JDK-5056088 : REGRESSION: Java Web Start can't start downloaded application

Details
Type: Bug
Submit Date: 2004-06-02
Status: Closed
Updated Date: 2004-06-03
Project Name: JDK
Resolved Date: 2004-06-03
Component: deploy
OS: windows_xp
Sub-Component: webstart
CPU: x86
Priority: P3
Resolution: Not an Issue
Affected Versions: 5.0
Fixed Versions:

Description
Name: gm110360			Date: 06/01/2004


FULL PRODUCT VERSION :
JDK1.5.0-beta2-b51

ADDITIONAL OS VERSION INFORMATION :
Microsoft Windows XP [Version 5.1.2600]

A DESCRIPTION OF THE PROBLEM :
Java Web Start in JDK1.5.0-beta2 is unable to start an application that works perfectly well in Java 1.4.2.

The application in question uses the all-permissions JNLP tag and as such is signed. It seems that something about the signatures on the Jars is causing WebStart to break.

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
1) open a link for a signed JWS application that requires all-permissions
2) wait for application to download
3) Web Start will say "starting application..."

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Application starts
ACTUAL -
Watched it pop up a warning dialog saying "Failed to validate certificate. This application will not be run."

ERROR MESSAGES/STACK TRACES THAT OCCUR :
 "Failed to validate certificate. This application will not be run."

Exception was:
java.security.cert.CertificateException: Check leaf key usage failed in certificate
        at com.sun.deploy.security.CertUtils.checkUsageForCodeSigning (Unknown source)
        ...

There's no way to copy the exception from the exception dialog, so I've had to type the exception fragment in.

REPRODUCIBILITY :
This bug can be reproduced always.

Release Regression From : 1.4.2
The above release value was the last known release where this 
bug was known to work. Since then there has been a regression.

(Incident Review ID: 275416) 
======================================================================

                                    

Comments
EVALUATION

The exception is caused by the check in CertUtils.java, method checkLeafKeyUsageForCodeSigning. We do a check on:

    // Reject the leaf certificate unless its extended key usage
    // includes "any usage" or "code signing".
    if (extKeyUsageInfo.contains(OID_EKU_ANY_USAGE) == false &&
        extKeyUsageInfo.contains(OID_EKU_CODE_SIGNING) == false)
    {
        Trace.msgSecurityPrintln("trustdecider.check.leafkeyusage.extkeyusageinfo");
        return false;
    }

It returned false here because the extKeyUsageInfo does not contain OID_EKU_ANY_USAGE and OID_EKU_CODE_SIGNING.  It only contains OID_EKU_SERVER_AUTH and OID_EKU_CLIENT_AUTH.  Therefore the exception is thrown.

We do not have such a check in 1.4.2 Java Web Start.


###@###.### 2004-06-02

The problem is that the application jar is signed with a server certificate.  It should be signed with a code signing certificate instead.


###@###.### 2004-06-02
                                     
2004-06-02
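Added example (not Web Start's own code, and not part of the original report): a stand-alone pre-deployment check that reads a signed JAR with the standard java.util.jar and java.security.cert APIs and lists the leaf signer certificates whose extended key usage would fail the test quoted in the evaluation. The class name JarEkuCheck and its method names are hypothetical, and treating an absent EKU extension as unrestricted is an assumption taken from RFC 5280, not from the CertUtils source.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.X509Certificate;
import java.util.*;
import java.util.jar.*;

public class JarEkuCheck {
    static final String ANY_USAGE    = "2.5.29.37.0";       // anyExtendedKeyUsage
    static final String CODE_SIGNING = "1.3.6.1.5.5.7.3.3"; // id-kp-codeSigning
    static final String SERVER_AUTH  = "1.3.6.1.5.5.7.3.1"; // id-kp-serverAuth
    static final String CLIENT_AUTH  = "1.3.6.1.5.5.7.3.2"; // id-kp-clientAuth

    // Assumption: a null list (no EKU extension) means no restriction, per RFC 5280.
    static boolean permitsCodeSigning(List<String> eku) {
        return eku == null || eku.contains(ANY_USAGE) || eku.contains(CODE_SIGNING);
    }

    // Returns subject DNs of leaf signer certificates whose EKU excludes code signing.
    static Set<String> rejectedSigners(String jarPath) throws Exception {
        Set<String> rejected = new TreeSet<>();
        try (JarFile jar = new JarFile(jarPath, true)) {
            for (JarEntry e : Collections.list(jar.entries())) {
                if (e.isDirectory()) continue;
                try (InputStream in = jar.getInputStream(e)) {
                    in.readAllBytes(); // signers are only available after a full read
                }
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null) continue; // unsigned entry or signature file
                for (CodeSigner s : signers) {
                    X509Certificate leaf = (X509Certificate) s.getSignerCertPath().getCertificates().get(0);
                    if (!permitsCodeSigning(leaf.getExtendedKeyUsage()))
                        rejected.add(leaf.getSubjectX500Principal().getName());
                }
            }
        }
        return rejected;
    }

    public static void main(String[] args) throws Exception {
        if (args.length == 1) {
            System.out.println("Signers lacking code-signing EKU: " + rejectedSigners(args[0]));
            return;
        }
        // Constructed sample: the EKU set described in the evaluation above.
        System.out.println("serverAuth+clientAuth: " + permitsCodeSigning(List.of(SERVER_AUTH, CLIENT_AUTH)));
        System.out.println("codeSigning: " + permitsCodeSigning(List.of(CODE_SIGNING)));
        System.out.println("no EKU extension: " + permitsCodeSigning(null));
    }
}
```

Run with a JAR path as the single argument to check a real artifact; with no arguments it evaluates the constructed EKU sets only. It requires Java 9 or later for List.of and readAllBytes.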


