United StatesChange Country, Oracle Worldwide Web Sites Communities I am a... I want to...
Bug ID: JDK-6939248 Jarsigner can't extract Extended Key Usage from Timestamp Reply currectly
JDK-6939248 : Jarsigner can't extract Extended Key Usage from Timestamp Reply currectly

Details
Type:
Bug
Submit Date:
2010-03-30
Status:
Resolved
Updated Date:
2011-02-16
Project Name:
JDK
Resolved Date:
2010-04-22
Component:
security-libs
OS:
windows_xp
Sub-Component:
java.security
CPU:
x86
Priority:
P4
Resolution:
Fixed
Affected Versions:
6u18
Fixed Versions:
6u21 (b03)

Related Reports
Backport:

Sub Tasks

Description
FULL PRODUCT VERSION :
java version "1.6.0_18"
Java(TM) SE Runtime Environment (build 1.6.0_18-b07)
Java HotSpot(TM) Client VM (build 16.0-b13, mixed mode, sharing)

ADDITIONAL OS VERSION INFORMATION :
Windows XP SP3

A DESCRIPTION OF THE PROBLEM :
When timestamping a request jarsigner crashes with a null pointer exception:

jarsigner error: java.lang.NullPointerException
java.lang.NullPointerException
        at sun.security.tools.TimestampedSigner.generateTimestampToken(Timestamp
edSigner.java:346)
        at sun.security.tools.TimestampedSigner.generateSignedData(TimestampedSi
gner.java:211)
        at sun.security.tools.SignatureFile$Block.<init>(JarSigner.java:1979)
        at sun.security.tools.SignatureFile.generateBlock(JarSigner.java:1876)
        at sun.security.tools.JarSigner.signJar(JarSigner.java:1024)
        at sun.security.tools.JarSigner.run(JarSigner.java:203)
        at sun.security.tools.JarSigner.main(JarSigner.java:74)

The reason seems to be that line 376/377 extracts the keyPurposes.
keyPurposes = cert.getExtendedKeyUsage();

The keyPurposes variable is null after this statement. The certificate used for timestamping defininitely has the extendedKeyUsage Fields set and it includes the KP_TIMESTAMPING_OID OID.


  To make this reproducible, I captured the network traffic that is sent from the timestamp-server and try to attach the pcap file as well as the certificate used for timestamping.


STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Use jarsigner to sign and timestamp a jar-file with the attached certificate.


EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Jar file gets timestamped correctly, extended key usage can be extracted correctly from the timestamp server reply.
ACTUAL -
see description, jarsigner crashes because the extended key usage field can't be extracted correctly.

ERROR MESSAGES/STACK TRACES THAT OCCUR :
see description

REPRODUCIBILITY :
This bug can be reproduced always.

CUSTOMER SUBMITTED WORKAROUND :
unknown

                                    

Comments
EVALUATION

Seems we falsely use the first certificate in the response cert chain as the TSA cert. In fact, the chain is encoded as a Set and unordered.
                                     
2010-04-01



Hardware and Software, Engineered to Work Together