JDK-7174966 : With OCSP enabled on Java 7 get error 'Wrong key usage' with Comodo certificate

Details
Type: Bug
Submit Date: 2012-06-07
Status: Closed
Updated Date: 2013-07-05
Project Name: JDK
Resolved Date: 2013-05-29
Component: security-libs
OS: generic,windows_7
Sub-Component: java.security
CPU: x86,generic
Priority: P3
Resolution: Fixed
Affected Versions: 6u35,7,7u10,7u25,8
Fixed Versions: 7u40 (b28)

Related Reports
Backport:
Backport:
Relates:

Sub Tasks

Description
FULL PRODUCT VERSION :
java version "1.7.0_04"
Java(TM) SE Runtime Environment (build 1.7.0_04-b22)
Java HotSpot(TM) Client VM (build 23.0-b21, mixed mode, sharing)

ADDITIONAL OS VERSION INFORMATION :
Microsoft Windows [Version 6.1.7601]

A DESCRIPTION OF THE PROBLEM :

With OCSP enabled in Java 7 you get an error when you try to load a page containing our Java applet signed with a Comodo certificate. I tested this with the first release of Java 7 and Java 7 update 4. Both exhibit the same behavior.

With Java 6 update 32 it works as expected.

Analyzing the OCSP traffic indicates that the OCSP response was successful.

Comodo has this to say:
--------------------------------
It appears that Java is not following RFC 2560, which defines how all OCSP responses are to be digitally signed. [ http://www.rfc-editor.org/rfc/rfc2560.txt ; Page 2 ] It says:
" All definitive response messages SHALL be digitally signed. The key
   used to sign the response MUST belong to one of the following:

   -- the CA who issued the certificate in question
   -- a Trusted Responder whose public key is trusted by the requester
   -- a CA Designated Responder (Authorized Responder) who holds a
      specially marked certificate issued directly by the CA, indicating
      that the responder may issue OCSP responses for that CA "

We use the first option of "the CA who issued the certificate in question" but most other CAs such as Verisign (Symantec, Thawte, GeoTrust) and Entrust use the last one "a CA Designated Responder (Authorized Responder) who holds a specially marked certificate issued directly by the CA, indicating that the responder may issue OCSP responses for that CA", whereas Java should be supporting all three to be RFC-compliant.
--------------------------------


REGRESSION.  Last worked in version 6u31

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
1. Install any JRE version 7 release.
2. Enable OCSP in Java Control Panel: Click Advanced tab, expand Security, expand General, check Enable Online Certificate Validation.
3. Make an HTML file with the following:
<html>
	<head>
	</head>
	<body>
		<applet code="NonExistingClass" archive="https://www.docuvantageondemand.com/DropZone_Applet/DVStoreDropZone.jar"></applet>
	</body>
</html>

4. Open the HTML file in a browser.




EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
You should get the prompt asking you to trust the certificate in question. Here is the detail:
--------------
The application's digital signature has been verified. Do you want to run the application?

Name: NonExistingClass
Publisher: Document Advantage Corporation
  From: https://www.docuvantageondemand.com
--------------



ACTUAL -
Get an error dialog with this text:
The publisher cannot be verified by a trusted source.
Code will be treated as unsigned.

Name: NonExistingClass
ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: java.security.InvalidKeyException: Wrong key usage



ERROR MESSAGES/STACK TRACES THAT OCCUR :
sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: java.security.InvalidKeyException: Wrong key usage
	at sun.security.validator.PKIXValidator.doValidate(Unknown Source)
	at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
	at sun.security.validator.Validator.validate(Unknown Source)
	at sun.security.validator.Validator.validate(Unknown Source)
	at sun.security.validator.Validator.validate(Unknown Source)
	at com.sun.deploy.security.TrustDecider.validateChain(Unknown Source)
	at com.sun.deploy.security.TrustDecider.isAllPermissionGranted(Unknown Source)
	at sun.plugin2.applet.Plugin2ClassLoader.isTrustedByTrustDecider(Unknown Source)
	at sun.plugin2.applet.Plugin2ClassLoader.getTrustedCodeSources(Unknown Source)
	at com.sun.deploy.security.CPCallbackHandler$ParentCallback.strategy(Unknown Source)
	at com.sun.deploy.security.CPCallbackHandler$ParentCallback.openClassPathElement(Unknown Source)
	at com.sun.deploy.security.DeployURLClassPath$JarLoader.getJarFile(Unknown Source)
	at com.sun.deploy.security.DeployURLClassPath$JarLoader.access$1000(Unknown Source)
	at com.sun.deploy.security.DeployURLClassPath$JarLoader$1.run(Unknown Source)
	at java.security.AccessController.doPrivileged(Native Method)
	at com.sun.deploy.security.DeployURLClassPath$JarLoader.ensureOpen(Unknown Source)
	at com.sun.deploy.security.DeployURLClassPath$JarLoader.<init>(Unknown Source)
	at com.sun.deploy.security.DeployURLClassPath$3.run(Unknown Source)
	at java.security.AccessController.doPrivileged(Native Method)
	at com.sun.deploy.security.DeployURLClassPath.getLoader(Unknown Source)
	at com.sun.deploy.security.DeployURLClassPath.getLoader(Unknown Source)
	at com.sun.deploy.security.DeployURLClassPath.getResource(Unknown Source)
	at sun.plugin2.applet.Plugin2ClassLoader$2.run(Unknown Source)
	at java.security.AccessController.doPrivileged(Native Method)
	at sun.plugin2.applet.Plugin2ClassLoader.findClassHelper(Unknown Source)
	at sun.plugin2.applet.Applet2ClassLoader.findClass(Unknown Source)
	at sun.plugin2.applet.Plugin2ClassLoader.loadClass0(Unknown Source)
	at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
	at sun.plugin2.applet.Plugin2ClassLoader.loadClass0(Unknown Source)
	at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
	at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
	at java.lang.ClassLoader.loadClass(Unknown Source)
	at sun.plugin2.applet.Plugin2ClassLoader.loadCode(Unknown Source)
	at sun.plugin2.applet.Plugin2Manager.initAppletAdapter(Unknown Source)
	at sun.plugin2.applet.Plugin2Manager$AppletExecutionRunnable.run(Unknown Source)
	at java.lang.Thread.run(Unknown Source)
Caused by: java.security.cert.CertPathValidatorException: java.security.InvalidKeyException: Wrong key usage
	at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(Unknown Source)
	at sun.security.provider.certpath.PKIXCertPathValidator.doValidate(Unknown Source)
	at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(Unknown Source)
	at java.security.cert.CertPathValidator.validate(Unknown Source)
	... 36 more
Caused by: java.security.InvalidKeyException: Wrong key usage
	at java.security.Signature.initVerify(Unknown Source)
	at sun.security.provider.certpath.OCSPResponse.verifyResponse(Unknown Source)
	at sun.security.provider.certpath.OCSPResponse.<init>(Unknown Source)
	at sun.security.provider.certpath.OCSP.check(Unknown Source)
	at sun.security.provider.certpath.OCSPChecker.check(Unknown Source)
	... 40 more


REPRODUCIBILITY :
This bug can be reproduced always.

---------- BEGIN SOURCE ----------
The problem lies with the signing certificate that was used so this does not apply.
---------- END SOURCE ----------

CUSTOMER SUBMITTED WORKAROUND :
Uninstall Java 7 and install Java 6 update 32.
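The innermost frame of the stack trace above is Signature.initVerify, and the message "Wrong key usage" is the one the JDK's Signature.initVerify(Certificate) overload throws when the certificate carries a critical KeyUsage extension whose digitalSignature bit is clear. A CA certificate that signs OCSP responses directly (the first RFC 2560 option Comodo describes) commonly has only keyCertSign and cRLSign set, so handing that certificate to initVerify(Certificate) rejects the response before the signature is even checked; initVerify(PublicKey) performs no such check. The program below is an added example, not code from the JDK, from the reporter, or from the fix linked in the comments: it walks the JRE's default trust anchors (used only as a convenient offline supply of real CA certificates; they are not themselves the OCSP signers for any leaf) and shows, for every anchor whose critical KeyUsage omits digitalSignature, that initVerify(X509Certificate) rejects it while initVerify(PublicKey) accepts the same key. It also carries a responder-authorization check for the three RFC 2560 signer cases and a response-signature verifier built on the public key. The class and method names, the use of the default trust store, and the choice of SHA256withRSA / SHA256withECDSA are this example's own assumptions; it does not fetch or parse a real OCSP response.

```java
import java.security.InvalidKeyException;
import java.security.KeyStore;
import java.security.PublicKey;
import java.security.Signature;
import java.security.cert.CertPathValidatorException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;
import java.util.Set;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Added example (not JDK code): why a CA-signed OCSP response trips "Wrong key usage". */
public class OcspSignerKeyUsage {

    static final String KEY_USAGE_OID = "2.5.29.15";              // id-ce-keyUsage
    static final String ID_KP_OCSP_SIGNING = "1.3.6.1.5.5.7.3.9"; // EKU of a delegated responder

    /** True when the cert has a critical KeyUsage extension with digitalSignature (bit 0) clear.
     *  This is the exact condition under which Signature.initVerify(Certificate) throws
     *  InvalidKeyException("Wrong key usage"); CA certs with only keyCertSign/cRLSign match it. */
    static boolean criticalKeyUsageWithoutDigitalSignature(X509Certificate cert) {
        Set<String> critical = cert.getCriticalExtensionOIDs();
        boolean[] ku = cert.getKeyUsage();
        return critical != null && critical.contains(KEY_USAGE_OID) && ku != null && !ku[0];
    }

    static boolean sameKey(PublicKey a, PublicKey b) {
        return Arrays.equals(a.getEncoded(), b.getEncoded());
    }

    /** Is signer allowed to sign responses for certs issued by issuerCert? (RFC 2560 2.2 / 4.2.2.2)
     *  Validity period and revocation status of the signer's own cert are out of scope here. */
    static String responderKind(X509Certificate issuerCert, X509Certificate signer,
                                Collection<PublicKey> trustedResponderKeys) throws Exception {
        // Option 1: the CA that issued the certificate in question signs responses itself.
        if (sameKey(signer.getPublicKey(), issuerCert.getPublicKey())) {
            return "CA itself";
        }
        // Option 2: a responder whose key the relying party trusts out of band.
        for (PublicKey k : trustedResponderKeys) {
            if (sameKey(k, signer.getPublicKey())) return "trusted responder";
        }
        // Option 3: a designated responder, issued directly by the CA and marked id-kp-OCSPSigning.
        List<String> eku = signer.getExtendedKeyUsage();
        if (eku != null && eku.contains(ID_KP_OCSP_SIGNING)
                && signer.getIssuerX500Principal().equals(issuerCert.getSubjectX500Principal())) {
            signer.verify(issuerCert.getPublicKey()); // throws unless the CA really issued it
            return "authorized responder";
        }
        throw new CertPathValidatorException("OCSP responder is not authorized for this CA");
    }

    /** Verify the signature over tbsResponseData. initVerify(PublicKey) skips the
     *  KeyUsage/digitalSignature check that initVerify(Certificate) applies, which is wrong for
     *  option 1 above; who may sign is decided in responderKind(), not by the signature primitive. */
    static boolean verifyResponseSignature(String sigAlg, byte[] tbsResponseData,
                                           byte[] signature, X509Certificate signer) throws Exception {
        Signature s = Signature.getInstance(sigAlg);
        s.initVerify(signer.getPublicKey());
        s.update(tbsResponseData);
        return s.verify(signature);
    }

    /** JCA algorithm matching the key type; null for key types this example does not cover. */
    static String sigAlgFor(PublicKey key) {
        if ("RSA".equals(key.getAlgorithm())) return "SHA256withRSA";
        if ("EC".equals(key.getAlgorithm())) return "SHA256withECDSA";
        return null;
    }

    public static void main(String[] args) throws Exception {
        // Input: the JRE's default trust anchors. No network access, no fabricated certificates.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        int rejected = 0, total = 0;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (!(tm instanceof X509TrustManager)) continue;
            for (X509Certificate ca : ((X509TrustManager) tm).getAcceptedIssuers()) {
                String alg = sigAlgFor(ca.getPublicKey());
                if (alg == null) continue;
                total++;
                String viaCert;
                try {
                    Signature.getInstance(alg).initVerify(ca);           // the overload in the trace above
                    viaCert = "accepted";
                } catch (InvalidKeyException e) {
                    viaCert = "rejected (" + e.getMessage() + ")";
                    rejected++;
                }
                Signature.getInstance(alg).initVerify(ca.getPublicKey()); // never fails on KeyUsage
                if (criticalKeyUsageWithoutDigitalSignature(ca)) {
                    System.out.println(ca.getSubjectX500Principal() + ": initVerify(cert) " + viaCert
                            + "; initVerify(key) accepted");
                }
            }
        }
        System.out.println(rejected + " of " + total + " trust anchors would be refused as OCSP signers by initVerify(cert)");
    }
}
```

Compile with javac and run with java; every trust anchor whose critical KeyUsage omits digitalSignature prints as rejected by initVerify(cert) and accepted by initVerify(key), which is the asymmetry behind this report. Anchors that do set digitalSignature pass both calls and are not listed.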

                                    

Comments
The following test case fails with JDK 7:

CertPath/CertPathValidatorTest/OCSP_comodo.com

Log: http://stt-13.ru.oracle.com/results/1.7.0_10/b13/security/solaris10-x64-32/solaris10-x64-32_13A94F20AE7/ResultDir/OCSP_comodo.com/OCSP_comodo.com.log

This test case was added for interop testing with real CAs (see INTJDK-7200462 for more details)
                                     
2012-10-26
The following test fails with JDK 6u35 b10:

CertPath/CertPathValidatorTest/OCSP_comodo.com

Log: http://aurora-ds.ru.oracle.com:9500/runs/124246.ManualSubmit-1/ResultDir/OCSP_comodo.com/OCSP_comodo.com.log


                                     
2012-11-13
Also affected 

CertPath/CertPathValidatorTest/OCSP#OCSP_comodo.com 
JDK 7u10 b13 armvfp
                                     
2012-11-15
Is this needed for 7u10? Please add a comment.
                                     
2012-11-19
I think it is too late for 7u10
                                     
2012-11-20
I cannot reproduce this issue using the instructions above. The URL cited in the instructions uses a GeoTrust cert rather than a Comodo cert.
This is not a showstopper for 7u10. It was first reported against 7u4.
                                     
2012-11-21
Maybe I was wrong, but the error looks like the error in the comment added on 2012-11-13:
http://aurora-ds.ru.oracle.com:9500/runs/119470.JAVASE.PROMOTION.ALL-447/results/ResultDir/OCSP_comodo.com/OCSP_comodo.com.log
                                     
2012-11-20
SQE is OK to defer it to 7u12/6u40
                                     
2012-11-21
Vincent,

To reproduce the failure, please try the following:

cp -r /net/stt-13/export/home0/testsuites/170_int_ws/security/src/CertPath/CertPathValidatorTest/OCSP/testcase/ .
cp -r /net/stt-13/export/home0/testsuites/170_int_ws/security/src/CertPath/CertPathValidatorTest/OCSP/data/ .
cp -r /net/stt-13/export/home0/testsuites/170_int_ws/security/src/CertPath/CertPathValidatorTest/OCSP/TestOCSP.java .
javac TestOCSP.java
java TestOCSP testcase/comodo.com/good

I reproduced it on 7u9 b05:

========================================================
TEST_CASE: testcase/comodo.com/good
========================================================
PROXY_HOST:www-proxy.us.oracle.com
PROXY_PORT:80
OCSP_ENABLE:true
OCSP_RESPONDER_URL:http://ocsp.comodoca.com
OCSP_RESPONDER_CERT_SUBJECT_NAME:CN=COMODO Extended Validation Secure Server CA, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB
OCSP_RESPONDER_CERT_ISSUER_NAME:CN=COMODO Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB
OCSP_RESPONDER_CERT_SERIAL_NUMBER:23446887702680994416037986387975286594
TRUSTED_ROOT:./data/comodo.com/trusted_cert.pem
EE_CERT:./data/comodo.com/good_cert.pem
EXPECTED_EXCEPTION:null
========================================================
Got an exception:
java.security.cert.CertPathValidatorException: java.security.InvalidKeyException: Wrong key usage

TEST_RESULT: FAIL
java.security.cert.CertPathValidatorException: java.security.InvalidKeyException: Wrong key usage
	at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:159)
	at sun.security.provider.certpath.PKIXCertPathValidator.doValidate(PKIXCertPathValidator.java:351)
	at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:191)
	at java.security.cert.CertPathValidator.validate(CertPathValidator.java:279)
	at TestOCSP.run(TestOCSP.java:219)
	at TestOCSP.main(TestOCSP.java:57)
Caused by: java.security.InvalidKeyException: Wrong key usage
	at java.security.Signature.initVerify(Signature.java:490)
	at sun.security.provider.certpath.OCSPResponse.verifyResponse(OCSPResponse.java:524)
	at sun.security.provider.certpath.OCSPResponse.<init>(OCSPResponse.java:494)
	at sun.security.provider.certpath.OCSP.check(OCSP.java:261)
	at sun.security.provider.certpath.OCSPChecker.check(OCSPChecker.java:368)
	at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:133)
	... 5 more

                                     
2012-11-22
CertPath/CertPathValidatorTest/OCSP_verisign.com failed in JDK7u12 JFR PIT b01

See log : http://aurora-ds.ru.oracle.com:9500/runs/127602.CORELIBS-JDK8-PROMOTION-SQE-4/results/ResultDir/OCSP_verisign.com/OCSP_verisign.com.log

Got Exception:
java.security.cert.CertPathValidatorException: java.security.InvalidKeyException: Wrong key usage

TEST_RESULT: FAIL
java.security.cert.CertPathValidatorException: java.security.InvalidKeyException: Wrong key usage
	at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:159)
	at sun.security.provider.certpath.PKIXCertPathValidator.doValidate(PKIXCertPathValidator.java:351)
	at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:191)
	at java.security.cert.CertPathValidator.validate(CertPathValidator.java:279)
	at TestOCSP.run(TestOCSP.java:219)
	at TestOCSP.main(TestOCSP.java:57)
Caused by: java.security.InvalidKeyException: Wrong key usage
	at java.security.Signature.initVerify(Signature.java:490)
	at sun.security.provider.certpath.OCSPResponse.verifyResponse(OCSPResponse.java:524)
	at sun.security.provider.certpath.OCSPResponse.<init>(OCSPResponse.java:494)
	at sun.security.provider.certpath.OCSP.check(OCSP.java:261)
	at sun.security.provider.certpath.OCSPChecker.check(OCSPChecker.java:368)
	at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:133)
	... 5 more

                                     
2012-12-04
CertPath/CertPathValidatorTest/OCSP_comodo.com failed with 7u15 nightly
http://aurora-ds.ru.oracle.com:9500/runs/163035.CORELIBS-JDK8-NIGHTLY-SQE-4/results/ResultDir/OCSP_comodo.com/OCSP_comodo.com.log
                                     
2013-02-05
OCSP revocation checking fails with Entrust SSL certificates. Affected tests:

CertPath/CertPathValidatorTest/OCSP_entrust.net_valid
CertPath/CertPathValidatorTest/OCSP_entrust.net_revoked
                                     
2013-05-23
URL:   http://hg.openjdk.java.net/jdk7u/jdk7u-dev/jdk/rev/d61d06e30d0b
User:  vinnie
Date:  2013-05-29 19:12:36 +0000

                                     
2013-05-29
URL:   http://hg.openjdk.java.net/jdk7u/jdk7u/jdk/rev/d61d06e30d0b
User:  lana
Date:  2013-06-03 19:46:42 +0000

                                     
2013-06-03
Affected tests passed on 7u40 b31

CertPath/CertPathValidatorTest/OCSP_verisign.com
CertPath/CertPathValidatorTest/OCSP_comodo.com
CertPath/CertPathValidatorTest/OCSP_entrust.net_valid 
CertPath/CertPathValidatorTest/OCSP_entrust.net_revoked

Report: http://aurora-ds.us.oracle.com:9500/runs/245702.ute.st2-1/results/tonga.output/Summary.report
                                     
2013-07-05


