JDK-8029788 : Certificate validation - java.lang.ClassCastException

Details
Type: Bug
Submit Date: 2013-12-08
Status: Closed
Updated Date: 2014-01-14
Project Name: JDK
Resolved Date: 2013-12-17
Component: security-libs
OS: generic
Sub-Component: java.security
CPU: generic
Priority: P1
Resolution: Fixed
Affected Versions: 8

Description
It appears to be a regression in JRE8-b119, as a signed applet failed to load due to a certificate validation failure.
The issue is caused by java.lang.ClassCastException: com.sun.deploy.security.X509CertificateWrapper cannot be cast to sun.security.x509.X509CertImpl

The same applet loaded fine if using JRE8-b118 

*** Tested Configurations
- x86 Win7
- IE 9, FF 25, GC 31
- jre 8-b118, b119

*** Steps to reproduce:
0) Install jre 8-b119
1) Enable the certificate revocation checks by default 
2) Use any browser to load the signed test applet:
http://www.oxygenxml.com/demo/AuthorDemoApplet/author-component-dita.html

Wait for applet resources to download and at the end, if you see the certificate validation failed due to java.lang.ClassCastException: com.sun.deploy.security.X509CertificateWrapper cannot be cast to sun.security.x509.X509CertImpl, the issue is reproducible

The problem does not occur if using jre 8-b118 
                                    

Comments
RULE closed/java/security/cert/CertPathValidator/OCSP/ValidateUsingOCSPCache.java Exception java.lang.ClassCastException: X509CertificateWrapper cannot be cast to sun.security.x509.X509CertImpl
                                     
2014-01-14
java/security/cert/CertPathValidator/OCSP/ValidateUsingOCSPCache.java has passed since B122
                                     
2014-01-10
URL:   http://hg.openjdk.java.net/jdk8/jdk8/jdk/rev/68c31754f925
User:  lana
Date:  2013-12-24 18:59:06 +0000

                                     
2013-12-24
Oracle Forms reported the same issue -

Steps to Reproduce (be specific):

1) Install the latest JDK8 Build 120 on Windows 7.

2) Run the URL given below:
http://adc2180645.us.oracle.com:8888/forms/frmservlet.

3) An Application Blocked security warning is displayed as "Failed to validate certificate and the application will not be executed". On clicking the More Information button you can see the exception list below:
java.lang.ClassCastException: com.sun.deploy.security.X509CertificateWrapper cannot be cast to sun.security.x509.X509CertImpl
	at sun.security.provider.certpath.OCSPResponse.verify(Unknown Source)
	at sun.security.provider.certpath.OCSP.check(Unknown Source)
	at sun.security.provider.certpath.OCSP.check(Unknown Source)
	at sun.security.provider.certpath.OCSP.check(Unknown Source)
	at com.sun.deploy.security.RevocationChecker.checkOCSP(Unknown Source)
	at com.sun.deploy.security.RevocationChecker.check(Unknown Source)
	at com.sun.deploy.security.TrustDecider.checkRevocationStatus(Unknown Source)
	at com.sun.deploy.security.TrustDecider.getValidationState(Unknown Source)
	at com.sun.deploy.security.TrustDecider.validateChain(Unknown Source)
	at com.sun.deploy.security.TrustDecider.isAllPermissionGranted(Unknown Source)
	at sun.plugin2.applet.Plugin2ClassLoader.isTrustedByTrustDecider(Unknown Source)
	at sun.plugin2.applet.Plugin2ClassLoader.getTrustedCodeSources(Unknown Source)
	at com.sun.deploy.security.CPCallbackHandler$ParentCallback.strategy(Unknown Source)
	at com.sun.deploy.security.CPCallbackHandler$ParentCallback.openClassPathElement(Unknown Source)
	at com.sun.deploy.security.DeployURLClassPath$JarLoader.getJarFile(Unknown Source)
	at com.sun.deploy.security.DeployURLClassPath$JarLoader.access$1000(Unknown Source)
	at com.sun.deploy.security.DeployURLClassPath$JarLoader$1.run(Unknown Source)
	at java.security.AccessController.doPrivileged(Native Method)
	at com.sun.deploy.security.DeployURLClassPath$JarLoader.ensureOpen(Unknown Source)
	at com.sun.deploy.security.DeployURLClassPath$JarLoader.<init>(Unknown Source)
	at com.sun.deploy.security.DeployURLClassPath$3.run(Unknown Source)
	at java.security.AccessController.doPrivileged(Native Method)
	at com.sun.deploy.security.DeployURLClassPath.getLoader(Unknown Source)
	at com.sun.deploy.security.DeployURLClassPath.getLoader(Unknown Source)
	at com.sun.deploy.security.DeployURLClassPath.getResource(Unknown Source)
	at sun.plugin2.applet.Plugin2ClassLoader$1.run(Unknown Source)
	at java.security.AccessController.doPrivileged(Native Method)
	at sun.plugin2.applet.Plugin2ClassLoader.findClassHelper(Unknown Source)
	at sun.plugin2.applet.Applet2ClassLoader.findClass(Unknown Source)
	at sun.plugin2.applet.Plugin2ClassLoader.loadClass0(Unknown Source)
	at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
	at sun.plugin2.applet.Plugin2ClassLoader.loadClass0(Unknown Source)
	at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
	at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
	at java.lang.ClassLoader.loadClass(Unknown Source)
	at sun.plugin2.applet.Plugin2ClassLoader.loadCode(Unknown Source)
	at sun.plugin2.applet.Plugin2Manager.initAppletAdapter(Unknown Source)
	at sun.plugin2.applet.Plugin2Manager$AppletExecutionRunnable.run(Unknown Source)
	at java.lang.Thread.run(Unknown Source)


4) On clicking the OK button an application error is thrown which states that "User has denied the privileges to the code". Please refer to attachment "JDK8_B120.jpg" attached with the same mail.


                                     
2013-12-23
Release team: Approved for fixing
                                     
2013-12-17
URL:   http://hg.openjdk.java.net/jdk8/tl/jdk/rev/68c31754f925
User:  vinnie
Date:  2013-12-17 23:05:18 +0000

                                     
2013-12-17
Affected tests:
JawsOcspAndCrlCheckTest::testWholeChainValidCheckWholeJNLP
                                     
2013-12-13
SQE approves this critical request.
This is a regression. The regression test coverage is good.
                                     
2013-12-12
This issue will happen on Windows 8.1 x64, Windows 7 SP1 x86, Ubuntu 12.04 x86 and Mac OS 10.8 (x64) using jre8b119 for applet

set3/jgames_ChineseChecker
set3/jgames_Middoploy
set3/jgames_NavyBattle
                                     
2013-12-11
This issue will happen on Windows 7 SP1 x86 and Windows 8 x64 using jre8b119 for plugin

entrustScenarios/ClassicPreserve
entrustScenarios/ClassicReplace
entrustScenarios/Toolkit
oraclePreTrustedCertManualScenarios/testJavaRemovalApplet
                                     
2013-12-11
I do not think deploy integrated anything in b119. Wonder if something changed in jre.

What's the full stack trace?
                                     
2013-12-09
The problem is in OCSPResponse.verify:

            certs.add((X509CertImpl) issuerCert);

We incorrectly assume the certificate is an instanceof X509CertImpl. Since these internal APIs are called by deployment code which passes in their own subclass of X509Certificate, that is not always true.

The fix is to use X509CertImpl.toImpl() to first convert it to an X509CertImpl.
                                     
2013-12-09
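The failure mode and the conversion-based fix described in the comment above, reproduced with public API only. This is an added example, not code from the JDK or from this bug report: the `Wrapper` class, the `normalize` helper and the use of the default trust store as sample input are assumptions, and `normalize` re-parses the DER encoding as a public-API stand-in for the internal `X509CertImpl.toImpl()`.

```java
import java.io.ByteArrayInputStream;
import java.math.BigInteger;
import java.security.*;
import java.security.cert.*;
import java.util.*;
import javax.net.ssl.*;

public class CertCastDemo {
    // Hypothetical delegating subclass, standing in for a caller-supplied wrapper type.
    static class Wrapper extends X509Certificate {
        private final X509Certificate c;
        Wrapper(X509Certificate c) { this.c = c; }
        public byte[] getEncoded() throws CertificateEncodingException { return c.getEncoded(); }
        public byte[] getTBSCertificate() throws CertificateEncodingException { return c.getTBSCertificate(); }
        public void verify(PublicKey k) throws CertificateException, NoSuchAlgorithmException, InvalidKeyException, NoSuchProviderException, SignatureException { c.verify(k); }
        public void verify(PublicKey k, String p) throws CertificateException, NoSuchAlgorithmException, InvalidKeyException, NoSuchProviderException, SignatureException { c.verify(k, p); }
        public void checkValidity() throws CertificateExpiredException, CertificateNotYetValidException { c.checkValidity(); }
        public void checkValidity(Date d) throws CertificateExpiredException, CertificateNotYetValidException { c.checkValidity(d); }
        public String toString() { return "Wrapper[" + c.getSubjectX500Principal() + "]"; }
        public PublicKey getPublicKey() { return c.getPublicKey(); }
        public int getVersion() { return c.getVersion(); } public BigInteger getSerialNumber() { return c.getSerialNumber(); }
        public Principal getIssuerDN() { return c.getIssuerDN(); } public Principal getSubjectDN() { return c.getSubjectDN(); }
        public Date getNotBefore() { return c.getNotBefore(); } public Date getNotAfter() { return c.getNotAfter(); }
        public byte[] getSignature() { return c.getSignature(); } public byte[] getSigAlgParams() { return c.getSigAlgParams(); }
        public String getSigAlgName() { return c.getSigAlgName(); } public String getSigAlgOID() { return c.getSigAlgOID(); }
        public boolean[] getIssuerUniqueID() { return c.getIssuerUniqueID(); } public boolean[] getSubjectUniqueID() { return c.getSubjectUniqueID(); }
        public boolean[] getKeyUsage() { return c.getKeyUsage(); }
        public int getBasicConstraints() { return c.getBasicConstraints(); }
        public boolean hasUnsupportedCriticalExtension() { return c.hasUnsupportedCriticalExtension(); }
        public Set<String> getCriticalExtensionOIDs() { return c.getCriticalExtensionOIDs(); } public Set<String> getNonCriticalExtensionOIDs() { return c.getNonCriticalExtensionOIDs(); }
        public byte[] getExtensionValue(String oid) { return c.getExtensionValue(oid); }
    }
    // Convert any X509Certificate subclass to the provider's own implementation by re-parsing its encoding.
    static X509Certificate normalize(X509Certificate cert) throws CertificateException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(cert.getEncoded()));
    }
    public static void main(String[] args) throws Exception {
        // Assumption: the default trust store is non-empty; any certificate from it serves as sample input.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        X509Certificate real = ((X509TrustManager) tmf.getTrustManagers()[0]).getAcceptedIssuers()[0];
        X509Certificate wrapped = new Wrapper(real);
        try { real.getClass().cast(wrapped); }  // same assumption as the unchecked cast: input is the provider's class
        catch (ClassCastException e) { System.out.println("unchecked cast: " + e.getMessage()); }
        X509Certificate impl = normalize(wrapped);  // conversion accepts the wrapper
        System.out.println(impl.getClass().getName() + ", equal to original: " + impl.equals(real));
    }
}
```

Because the exception surfaces inside revocation checking, validation fails for every chain passed in through a wrapper type, which matches the reports on this page that things work only with OCSP/CRL checks disabled.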
All applets/applications using CRL/OCSP are failing (including Entrust test applets) due to this bug, and everything works fine if I disable the OCSP/CRL check.
                                     
2013-12-09
Exception details:
java.lang.ClassCastException: com.sun.deploy.security.X509CertificateWrapper cannot be cast to sun.security.x509.X509CertImpl
	at sun.security.provider.certpath.OCSPResponse.verify(Unknown Source)
	at sun.security.provider.certpath.OCSP.check(Unknown Source)
	at sun.security.provider.certpath.OCSP.check(Unknown Source)
	at sun.security.provider.certpath.OCSP.check(Unknown Source)
	at com.sun.deploy.security.RevocationChecker.checkOCSP(Unknown Source)
	at com.sun.deploy.security.RevocationChecker.check(Unknown Source)
	at com.sun.deploy.security.TrustDecider.checkRevocationStatus(Unknown Source)
	at com.sun.deploy.security.TrustDecider.getValidationState(Unknown Source)
	at com.sun.deploy.security.TrustDecider.validateChain(Unknown Source)
	at com.sun.deploy.security.TrustDecider.isAllPermissionGranted(Unknown Source)
	at com.sun.javaws.security.AppPolicy.grantUnrestrictedAccess(Unknown Source)
	at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResourcesHelper(Unknown Source)
	at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResources(Unknown Source)
	at sun.plugin2.applet.JNLP2Manager.prepareLaunchFile(Unknown Source)
	at sun.plugin2.applet.JNLP2Manager.loadJarFiles(Unknown Source)
	at sun.plugin2.applet.Plugin2Manager$AppletExecutionRunnable.run(Unknown Source)
	at java.lang.Thread.run(Unknown Source)


- trace file attached 

                                     
2013-12-09