- Bug
- Resolution: Fixed
- P5
- 7u9
- b134
- generic
- Not verified
FULL PRODUCT VERSION :
java version "1.7.0_09"
Java(TM) SE Runtime Environment (build 1.7.0_09-b05)
Java HotSpot(TM) Client VM (build 23.5-b02, mixed mode)
ADDITIONAL OS VERSION INFORMATION :
Microsoft Windows XP [Version 5.1.2600]
A DESCRIPTION OF THE PROBLEM :
The example is incorrect in the jre\lib\security\java.security file for:
ocsp.responderCertSubjectName="CN=OCSP Responder, O=XYZ Corp"
Using that value leads to the following exception:
Caused by: java.lang.IllegalArgumentException: improperly specified input name: "CN=OCSP Responder, O=XYZ Corp"
at javax.security.auth.x500.X500Principal.<init>(X500Principal.java:169)
at javax.security.auth.x500.X500Principal.<init>(X500Principal.java:121)
at sun.security.provider.certpath.OCSPChecker.check(OCSPChecker.java:170)
at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:133)
at sun.security.provider.certpath.PKIXCertPathValidator.doValidate(PKIXCertPathValidator.java:351)
at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:191)
at java.security.cert.CertPathValidator.validate(CertPathValidator.java:279)
... 3 more
Caused by: java.io.IOException: Invalid keyword ""CN"
at sun.security.x509.AVAKeyword.getOID(AVA.java:1283)
at sun.security.x509.AVA.<init>(AVA.java:192)
at sun.security.x509.AVA.<init>(AVA.java:145)
at sun.security.x509.RDN.<init>(RDN.java:151)
at sun.security.x509.X500Name.parseDN(X500Name.java:935)
at sun.security.x509.X500Name.<init>(X500Name.java:165)
at javax.security.auth.x500.X500Principal.<init>(X500Principal.java:167)
... 13 more
The value for this property does not need to be contained in quotes, as all commas and spaces are preserved in the value string using the rules of Properties (see http://docs.oracle.com/javase/7/docs/api/java/util/Properties.html). When the quotes are removed, no exception is thrown and the value of Security.getProperty("ocsp.responderCertSubjectName") is returned correctly as:
CN=OCSP Responder, O=XYZ Corp
Note the same should apply to the value of ocsp.responderCertIssuerName, for which the example would also be incorrect.
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Uncomment the following line in jre\lib\security\java.security:
ocsp.responderCertSubjectName="CN=OCSP Responder, O=XYZ Corp"
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
OCSP validation would be performed
ACTUAL -
Caused by: java.lang.IllegalArgumentException: improperly specified input name: "CN=OCSP Responder, O=XYZ Corp"
at javax.security.auth.x500.X500Principal.<init>(X500Principal.java:169)
at javax.security.auth.x500.X500Principal.<init>(X500Principal.java:121)
at sun.security.provider.certpath.OCSPChecker.check(OCSPChecker.java:170)
at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:133)
at sun.security.provider.certpath.PKIXCertPathValidator.doValidate(PKIXCertPathValidator.java:351)
at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:191)
at java.security.cert.CertPathValidator.validate(CertPathValidator.java:279)
... 3 more
Caused by: java.io.IOException: Invalid keyword ""CN"
at sun.security.x509.AVAKeyword.getOID(AVA.java:1283)
at sun.security.x509.AVA.<init>(AVA.java:192)
at sun.security.x509.AVA.<init>(AVA.java:145)
at sun.security.x509.RDN.<init>(RDN.java:151)
at sun.security.x509.X500Name.parseDN(X500Name.java:935)
at sun.security.x509.X500Name.<init>(X500Name.java:165)
at javax.security.auth.x500.X500Principal.<init>(X500Principal.java:167)
... 13 more
ERROR MESSAGES/STACK TRACES THAT OCCUR :
Caused by: java.lang.IllegalArgumentException: improperly specified input name: "CN=OCSP Responder, O=XYZ Corp"
at javax.security.auth.x500.X500Principal.<init>(X500Principal.java:169)
at javax.security.auth.x500.X500Principal.<init>(X500Principal.java:121)
at sun.security.provider.certpath.OCSPChecker.check(OCSPChecker.java:170)
at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:133)
at sun.security.provider.certpath.PKIXCertPathValidator.doValidate(PKIXCertPathValidator.java:351)
at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:191)
at java.security.cert.CertPathValidator.validate(CertPathValidator.java:279)
... 3 more
Caused by: java.io.IOException: Invalid keyword ""CN"
at sun.security.x509.AVAKeyword.getOID(AVA.java:1283)
at sun.security.x509.AVA.<init>(AVA.java:192)
at sun.security.x509.AVA.<init>(AVA.java:145)
at sun.security.x509.RDN.<init>(RDN.java:151)
at sun.security.x509.X500Name.parseDN(X500Name.java:935)
at sun.security.x509.X500Name.<init>(X500Name.java:165)
at javax.security.auth.x500.X500Principal.<init>(X500Principal.java:167)
... 13 more
REPRODUCIBILITY :
This bug can be reproduced always.
CUSTOMER SUBMITTED WORKAROUND :
Remove the quotes from the examples in the java.security file
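The behaviour reported above can be reproduced without editing a JRE. The following is an added example, not code from the JDK or from the report; the class name `OcspResponderNameCheck` and the `validate` helper are hypothetical, and the property text is a constructed sample.

```java
import java.io.StringReader;
import java.util.Properties;
import javax.security.auth.x500.X500Principal;

public class OcspResponderNameCheck {
    // The two properties named in the report that hold an X.500 distinguished name.
    static final String[] DN_PROPS = {
        "ocsp.responderCertSubjectName", "ocsp.responderCertIssuerName"
    };

    /** Returns null if the value parses as a DN, otherwise a diagnostic string. */
    static String validate(String key, String value) {
        try {
            new X500Principal(value);   // same constructor that appears in the stack trace
            return null;
        } catch (IllegalArgumentException e) {
            boolean quoted = value.length() >= 2
                    && value.startsWith("\"") && value.endsWith("\"");
            return key + ": " + e.getMessage()
                    + (quoted ? " (remove the surrounding quotes)" : "");
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: the quoted form from the shipped example, then the unquoted form.
        String[] samples = {
            "ocsp.responderCertSubjectName=\"CN=OCSP Responder, O=XYZ Corp\"\n",
            "ocsp.responderCertSubjectName=CN=OCSP Responder, O=XYZ Corp\n"
        };
        for (String text : samples) {
            Properties p = new Properties();
            p.load(new StringReader(text));   // Properties keeps the quotes as part of the value
            for (String key : DN_PROPS) {
                String value = p.getProperty(key);
                if (value == null) continue;  // property not set in this sample
                String problem = validate(key, value);
                System.out.println(problem != null ? "FAIL " + problem
                                                   : "OK   " + key + " = " + value);
            }
        }
    }
}
```

To check an installed JRE instead of the sample text, pass `java.security.Security.getProperty(key)` to `validate`.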