FULL PRODUCT VERSION :
ADDITIONAL OS VERSION INFORMATION :
Microsoft Windows [Version 6.1.7601]
EXTRA RELEVANT SYSTEM CONFIGURATION :
The client should be joined to a wireless network with a captive portal enabled. The captive portal should allow the user to reach http://serverurl but not http://ocsp.thawte.com.
As the client loads the applet from serverurl, Java will try to query OCSP at ocsp.thawte.com. The captive portal will respond with a 302, redirecting the client to a web login page. Unlike a 404 error code, which Java handles gracefully, Java will crash when trying to parse the non-OCSP response.
A DESCRIPTION OF THE PROBLEM :
The issue occurs when joined to a network that has a captive portal. As an applet loads, Java tries to call the OCSP URL (ocsp.thawte.com in our case) to verify the code signing certificate. The captive portal responds with a 302 Redirect, redirecting the client to a web login page. Java follows the redirect and receives the web login page's content. It then attempts to parse the HTML as an OCSP response and crashes. The user is given a generic "Error occurred" message.
Java should handle the invalid OCSP response the same as a 404.
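An added example (not code from this report or from the JDK) of the client-side handling the report asks for: the reply fetched from the OCSP URL is classified before any DER parsing, and a redirect, an HTML body, or a body that is not exactly one DER SEQUENCE is mapped to the same "status unknown" outcome a 404 gets instead of raising an exception. The class, enum and method names are hypothetical; the sample bodies are constructed.

```java
import java.nio.charset.StandardCharsets;

// Added example, not code from the bug report or the JDK. Classifies an HTTP reply
// from an OCSP responder URL before it reaches a DER parser: anything that is not a
// 200 carrying a single well-formed DER SEQUENCE is treated as "status unknown",
// the same soft outcome the report asks for on a 404, instead of an exception.
public class OcspReplyGuard {
    public enum Outcome { PARSEABLE_OCSP, STATUS_UNKNOWN }

    // Total length (tag + length bytes + content) of the outer DER SEQUENCE, or -1 if malformed.
    static int derSequenceLength(byte[] b) {
        if (b.length < 2 || (b[0] & 0xFF) != 0x30) return -1;      // must start with SEQUENCE tag
        int first = b[1] & 0xFF;
        if (first < 0x80) return 2 + first;                          // short-form length
        int n = first & 0x7F;
        if (n == 0 || n > 4 || b.length < 2 + n) return -1;          // indefinite or oversized length
        long len = 0;
        for (int i = 0; i < n; i++) len = (len << 8) | (b[2 + i] & 0xFF);
        if (len > Integer.MAX_VALUE - 2 - n) return -1;
        return (int) (2 + n + len);
    }

    // status: HTTP status code; contentType: Content-Type header (may be null); body: response bytes.
    public static Outcome classify(int status, String contentType, byte[] body) {
        if (status != 200) return Outcome.STATUS_UNKNOWN;            // 302/404/etc.: never parse the body
        if (contentType == null || !contentType.toLowerCase().startsWith("application/ocsp-response"))
            return Outcome.STATUS_UNKNOWN;                            // captive-portal login page is text/html
        int expected = derSequenceLength(body);
        if (expected != body.length) return Outcome.STATUS_UNKNOWN;  // would be "extra data given to DerValue"
        return Outcome.PARSEABLE_OCSP;
    }

    public static void main(String[] args) {
        // Constructed samples: a captive-portal login page and a minimal DER SEQUENCE shell.
        byte[] html = "<html><body>Please log in</body></html>".getBytes(StandardCharsets.US_ASCII);
        byte[] der = {0x30, 0x03, 0x0A, 0x01, 0x00};   // SEQUENCE { ENUMERATED 0 }: shape only, not a real response
        System.out.println("302 + login page : " + classify(302, "text/html", html));
        System.out.println("200 + html body  : " + classify(200, "text/html", html));
        System.out.println("200 + DER shell  : " + classify(200, "application/ocsp-response", der));
    }
}
```

In a real fetch the connection would also be opened with setInstanceFollowRedirects(false) so the 302 itself reaches classify() rather than the login page it points to.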
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
The client should be joined to a wireless network with a captive portal enabled. The captive portal should allow the user to reach http://serverurl but not http://ocsp.thawte.com.
As the client loads the applet from serverurl, Java will try to query OCSP at ocsp.thawte.com. The captive portal will respond with a 302, redirecting the client to a web login page. Unlike a 404 error code, which Java handles gracefully, Java will crash when trying to parse the non-OCSP response.
Alternate: For simpler testing, generate a code signing certificate with the OCSP URL set to http://www.google.com and sign the applet with this certificate. Make sure the certificate's CA is in the client's trust store. With this, Java will call http://www.google.com directly (without the need for a 302) and the OCSP parsing will crash while parsing the Google HTML.
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Java should handle the invalid OCSP response the same as a 404.
ACTUAL -
Java throws an exception and gives the user a generic "Error occurred" message.
ERROR MESSAGES/STACK TRACES THAT OCCUR :
java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: java.io.IOException: extra data given to DerValue constructor
at com.sun.deploy.security.RevocationChecker.checkOCSP(Unknown Source)
at com.sun.deploy.security.RevocationChecker.check(Unknown Source)
at com.sun.deploy.security.TrustDecider.checkRevocationStatus(Unknown Source)
at com.sun.deploy.security.TrustDecider.getValidationState(Unknown Source)
at com.sun.deploy.security.TrustDecider.validateChain(Unknown Source)
at com.sun.deploy.security.TrustDecider.isAllPermissionGranted(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.isTrustedByTrustDecider(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.getTrustedCodeSources(Unknown Source)
at com.sun.deploy.security.CPCallbackHandler$ParentCallback.strategy(Unknown Source)
at com.sun.deploy.security.CPCallbackHandler$ParentCallback.openClassPathElement(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath$JarLoader.getJarFile(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath$JarLoader.access$1000(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath$JarLoader$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at com.sun.deploy.security.DeployURLClassPath$JarLoader.ensureOpen(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath$JarLoader.<init>(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath$3.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at com.sun.deploy.security.DeployURLClassPath.getLoader(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath.getLoader(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath.getResource(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader$2.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at sun.plugin2.applet.Plugin2ClassLoader.findClassHelper(Unknown Source)
at sun.plugin2.applet.Applet2ClassLoader.findClass(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.loadClass0(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.loadClass0(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
at sun.plugin2.applet.Plugin2ClassLoader.loadCode(Unknown Source)
at sun.plugin2.applet.Plugin2Manager.initAppletAdapter(Unknown Source)
at sun.plugin2.applet.Plugin2Manager$AppletExecutionRunnable.run(Unknown Source)
at java.lang.Thread.run(Thread.java:724)
Suppressed: com.sun.deploy.security.RevocationChecker$StatusUnknownException
at com.sun.deploy.security.RevocationChecker.checkCRLs(Unknown Source)
... 34 more
Caused by: java.security.cert.CertPathValidatorException: java.io.IOException: extra data given to DerValue constructor
at sun.security.provider.certpath.OCSP.check(OCSP.java:288)
at sun.security.provider.certpath.OCSP.check(OCSP.java:189)
at sun.security.provider.certpath.OCSP.check(OCSP.java:154)
... 35 more
Caused by: java.io.IOException: extra data given to DerValue constructor
at sun.security.util.DerValue.init(DerValue.java:384)
at sun.security.util.DerValue.<init>(DerValue.java:294)
at sun.security.provider.certpath.OCSPResponse.<init>(OCSPResponse.java:194)
at sun.security.provider.certpath.OCSP.check(OCSP.java:285)
REPRODUCIBILITY :
This bug can be reproduced always.
CUSTOMER SUBMITTED WORKAROUND :
Redesign the network to return a 404, but this is difficult given the massive IP space of the OCSP URLs.
Duplicates: JDK-8020390 LSP: LocalSecurityPolicy is initialized too soon (Closed)