vincent Ryan
              webbuggrp Webbug Group