JDK-7197652 : Impossible to run any signed JNLP applications or applets, OCSP off by default

Details
Type:
Bug
Submit Date:
2012-09-11
Status:
Closed
Updated Date:
2013-07-17
Project Name:
JDK
Resolved Date:
2012-12-13
Component:
security-libs
OS:
generic,windows_7
Sub-Component:
java.security
CPU:
x86,generic
Priority:
P2
Resolution:
Fixed
Affected Versions:
7,7u7,8
Fixed Versions:
7u40 (b08)

Related Reports
Backport:
Backport:
Backport:
Backport:
Duplicate:
Relates:
Relates:

Sub Tasks

Description
FULL PRODUCT VERSION :
Java 1.7 update 7

ADDITIONAL OS VERSION INFORMATION :
Windows 7, 64-bit

A DESCRIPTION OF THE PROBLEM :
OCSP was enabled by default until Java 1.6. Now, it is disabled by default. When I try to run a signed applet or a signed application, it simply fails.

REGRESSION. Last worked in version 6u31

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Go to http://jogamp.org/deployment/jogamp-current/jogl-demos/jogl-newt-applet-runner-gears.html

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
The famous Gears demo works.
ACTUAL -
You can see the actual result here: http://forum.jogamp.org/file/n4026082/jogamp-cert-key-7.png

Someone else has a similar problem with SKT editor here: http://www.java.net/forum/topic/jdk/java-se-snapshots-project-feedback/os-x-jdk-7u6-will-not-run-signed-jnlp-apps
ERROR MESSAGES/STACK TRACES THAT OCCUR :
java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: java.security.InvalidKeyException: Wrong key usage
at com.sun.deploy.security.TrustDecider.doCheckRevocationStatus(Unknown Source)
at com.sun.deploy.security.TrustDecider.validateChain(Unknown Source)
at com.sun.deploy.security.TrustDecider.isAllPermissionGranted(Unknown Source)
at com.sun.javaws.security.AppPolicy.grantUnrestrictedAccess(Unknown Source)
at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResourcesHelper(Unknown Source)
at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResources(Unknown Source)
at com.sun.javaws.Launcher.prepareResources(Unknown Source)
at com.sun.javaws.Launcher.prepareAllResources(Unknown Source)
at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
at com.sun.javaws.Launcher.launch(Unknown Source)
at com.sun.javaws.Main.launchApp(Unknown Source)
at com.sun.javaws.Main.continueInSecureThread(Unknown Source)
at com.sun.javaws.Main.access$000(Unknown Source)
at com.sun.javaws.Main$1.run(Unknown Source)
at java.lang.Thread.run(Thread.java:722)
Caused by: java.security.cert.CertPathValidatorException: java.security.InvalidKeyException: Wrong key usage
at sun.security.provider.certpath.OCSPResponse.verifyResponse(OCSPResponse.java:541)
at sun.security.provider.certpath.OCSPResponse.<init>(OCSPResponse.java:494)
at sun.security.provider.certpath.OCSP.check(OCSP.java:261)
at sun.security.provider.certpath.OCSP.check(OCSP.java:165)
at sun.security.provider.certpath.OCSP.check(OCSP.java:130)
at com.sun.deploy.security.TrustDecider.doOCSPEEValidation(Unknown Source)
... 16 more
Caused by: java.security.InvalidKeyException: Wrong key usage
at java.security.Signature.initVerify(Signature.java:490)
at sun.security.provider.certpath.OCSPResponse.verifyResponse(OCSPResponse.java:524)
... 21 more

REPRODUCIBILITY :
This bug can be reproduced always.

---------- BEGIN SOURCE ----------
https://github.com/sgothel/jogl-demos/blob/master/src/demos/gears/Gears.java
---------- END SOURCE ----------

CUSTOMER SUBMITTED WORKAROUND :
Open the Java Control Panel and go to System Preferences > Other > Java > Advanced > "Enable online certificate validation" (the end users should not have to do this by default; it is really annoying).
Comments

2012-09-18 - WORK AROUND

Open the Java Control Panel and go to System Preferences > Other > Java > Advanced > "Enable online certificate validation"

or

In the deployment.properties file set deployment.security.validation.ocsp=true

2012-09-20 - EVALUATION

Address the root cause. The root cause is described in CR 7197652.

2012-12-13

URL:   http://hg.openjdk.java.net/jdk7u/jdk7u-dev/jdk/rev/d2cb9e7a0e52
User:  vinnie
Date:  2012-12-13 15:31:53 +0000

2012-12-28

URL:   http://hg.openjdk.java.net/jdk7u/jdk7u/jdk/rev/d2cb9e7a0e52
User:  lana
Date:  2012-12-28 18:30:44 +0000

2013-04-05

Verified with TL nightly failures for last 15 days. Test ValidateUsingExternalOCSP passed in nightly regression:
http://aurora.ru.oracle.com/functional/faces/RunDetails.xhtml?names=196610.CORELIBS-JDK8-NIGHTLY-JTREG-13