JDK-6945145 : PKIX path validation failed: App won't start when offline when using JOGL/Win7
  • Type: Bug
  • Component: deploy
  • Sub-Component: deployment_toolkit
  • Affected Version: 6u10
  • Priority: P2
  • Status: Resolved
  • Resolution: Fixed
  • OS: solaris_8,windows_xp
  • CPU: x86
  • Submitted: 2010-04-19
  • Updated: 2013-09-12
  • Resolved: 2010-10-11
Fixed in:
  • JDK 6: 6u23 b02 (Fixed)
  • JDK 7: 7 (Fixed)
Description
FULL PRODUCT VERSION :
1.6.0_18-b07

ADDITIONAL OS VERSION INFORMATION :
Windows 7

A DESCRIPTION OF THE PROBLEM :
An application using Java Web Start fails to start when offline when the jnlp file has the JOGL extension, on Windows 7 machines. This is similar to earlier bugs but this is only failing on Windows 7. It works fine with other OSes (Linux, Mac, and even WinXP) but fails in Windows 7. Also it only fails with the JOGL extension in the jnlp. Without that, it works (after compiling the program not to use 3D). The extension is the element:

<extension name="jogl" href="http://download.java.net/media/jogl/builds/archive/jsr-231-webstart-current/jogl.jnlp"/>

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
If the description above is not enough, I will write a simple example. But just take some jnlp file you use and add the jogl extension above to the resources and you should see the behaviour under a Windows 7 OS.


ERROR MESSAGES/STACK TRACES THAT OCCUR :
sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: java.net.SocketException: Connection reset
    at sun.security.validator.PKIXValidator.doValidate(Unknown Source)
    at sun.security.validator.PKIXValidator.doValidate(Unknown Source)
    at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
    at sun.security.validator.Validator.validate(Unknown Source)
    at sun.security.validator.Validator.validate(Unknown Source)
    at com.sun.deploy.security.TrustDecider.isAllPermissionGranted(Unknown Source)
    at com.sun.javaws.security.AppPolicy.grantUnrestrictedAccess(Unknown Source)
    at com.sun.javaws.LaunchDownload.checkSignedResourcesHelper(Unknown Source)
    at com.sun.javaws.LaunchDownload.checkSignedResources(Unknown Source)
    at com.sun.javaws.Launcher.prepareResources(Unknown Source)
    at com.sun.javaws.Launcher.prepareAllResources(Unknown Source)
    at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
    at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
    at com.sun.javaws.Launcher.launch(Unknown Source)
    at com.sun.javaws.Main.launchApp(Unknown Source)
    at com.sun.javaws.Main.continueInSecureThread(Unknown Source)
    at com.sun.javaws.Main$1.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
Caused by: java.security.cert.CertPathValidatorException: java.net.SocketException: Connection reset
    at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(Unknown Source)
    at sun.security.provider.certpath.PKIXCertPathValidator.doValidate(Unknown Source)
    at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(Unknown Source)
    at java.security.cert.CertPathValidator.validate(Unknown Source)
    ... 18 more
Caused by: java.net.SocketException: Connection reset
    at java.net.SocketInputStream.read(Unknown Source)
    at java.io.BufferedInputStream.fill(Unknown Source)
    at java.io.BufferedInputStream.read1(Unknown Source)
    at java.io.BufferedInputStream.read(Unknown Source)
    at sun.net.www.http.HttpClient.parseHTTPHeader(Unknown Source)
    at sun.net.www.http.HttpClient.parseHTTP(Unknown Source)
    at sun.net.www.http.HttpClient.parseHTTP(Unknown Source)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
    at sun.security.provider.certpath.OCSP.check(Unknown Source)
    at sun.security.provider.certpath.OCSPChecker.check(Unknown Source)
    ... 22 more


REPRODUCIBILITY :
This bug can be reproduced always.

---------- BEGIN SOURCE ----------
I will write something if you need.
---------- END SOURCE ----------

Release Regression From : 6u17
The above release value was the last known release where this 
bug was not reproducible. Since then there has been a regression.

Comments
EVALUATION In 6u18, we added a new security dialog for installing trusted extensions. As part of that change, we verify that the certificate used to sign the extension has not been revoked via OCSP. If there is a network failure connecting to the OCSP server to download revocation information it is supposed to be treated as a non-failure (revocation still passes). However, there is a bug in that logic, and the network timeout is erroneously percolating upwards as an exception.
01-06-2010
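
The soft-fail policy described in the evaluation above, as an added example (not code from the JDK, the deployment toolkit, or this report). It separates an OCSP transport error, like the SocketException in the trace, from a real revocation answer, and on a transport error re-runs the remaining PKIX checks instead of skipping them. The class and method names are hypothetical, and the caller is assumed to have enabled OCSP (for instance through the ocsp.enable security property).

```java
import java.io.IOException;
import java.net.SocketException;
import java.security.GeneralSecurityException;
import java.security.cert.*;
import java.security.cert.CertPathValidatorException.BasicReason;
import java.util.Set;

// Hypothetical helper class; illustrates soft-fail revocation handling only.
public class SoftFailRevocation {

    /** True only when revocation status could not be fetched; never for a REVOKED answer. */
    static boolean isTransportFailure(CertPathValidatorException e) {
        if (e.getReason() == BasicReason.REVOKED) return false;
        for (Throwable t = e.getCause(); t != null; t = t.getCause()) {
            if (t instanceof IOException) return true; // SocketException is an IOException
        }
        return false;
    }

    /** Validate with revocation checking; if the responder is unreachable, repeat all other checks without it. */
    static PKIXCertPathValidatorResult validate(CertPath path, Set<TrustAnchor> anchors)
            throws GeneralSecurityException {
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(true);
        try {
            return (PKIXCertPathValidatorResult) validator.validate(path, params);
        } catch (CertPathValidatorException e) {
            if (!isTransportFailure(e)) throw e;  // revoked, expired, bad signature: hard failure
            // Soft-fail: the first pass stopped at the network error, so run the path
            // again with revocation off to keep signature and validity checks in force.
            params.setRevocationEnabled(false);
            return (PKIXCertPathValidatorResult) validator.validate(path, params);
        }
    }

    public static void main(String[] args) {
        // Constructed exceptions mirroring the cause chain in the stack trace above.
        CertPathValidatorException offline = new CertPathValidatorException(
                "java.net.SocketException: Connection reset",
                new SocketException("Connection reset"));
        CertPathValidatorException revoked = new CertPathValidatorException(
                "Certificate has been revoked", null, null, -1, BasicReason.REVOKED);
        System.out.println("offline treated as soft-fail: " + isTransportFailure(offline));
        System.out.println("revoked treated as soft-fail: " + isTransportFailure(revoked));
    }
}
```

On Java 8 and later, java.security.cert.PKIXRevocationChecker with Option.SOFT_FAIL provides this policy inside the validator, and getSoftFailExceptions() reports which network errors were ignored.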

EVALUATION We need to make code more robust against transient network errors.
26-04-2010

EVALUATION I have tested it using JRE 6u20 on a Windows 7 machine: after running it successfully, I disconnected it from the internet and ran it from the desktop shortcut, and it works fine. I have contacted the submitter and will close this bug.
26-04-2010