Duplicate :
FULL PRODUCT VERSION :

ADDITIONAL OS VERSION INFORMATION :
Microsoft Windows [Version 6.1.7601]

EXTRA RELEVANT SYSTEM CONFIGURATION :
The client should be joined to a wireless network with a captive portal enabled. The captive portal should allow the user to get to http://serverurl but not to http://ocsp.thawte.com

As the client loads the applet from serverurl, Java will try to query OCSP at ocsp.thawte.com. The captive portal will respond with a 302, redirecting the client to a web login page. Unlike a 404 error code, which Java handles gracefully, Java will crash when trying to parse the non-OCSP response.

A DESCRIPTION OF THE PROBLEM :
The issue occurs when joined to a network that has a captive portal. As an applet loads, Java tries to call the OCSP URL (ocsp.thawte.com in our case) to verify the code signing certificate. The captive portal responds with a 302 Redirect, redirecting the client to a web login page. Java follows the redirect and receives the web login page's content. Then, it attempts to parse the HTML as an OCSP response and crashes. The user is given a generic "Error occurred" message.

Java should handle the invalid OCSP response the same as a 404.

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
The client should be joined to a wireless network with a captive portal enabled. The captive portal should allow the user to get to http://serverurl but not to http://ocsp.thawte.com

As the client loads the applet from serverurl, Java will try to query OCSP at ocsp.thawte.com. The captive portal will respond with a 302, redirecting the client to a web login page. Unlike a 404 error code, which Java handles gracefully, Java will crash when trying to parse the non-OCSP response.

Alternate: For simpler testing, generate a code signing certificate with the OCSP URL set to http://www.google.com and sign the applet with this certificate. Make sure the certificate's CA is in the client's trust store. With this, Java will call http://www.google.com directly (without the need for a 302) and the OCSP parsing will crash while parsing the Google HTML.

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED - Java should handle the invalid OCSP response the same as a 404.
ACTUAL - Java throws an exception and gives the user a generic "Error occurred" message.

ERROR MESSAGES/STACK TRACES THAT OCCUR :
java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: java.io.IOException: extra data given to DerValue constructor
    at com.sun.deploy.security.RevocationChecker.checkOCSP(Unknown Source)
    at com.sun.deploy.security.RevocationChecker.check(Unknown Source)
    at com.sun.deploy.security.TrustDecider.checkRevocationStatus(Unknown Source)
    at com.sun.deploy.security.TrustDecider.getValidationState(Unknown Source)
    at com.sun.deploy.security.TrustDecider.validateChain(Unknown Source)
    at com.sun.deploy.security.TrustDecider.isAllPermissionGranted(Unknown Source)
    at sun.plugin2.applet.Plugin2ClassLoader.isTrustedByTrustDecider(Unknown Source)
    at sun.plugin2.applet.Plugin2ClassLoader.getTrustedCodeSources(Unknown Source)
    at com.sun.deploy.security.CPCallbackHandler$ParentCallback.strategy(Unknown Source)
    at com.sun.deploy.security.CPCallbackHandler$ParentCallback.openClassPathElement(Unknown Source)
    at com.sun.deploy.security.DeployURLClassPath$JarLoader.getJarFile(Unknown Source)
    at com.sun.deploy.security.DeployURLClassPath$JarLoader.access$1000(Unknown Source)
    at com.sun.deploy.security.DeployURLClassPath$JarLoader$1.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.sun.deploy.security.DeployURLClassPath$JarLoader.ensureOpen(Unknown Source)
    at com.sun.deploy.security.DeployURLClassPath$JarLoader.<init>(Unknown Source)
    at com.sun.deploy.security.DeployURLClassPath$3.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.sun.deploy.security.DeployURLClassPath.getLoader(Unknown Source)
    at com.sun.deploy.security.DeployURLClassPath.getLoader(Unknown Source)
    at com.sun.deploy.security.DeployURLClassPath.getResource(Unknown Source)
    at sun.plugin2.applet.Plugin2ClassLoader$2.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.plugin2.applet.Plugin2ClassLoader.findClassHelper(Unknown Source)
    at sun.plugin2.applet.Applet2ClassLoader.findClass(Unknown Source)
    at sun.plugin2.applet.Plugin2ClassLoader.loadClass0(Unknown Source)
    at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
    at sun.plugin2.applet.Plugin2ClassLoader.loadClass0(Unknown Source)
    at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
    at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
    at sun.plugin2.applet.Plugin2ClassLoader.loadCode(Unknown Source)
    at sun.plugin2.applet.Plugin2Manager.initAppletAdapter(Unknown Source)
    at sun.plugin2.applet.Plugin2Manager$AppletExecutionRunnable.run(Unknown Source)
    at java.lang.Thread.run(Thread.java:724)
    Suppressed: com.sun.deploy.security.RevocationChecker$StatusUnknownException
        at com.sun.deploy.security.RevocationChecker.checkCRLs(Unknown Source)
        ... 34 more
Caused by: java.security.cert.CertPathValidatorException: java.io.IOException: extra data given to DerValue constructor
    at sun.security.provider.certpath.OCSP.check(OCSP.java:288)
    at sun.security.provider.certpath.OCSP.check(OCSP.java:189)
    at sun.security.provider.certpath.OCSP.check(OCSP.java:154)
    ... 35 more
Caused by: java.io.IOException: extra data given to DerValue constructor
    at sun.security.util.DerValue.init(DerValue.java:384)
    at sun.security.util.DerValue.<init>(DerValue.java:294)
    at sun.security.provider.certpath.OCSPResponse.<init>(OCSPResponse.java:194)
    at sun.security.provider.certpath.OCSP.check(OCSP.java:285)

REPRODUCIBILITY :
This bug can be reproduced always.

CUSTOMER SUBMITTED WORKAROUND :
Redesign the network to return a 404, but this is difficult given the massive IP space of the OCSP URLs.
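The behaviour the report asks for ("handle the invalid OCSP response the same as a 404") amounts to a sanity check on the HTTP reply before it reaches the DER parser. The following is an added example written for this page; it is not code from the bug report or from the JDK. It assumes a policy in which a non-200 status, a media type other than application/ocsp-response, or a body whose outer DER SEQUENCE length does not match the number of bytes received (the "extra data" condition in the trace) are all mapped to a single "unknown" outcome, which is the branch a 404 already takes, leaving the fall-back to CRL checking and the fail-open/fail-closed decision to the caller. The HTML login page and the OCSPResponse bytes are constructed samples.

```python
"""Classify an HTTP reply fetched from an OCSP responder URL before parsing it.

Added example: a captive-portal login page (or any non-DER body) is mapped to
"unknown", the same result a 404 produces, instead of raising a parse error.
"""
from typing import Optional

# RFC 6960: OCSPResponse ::= SEQUENCE { responseStatus ENUMERATED, responseBytes [0] OPTIONAL }
OCSP_STATUS_NAMES = {
    0: "successful",
    1: "malformedRequest",
    2: "internalError",
    3: "tryLater",
    5: "sigRequired",
    6: "unauthorized",
}
OCSP_CONTENT_TYPE = "application/ocsp-response"  # media type registered for OCSP replies

# Constructed sample bodies (not captured traffic).
HTML_LOGIN_PAGE = (
    b"<html><head><title>Guest Wi-Fi Login</title></head>"
    b"<body><form action='/login' method='post'>"
    b"<input name='user'><input name='pass' type='password'></form></body></html>"
)
# SEQUENCE { ENUMERATED 3 }  ->  an OCSPResponse with responseStatus = tryLater
OCSP_TRY_LATER = bytes.fromhex("30030a0103")


def der_tlv_total_length(data: bytes) -> Optional[int]:
    """Return header + content length of the outermost DER SEQUENCE in `data`,
    or None if the bytes cannot be the start of a DER SEQUENCE."""
    if len(data) < 2 or data[0] != 0x30:      # 0x30 = SEQUENCE tag
        return None
    first = data[1]
    if first < 0x80:                          # short-form length
        return 2 + first
    n = first & 0x7F                          # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:  # indefinite form or absurd size: not DER
        return None
    content_len = int.from_bytes(data[2:2 + n], "big")
    return 2 + n + content_len


def classify_ocsp_reply(http_status: int, content_type: str, body: bytes) -> str:
    """Return "ocsp" when the reply is a complete DER OCSPResponse worth parsing,
    otherwise "unknown" (treat revocation status as unknown, as for a 404).
    Never raises: the whole point is that garbage input is a status, not a crash."""
    if http_status != 200:                    # 302 to a portal, 404, 5xx: all unknown
        return "unknown"
    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type != OCSP_CONTENT_TYPE:       # text/html from a portal lands here
        return "unknown"
    total = der_tlv_total_length(body)
    if total is None or total != len(body):   # truncated, or trailing "extra data"
        return "unknown"
    return "ocsp"


def ocsp_response_status(body: bytes) -> str:
    """Decode responseStatus from a body that classify_ocsp_reply accepted."""
    if der_tlv_total_length(body) != len(body):
        raise ValueError("not a complete DER OCSPResponse")
    header_len = 2 if body[1] < 0x80 else 2 + (body[1] & 0x7F)
    inner = body[header_len:]
    if len(inner) < 3 or inner[0] != 0x0A or inner[1] != 1:  # ENUMERATED, length 1
        raise ValueError("responseStatus is not a one-byte ENUMERATED")
    return OCSP_STATUS_NAMES.get(inner[2], f"unknown({inner[2]})")


if __name__ == "__main__":
    # Portal redirect followed to an HTML page: unknown, not an exception.
    print(classify_ocsp_reply(200, "text/html; charset=utf-8", HTML_LOGIN_PAGE))
    # Even with the right media type, HTML is not a DER SEQUENCE.
    print(classify_ocsp_reply(200, OCSP_CONTENT_TYPE, HTML_LOGIN_PAGE))
    # A proper responder reply is accepted and its status decoded.
    reply = classify_ocsp_reply(200, OCSP_CONTENT_TYPE, OCSP_TRY_LATER)
    print(reply, ocsp_response_status(OCSP_TRY_LATER))
    # Trailing bytes after the SEQUENCE are the "extra data" case: unknown.
    print(classify_ocsp_reply(200, OCSP_CONTENT_TYPE, OCSP_TRY_LATER + b"\r\n"))
```

Checking the outer SEQUENCE length against the byte count is the cheap test that turns the "extra data given to DerValue constructor" failure into a status; the media-type check catches the captive-portal case even earlier, before any bytes are interpreted as DER.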