JDK-7197652 : Impossible to run any signed JNLP applications or applets, OCSP off by default

Details
Type: Bug
Submit Date: 2012-09-11
Status: Closed
Updated Date: 2015-10-14
Project Name: JDK
Resolved Date: 2012-12-13
Component: security-libs
OS: generic,windows_7
Sub-Component: java.security
CPU: generic,x86
Priority: P2
Resolution: Fixed
Affected Versions: 7,7u7,8
Fixed Versions: 7u40 (b08)

Description
FULL PRODUCT VERSION :
Java 1.7 update 7

ADDITIONAL OS VERSION INFORMATION :
Windows 7 64 bits

A DESCRIPTION OF THE PROBLEM :
OCSP was enabled by default until Java 1.6. Now, it is disabled by default. When I try to run a signed applet or a signed application, it simply fails.

REGRESSION.  Last worked in version 6u31

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Go to http://jogamp.org/deployment/jogamp-current/jogl-demos/jogl-newt-applet-runner-gears.html

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
The famous Gears demo works.
ACTUAL -
You can see the actual result here: http://forum.jogamp.org/file/n4026082/jogamp-cert-key-7.png

Someone else has a similar problem with SKT editor here: http://www.java.net/forum/topic/jdk/java-se-snapshots-project-feedback/os-x-jdk-7u6-will-not-run-signed-jnlp-apps



ERROR MESSAGES/STACK TRACES THAT OCCUR :
java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: java.security.InvalidKeyException: Wrong key usage
at com.sun.deploy.security.TrustDecider.doCheckRevocationStatus(Unknown Source)
at com.sun.deploy.security.TrustDecider.validateChain(Unknown Source)
at com.sun.deploy.security.TrustDecider.isAllPermissionGranted(Unknown Source)
at com.sun.javaws.security.AppPolicy.grantUnrestrictedAccess(Unknown Source)
at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResourcesHelper(Unknown Source)
at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResources(Unknown Source)
at com.sun.javaws.Launcher.prepareResources(Unknown Source)
at com.sun.javaws.Launcher.prepareAllResources(Unknown Source)
at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
at com.sun.javaws.Launcher.launch(Unknown Source)
at com.sun.javaws.Main.launchApp(Unknown Source)
at com.sun.javaws.Main.continueInSecureThread(Unknown Source)
at com.sun.javaws.Main.access$000(Unknown Source)
at com.sun.javaws.Main$1.run(Unknown Source)
at java.lang.Thread.run(Thread.java:722)
Caused by: java.security.cert.CertPathValidatorException: java.security.InvalidKeyException: Wrong key usage
at sun.security.provider.certpath.OCSPResponse.verifyResponse(OCSPResponse.java:541)
at sun.security.provider.certpath.OCSPResponse.<init>(OCSPResponse.java:494)
at sun.security.provider.certpath.OCSP.check(OCSP.java:261)
at sun.security.provider.certpath.OCSP.check(OCSP.java:165)
at sun.security.provider.certpath.OCSP.check(OCSP.java:130)
at com.sun.deploy.security.TrustDecider.doOCSPEEValidation(Unknown Source)
... 16 more
Caused by: java.security.InvalidKeyException: Wrong key usage
at java.security.Signature.initVerify(Signature.java:490)
at sun.security.provider.certpath.OCSPResponse.verifyResponse(OCSPResponse.java:524)
... 21 more

REPRODUCIBILITY :
This bug can be reproduced always.

---------- BEGIN SOURCE ----------
https://github.com/sgothel/jogl-demos/blob/master/src/demos/gears/Gears.java
---------- END SOURCE ----------

CUSTOMER SUBMITTED WORKAROUND :
Open the Java Control Panel and go to System Preferences > Other > Java > Advanced > "Enable online certificate validation" (the end users should not have to do this by default, it is really annoying).

                                    

Comments
URL:   http://hg.openjdk.java.net/jdk7u/jdk7u/jdk/rev/d2cb9e7a0e52
User:  lana
Date:  2012-12-28 18:30:44 +0000

                                     
2012-12-28
URL:   http://hg.openjdk.java.net/jdk7u/jdk7u-dev/jdk/rev/d2cb9e7a0e52
User:  vinnie
Date:  2012-12-13 15:31:53 +0000

                                     
2012-12-13
EVALUATION

Address the root cause. The root cause is described in CR 7197652.
                                     
2012-09-20
WORK AROUND

Open the Java Control Panel and go to System Preferences > Other > Java > Advanced > "Enable online certificate validation"

or 

In the deployment.properties file set deployment.security.validation.ocsp=true
                                     
2012-09-18
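
The deployment.properties workaround above, as an added example that is not part of the original bug report or any Oracle tooling: a POSIX shell helper that reports the current value of deployment.security.validation.ocsp in a given file and sets it to true without disturbing other entries. The function names and the path argument are assumptions; pass the path of the deployment.properties file used on your system.

```shell
#!/bin/sh
# Added example: audit and apply the OCSP workaround in a deployment.properties file.
# Function names and the path argument are assumptions, not part of any Oracle tool.
KEY='deployment.security.validation.ocsp'
# Java properties allow "key=value", "key = value" and "key:value".
KEY_RE='^[[:space:]]*deployment\.security\.validation\.ocsp[[:space:]]*[=:]'

# Print the last value set for the key, or "unset" if the file or key is absent.
ocsp_state() {
    val=''
    if [ -f "$1" ]; then
        val=$(sed -nE "s/${KEY_RE}//p" "$1" | tail -n 1 | tr -d '[:space:]')
    fi
    echo "${val:-unset}"
}

# Set the key to true: rewrite an existing entry in place, append otherwise.
# Other entries and commented-out lines are left untouched.
enable_ocsp() {
    file=$1
    if [ "$(ocsp_state "$file")" = true ]; then
        return 0                                   # already enabled
    fi
    tmp=$(mktemp "${file}.XXXXXX") || return 1     # edit a copy, then swap it in
    if [ -f "$file" ] && grep -Eq "$KEY_RE" "$file"; then
        sed -E "s/${KEY_RE}.*/${KEY}=true/" "$file" > "$tmp"
    else
        if [ -f "$file" ]; then
            cat "$file" > "$tmp"
            # Terminate an unterminated last line before appending.
            if [ -n "$(tail -c 1 "$file")" ]; then echo >> "$tmp"; fi
        fi
        echo "${KEY}=true" >> "$tmp"
    fi
    mv "$tmp" "$file"
}

# Stand-alone use: sh script.sh /path/to/deployment.properties
if [ $# -gt 0 ]; then
    enable_ocsp "$1" && ocsp_state "$1"
fi
```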