JDK-8152942

failure to validate certificate


    • generic
    • generic

      FULL PRODUCT VERSION :
      $ ./java -version
      java version "1.8.0_77"
      Java(TM) SE Runtime Environment (build 1.8.0_77-b03)
      Java HotSpot(TM) 64-Bit Server VM (build 25.77-b03, mixed mode)


      ADDITIONAL OS VERSION INFORMATION :
      Linux casl-s01 3.13.0-83-generic #127-Ubuntu SMP Fri Mar 11 00:25:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux


      A DESCRIPTION OF THE PROBLEM :
      Attempting to launch a web app developed by Commvault Systems Inc., signed by the Entrust Code Signing CA, fails to authenticate.

      The full chain is presented in the certificate viewer. All levels are signed using SHA256withRSA algorithm.

      CN="Commvault Systems, Inc.",
       O="Commvault Systems, Inc.",
       L=Oceanport,
       ST=New Jersey,
       C=US

      SHA1 Fingerprint: C7:1F:E0:09:F6:4C:E8:8C:4D:1C:BA:06:70:B4:D0:1E:26:32:A0:DC

      is signed by

      CN=Entrust Code Signing CA - OVCS1,
       OU="(c) 2015 Entrust, Inc. - for authorized use only",
       OU=See www.entrust.net/legal-terms,
       O="Entrust, Inc.",
       C=US

      SHA1 Fingerprint: 99:5B:8F:2E:A0:FB:7C:1A:C9:CB:2F:70:06:03:31:45:25:3E:97:72

      which is signed by

      CN=Entrust Root Certification Authority - G2,
       OU="(c) 2009 Entrust, Inc. - for authorized use only",
       OU=See www.entrust.net/legal-terms,
       O="Entrust, Inc.",
       C=US

      SHA1 Fingerprint: 8C:F4:27:FD:79:0C:3A:D1:66:06:8D:E8:1E:57:EF:BB:93:22:72:D4

      This cert is included in the Java keystore:

      $ keytool -list -keystore ./jre1.8.0_77/lib/security/cacerts | perl -ne '{print if (/entrust/../Certificate fingerprint/)}'
      Enter keystore password:

      ***************** WARNING WARNING WARNING *****************
      * The integrity of the information stored in your keystore *
      * has NOT been verified! In order to verify its integrity, *
      * you must provide your keystore password. *
      ***************** WARNING WARNING WARNING *****************

      entrustevca, Apr 23, 2010, trustedCertEntry,
      Certificate fingerprint (SHA1): B3:1E:B1:B7:40:E3:6C:84:02:DA:DC:37:D4:4D:F5:D4:67:49:52:F9
      entrustrootcag2, Jun 22, 2010, trustedCertEntry,
      Certificate fingerprint (SHA1): 8C:F4:27:FD:79:0C:3A:D1:66:06:8D:E8:1E:57:EF:BB:93:22:72:D4
      entrustrootcaec1, Mar 23, 2015, trustedCertEntry,
      Certificate fingerprint (SHA1): 20:D8:06:40:DF:9B:25:F5:12:25:3A:11:EA:F7:59:8A:EB:14:B5:47
      entrust2048ca, Jun 22, 2010, trustedCertEntry,
      Certificate fingerprint (SHA1): 50:30:06:09:1D:97:D4:F5:AE:39:F7:CB:E7:92:7D:7D:65:2D:34:31




      REGRESSION. Last worked in version 8u73

      ADDITIONAL REGRESSION INFORMATION:
      WORKS:

      $ ./java -version
      java version "1.8.0_73"
      Java(TM) SE Runtime Environment (build 1.8.0_73-b02)
      Java HotSpot(TM) 64-Bit Server VM (build 25.73-b02, mixed mode)

      BROKEN:

      $ java -version
      java version "1.8.0_74"
      Java(TM) SE Runtime Environment (build 1.8.0_74-b02)
      Java HotSpot(TM) 64-Bit Server VM (build 25.74-b02, mixed mode)


      EXPECTED VERSUS ACTUAL BEHAVIOR :
      EXPECTED -
      This certificate should be validated. It was validated with 1.8.0_73, but was broken in _72 and again in _74.


      ACTUAL -
      Failed to validate certificate.
      The application will not be executed.



      ERROR MESSAGES/STACK TRACES THAT OCCUR :
      java.security.cert.CertificateException: Could not verify signing in resource: https://pgh-commsrv-01.andrew.cmu.edu:443/console//Default.asp?jnlp=galaxyNative.jnlp
      at com.sun.deploy.security.TrustDecider.ensureAllJarEntriesSigned(Unknown Source)
      at com.sun.deploy.security.TrustDecider.getValidationState(Unknown Source)
      at com.sun.deploy.security.TrustDecider.validateChain(Unknown Source)
      at com.sun.deploy.security.TrustDecider.isAllPermissionGrantedInt(Unknown Source)
      at com.sun.deploy.security.TrustDecider.isAllPermissionGranted(Unknown Source)
      at com.sun.javaws.security.AppPolicy.grantUnrestrictedAccess(Unknown Source)
      at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResourcesHelper(Unknown Source)
      at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResources(Unknown Source)
      at com.sun.javaws.Launcher.prepareResources(Unknown Source)
      at com.sun.javaws.Launcher.prepareAllResources(Unknown Source)
      at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
      at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
      at com.sun.javaws.Launcher.launch(Unknown Source)
      at com.sun.javaws.Main.launchApp(Unknown Source)
      at com.sun.javaws.Main.continueInSecureThread(Unknown Source)
      at com.sun.javaws.Main.access$000(Unknown Source)
      at com.sun.javaws.Main$1.run(Unknown Source)
      at java.lang.Thread.run(Thread.java:745)
      Caused by: com.sun.deploy.net.JARSigningException: Could not verify signing in resource: https://pgh-commsrv-01.andrew.cmu.edu:443/console//Default.asp?jnlp=galaxyNative.jnlp
      ... 18 more


      REPRODUCIBILITY :
      This bug can be reproduced always.

      CUSTOMER SUBMITTED WORKAROUND :
      use 1.8.0_73
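The report compares fingerprints by hand and then relies on the Web Start trust decider for a yes/no answer. The following is an added example (not from the report, and not JDK or Commvault code) that performs the same check independently: it reads every entry of the signed JAR so the signer chains are populated, flags unsigned entries (the condition ensureAllJarEntriesSigned rejects), prints each distinct signer chain with its signature algorithm and SHA-1 fingerprint in the same form as the keytool listing above, and then runs the JDK's own PKIX validator against the cacerts file so that a failure is reported with the index and reason of the offending certificate rather than the generic "Could not verify signing" message. The JAR and cacerts paths are command-line arguments, the cacerts password "changeit" is an assumed default, and revocation checking is disabled so the check runs offline; the deploy layer performs further checks beyond this PKIX validation.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.Security;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

// Added example: validates a signed JAR's signer chains against a cacerts file.
// Usage (paths assumed): java JarChainCheck <signed.jar> <jre/lib/security/cacerts>
public class JarChainCheck {

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: java JarChainCheck <signed.jar> <path/to/cacerts>");
            System.exit(2);
        }
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[1])) {
            trust.load(in, "changeit".toCharArray()); // assumed: default cacerts password
        }
        // The PKIX validator applies this security property to every certificate it checks.
        System.out.println("jdk.certpath.disabledAlgorithms = "
                + Security.getProperty("jdk.certpath.disabledAlgorithms"));

        Set<CertPath> chains = new LinkedHashSet<>(); // CertPath.equals() de-duplicates identical chains
        try (JarFile jar = new JarFile(args[0], true)) {  // true: verify signatures while reading
            byte[] buf = new byte[8192];
            Enumeration<JarEntry> en = jar.entries();
            while (en.hasMoreElements()) {
                JarEntry je = en.nextElement();
                if (je.isDirectory() || je.getName().startsWith("META-INF/")) continue;
                try (InputStream in = jar.getInputStream(je)) {
                    while (in.read(buf) != -1) { } // signers are only known once the entry is fully read
                }
                CodeSigner[] signers = je.getCodeSigners();
                if (signers == null) {
                    System.out.println("UNSIGNED entry: " + je.getName());
                    continue;
                }
                for (CodeSigner s : signers) chains.add(s.getSignerCertPath());
            }
        }
        if (chains.isEmpty()) {
            System.out.println("no signed entries found");
            return;
        }
        for (CertPath p : chains) {
            System.out.println("signer chain:");
            for (Certificate c : p.getCertificates()) {
                X509Certificate x = (X509Certificate) c;
                System.out.println("  " + x.getSubjectX500Principal()
                        + "\n    sigAlg=" + x.getSigAlgName()
                        + "  SHA1=" + fingerprint(x, "SHA-1"));
            }
            validate(p, trust);
        }
    }

    // Runs the JDK PKIX validator with cacerts' trusted entries as anchors.
    static void validate(CertPath path, KeyStore trust) throws Exception {
        List<X509Certificate> certs = new ArrayList<>();
        for (Certificate c : path.getCertificates()) certs.add((X509Certificate) c);
        // PKIX expects the anchor outside the path: drop a trailing cert that is itself a trusted entry.
        X509Certificate last = certs.get(certs.size() - 1);
        if (certs.size() > 1 && trust.getCertificateAlias(last) != null) {
            certs.remove(certs.size() - 1);
        }
        CertPath trimmed = CertificateFactory.getInstance("X.509").generateCertPath(certs);
        PKIXParameters params = new PKIXParameters(trust);
        params.setRevocationEnabled(false); // offline check; revocation is a separate question
        try {
            PKIXCertPathValidatorResult r = (PKIXCertPathValidatorResult)
                    CertPathValidator.getInstance("PKIX").validate(trimmed, params);
            System.out.println("  PKIX OK, anchored at "
                    + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        } catch (CertPathValidatorException e) {
            // index is the position in the path of the certificate that failed (-1 if not specific)
            System.out.println("  PKIX FAILED at index " + e.getIndex()
                    + " (" + e.getReason() + "): " + e.getMessage());
        }
    }

    // Colon-separated upper-case hex digest of the DER encoding, matching keytool's fingerprint format.
    static String fingerprint(X509Certificate c, String alg) throws Exception {
        byte[] d = MessageDigest.getInstance(alg).digest(c.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < d.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", d[i]));
        }
        return sb.toString();
    }
}
```

Run it once with the 8u73 cacerts and once with the 8u74/8u77 cacerts against the same JAR: if the chain prints identically but the PKIX result differs, the reason and index from CertPathValidatorException narrow the problem to a specific certificate and check, which the Web Start stack trace above does not reveal.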

            pardesha Pardeep Sharma
            webbuggrp Webbug Group