JDK-8046538

bad management of multiple CRL distribution point


    • Bug
    • Resolution: Won't Fix
    • P4
    • None
    • 7u55
    • tools

      FULL PRODUCT VERSION :
      java version "1.7.0_55"
      Java(TM) SE Runtime Environment (build 1.7.0_55-b13)
      Java HotSpot(TM) 64-Bit Server VM (build 24.55-b03, mixed mode)

      Java8 is also installed (but disabled):
      java version "1.8.0_05"
      Java(TM) SE Runtime Environment (build 1.8.0_05-b13)
      Java HotSpot(TM) 64-Bit Server VM (build 25.5-b02, mixed mode)



      ADDITIONAL OS VERSION INFORMATION :
      Linux serge-linux 3.11-0.bpo.2-amd64 #1 SMP Debian 3.11.10-1~bpo70+1 (2013-12-17) x86_64 GNU/Linux

      EXTRA RELEVANT SYSTEM CONFIGURATION :
      jre/lib/security/cacerts has been modified in order to add some root CAs

      A DESCRIPTION OF THE PROBLEM :
      In case of multiple CRL distribution points, if the first one requested over the network is invalid (HTTP code 200 but the file is not a valid CRL), then a warning message is displayed about the revocation check. Later, the CRL is visible in the cache (temp files).

      I prepared a web page with a sample:
      http://sp31415.uhostfull.com/bug_submission_oracle/index.html

      STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
      I have made two root CAs and certificate chains with only one difference:
      the URI host order is different.
      I signed two applets.
      Only one is displaying a warning message related to revocation.

      EXPECTED VERSUS ACTUAL BEHAVIOR :
      EXPECTED -
      I may be wrong about how multiple CRL distribution points should be managed, but I expect no message or the same message for the 2 applets.
      ACTUAL -
      I see a message (French): La signature numérique de cette application a été générée avec un certificat provenant d'une autorité de certification sécurisée, mais il est impossible de garantir qu'il n'a pas été revoqué par cette autorité.

      ERROR MESSAGES/STACK TRACES THAT OCCUR :
      Nothing

      REPRODUCIBILITY :
      This bug can be reproduced always.

      ---------- BEGIN SOURCE ----------
      There is no specific Java source code.
      Eventually, code related to certificate generation... but it looks outside the subject.

      It can be tested with this page:
      http://sp31415.uhostfull.com/bug_submission_oracle/index.html
      ---------- END SOURCE ----------

      CUSTOMER SUBMITTED WORKAROUND :
      Have only valid CRL distribution points. But a valid one may not be valid in the future...

            aivanov Alexey Ivanov
            webbuggrp Webbug Group
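
The scenario in this report, as an added example that is neither JDK code nor the reporter's: a client that tries each CRL distribution point in order and moves on when one answers HTTP 200 with a body that is not a DER-encoded CRL. The fetcher signature, host names and sample bodies are assumptions made for the example, and the body check is structural only (no signature, issuer or date validation).

```python
# Added example (not JDK code): try every CRL distribution point in order.
from typing import Callable, List, Tuple

def read_tlv(buf: bytes, pos: int) -> Tuple[int, int, int]:
    """Return (tag, content_start, content_end) for the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length >= 0x80:                       # long-form length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated content")
    return tag, pos, pos + length

def looks_like_der_crl(body: bytes) -> bool:
    """Shape check only: SEQUENCE { SEQUENCE, SEQUENCE, BIT STRING }.
    Signature, issuer and validity dates are NOT verified here."""
    try:
        tag, start, end = read_tlv(body, 0)
        if tag != 0x30 or end != len(body):
            return False
        inner, pos, tags = body[start:end], 0, []
        while pos < len(inner):
            t, _, pos = read_tlv(inner, pos)
            tags.append(t)
        return tags == [0x30, 0x30, 0x03]
    except ValueError:
        return False

def first_usable_crl(urls: List[str], fetch: Callable[[str], Tuple[int, bytes]]):
    """Return (url, body, skipped); url is None if no point gave a usable CRL."""
    skipped = []
    for url in urls:
        try:
            status, body = fetch(url)        # hypothetical fetcher: url -> (status, body)
        except OSError as exc:
            skipped.append((url, "fetch failed: %s" % exc))
            continue
        if status == 200 and looks_like_der_crl(body):
            return url, body, skipped
        skipped.append((url, "HTTP %d, no usable DER CRL in body" % status))
    return None, None, skipped

# Constructed sample data: host names and bodies are made up for this example.
SAMPLE = {"http://crl-a.example/ca.crl": (200, b"<html>Not Found</html>"),
          "http://crl-b.example/ca.crl": (200, bytes.fromhex("300730003000030100"))}
```

Calling `first_usable_crl(list(SAMPLE), SAMPLE.__getitem__)` exercises the "bad point listed first" ordering; reversing the list gives the other ordering from the report, and both select the same CRL.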