JDK-8024714

In java.security file, ocsp.responderCertSubjectName should not contain quotes


    • b134
    • generic
    • Not verified

      FULL PRODUCT VERSION :
      java version "1.7.0_09"
      Java(TM) SE Runtime Environment (build 1.7.0_09-b05)
      Java HotSpot(TM) Client VM (build 23.5-b02, mixed mode)

      ADDITIONAL OS VERSION INFORMATION :
      Microsoft Windows XP [Version 5.1.2600]

      A DESCRIPTION OF THE PROBLEM :
      The example is incorrect in the jre\lib\security\java.security file for:

      ocsp.responderCertSubjectName="CN=OCSP Responder, O=XYZ Corp"

      Using that value leads to the following exception:

      Caused by: java.lang.IllegalArgumentException: improperly specified input name: "CN=OCSP Responder, O=XYZ Corp"
              at javax.security.auth.x500.X500Principal.<init>(X500Principal.java:169)
              at javax.security.auth.x500.X500Principal.<init>(X500Principal.java:121)
              at sun.security.provider.certpath.OCSPChecker.check(OCSPChecker.java:170)
              at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:133)
              at sun.security.provider.certpath.PKIXCertPathValidator.doValidate(PKIXCertPathValidator.java:351)
              at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:191)
              at java.security.cert.CertPathValidator.validate(CertPathValidator.java:279)
              ... 3 more
      Caused by: java.io.IOException: Invalid keyword ""CN"
              at sun.security.x509.AVAKeyword.getOID(AVA.java:1283)
              at sun.security.x509.AVA.<init>(AVA.java:192)
              at sun.security.x509.AVA.<init>(AVA.java:145)
              at sun.security.x509.RDN.<init>(RDN.java:151)
              at sun.security.x509.X500Name.parseDN(X500Name.java:935)
              at sun.security.x509.X500Name.<init>(X500Name.java:165)
              at javax.security.auth.x500.X500Principal.<init>(X500Principal.java:167)
              ... 13 more

      The value for this property does not need to be contained in quotes, as all commas and spaces are preserved in the value string using the rules of Properties (see http://docs.oracle.com/javase/7/docs/api/java/util/Properties.html). When the quotes are removed, no exception is thrown and the value of Security.getProperty("ocsp.responderCertSubjectName") is returned correctly as:

      CN=OCSP Responder, O=XYZ Corp

      Note the same should apply to the value of ocsp.responderCertIssuerName, for which the example would also be incorrect.


      STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
      Uncomment the following line in jre\lib\security\java.security:

      ocsp.responderCertSubjectName="CN=OCSP Responder, O=XYZ Corp"



      EXPECTED VERSUS ACTUAL BEHAVIOR :
      EXPECTED -
      OCSP validation would be performed
      ACTUAL -
      Caused by: java.lang.IllegalArgumentException: improperly specified input name: "CN=OCSP Responder, O=XYZ Corp"
              at javax.security.auth.x500.X500Principal.<init>(X500Principal.java:169)
              at javax.security.auth.x500.X500Principal.<init>(X500Principal.java:121)
              at sun.security.provider.certpath.OCSPChecker.check(OCSPChecker.java:170)
              at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:133)
              at sun.security.provider.certpath.PKIXCertPathValidator.doValidate(PKIXCertPathValidator.java:351)
              at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:191)
              at java.security.cert.CertPathValidator.validate(CertPathValidator.java:279)
              ... 3 more
      Caused by: java.io.IOException: Invalid keyword ""CN"
              at sun.security.x509.AVAKeyword.getOID(AVA.java:1283)
              at sun.security.x509.AVA.<init>(AVA.java:192)
              at sun.security.x509.AVA.<init>(AVA.java:145)
              at sun.security.x509.RDN.<init>(RDN.java:151)
              at sun.security.x509.X500Name.parseDN(X500Name.java:935)
              at sun.security.x509.X500Name.<init>(X500Name.java:165)
              at javax.security.auth.x500.X500Principal.<init>(X500Principal.java:167)
              ... 13 more

      ERROR MESSAGES/STACK TRACES THAT OCCUR :
      Caused by: java.lang.IllegalArgumentException: improperly specified input name: "CN=OCSP Responder, O=XYZ Corp"
              at javax.security.auth.x500.X500Principal.<init>(X500Principal.java:169)
              at javax.security.auth.x500.X500Principal.<init>(X500Principal.java:121)
              at sun.security.provider.certpath.OCSPChecker.check(OCSPChecker.java:170)
              at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:133)
              at sun.security.provider.certpath.PKIXCertPathValidator.doValidate(PKIXCertPathValidator.java:351)
              at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:191)
              at java.security.cert.CertPathValidator.validate(CertPathValidator.java:279)
              ... 3 more
      Caused by: java.io.IOException: Invalid keyword ""CN"
              at sun.security.x509.AVAKeyword.getOID(AVA.java:1283)
              at sun.security.x509.AVA.<init>(AVA.java:192)
              at sun.security.x509.AVA.<init>(AVA.java:145)
              at sun.security.x509.RDN.<init>(RDN.java:151)
              at sun.security.x509.X500Name.parseDN(X500Name.java:935)
              at sun.security.x509.X500Name.<init>(X500Name.java:165)
              at javax.security.auth.x500.X500Principal.<init>(X500Principal.java:167)
              ... 13 more

      REPRODUCIBILITY :
      This bug can be reproduced always.

      CUSTOMER SUBMITTED WORKAROUND :
      Remove the quotes from the examples in the java.security file
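
A pre-deployment check for the two properties named in this report, as an added example that is not code from the JDK or from the reporter: it loads java.security-style text with java.util.Properties and tries each OCSP responder name as an X500Principal, which is where the quoted value fails. The class name OcspResponderNameCheck and the sample lines are assumptions constructed for illustration.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.Properties;
import javax.security.auth.x500.X500Principal;

public class OcspResponderNameCheck {  // hypothetical class name
    // java.security properties whose values are parsed as X.500 distinguished names.
    static final String[] DN_PROPERTIES = {
        "ocsp.responderCertSubjectName",
        "ocsp.responderCertIssuerName"
    };

    /** Returns null if the property is unset or parses as a DN, else a problem description. */
    static String check(Properties props, String key) {
        String value = props.getProperty(key);
        if (value == null) {
            return null; // property not configured, nothing to validate
        }
        try {
            new X500Principal(value); // same parse the OCSP checker performs on the value
            return null;
        } catch (IllegalArgumentException e) {
            // Properties keeps quote characters as part of the value; flag that case explicitly.
            String hint = value.startsWith("\"") ? " [value starts with a literal quote]" : "";
            return key + ": " + e.getMessage() + hint;
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample input: the shipped (quoted) example and the corrected form.
        String[] samples = {
            "ocsp.responderCertSubjectName=\"CN=OCSP Responder, O=XYZ Corp\"\n",
            "ocsp.responderCertSubjectName=CN=OCSP Responder, O=XYZ Corp\n"
        };
        for (String text : samples) {
            Properties props = new Properties();
            props.load(new StringReader(text)); // commas and spaces survive without quoting
            for (String key : DN_PROPERTIES) {
                String problem = check(props, key);
                if (props.getProperty(key) != null) {
                    System.out.println(problem == null ? key + ": OK" : "REJECTED " + problem);
                }
            }
        }
    }
}
```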

            mullan Sean Mullan
            coffeys Sean Coffey