JDK-8173632 : Verification of Java Web Start Jar results in 'Unsigned resource' since Java 8 update 121
  • Type: Bug
  • Component: deploy
  • Sub-Component: webstart
  • Affected Version: 8u121,9
  • Priority: P2
  • Status: Closed
  • Resolution: Not an Issue
  • OS: windows_7
  • CPU: x86_64
  • Submitted: 2017-01-30
  • Updated: 2017-05-15
  • Resolved: 2017-02-23
Description
FULL PRODUCT VERSION :
java version "1.8.0_121"
Java(TM) SE Runtime Environment (build 1.8.0_121-b13)
Java HotSpot(TM) 64-Bit Server VM (build 25.121-b13, mixed mode)

ADDITIONAL OS VERSION INFORMATION :
Microsoft Windows [Version 6.1.7601]
Microsoft Windows [Version 10.0.14393]

EXTRA RELEVANT SYSTEM CONFIGURATION :
Before Testing:
'javaws -uninstall' was called
and Security Prompts were restored.

A DESCRIPTION OF THE PROBLEM :
Since updating to Java 8 update 121 our web start application fails with: 'Unsigned application requesting unrestricted access to the system'.
And unsigned resource: 'syntheticaAddonsWithThemes-6.0.0.123104.jar'
The same application worked with Java 8 update 111 and it is signed with a valid certificate using current algorithms.


Verifying with Java 8 update 121 (instructions found in an Oracle Blog entry):
jarsigner -verify -J-Djava.security.debug=jar syntheticaAddonsWithThemes-6.0.0.123104.jar >out.txt 2>&1

Results in:
jar verified.
at the end.

We have a newer jar (syntheticaAddonsWithThemes-6.0.0.140843.jar) that was signed like the older one and it doesn't show that behavior. The only difference between the two Jars seems to be a slightly different META-INF/*.RSA File.

REGRESSION.  Last worked in version 8u111

ADDITIONAL REGRESSION INFORMATION: 
java version "1.8.0_111"
Java(TM) SE Runtime Environment (build 1.8.0_111-b14)
Java HotSpot(TM) 64-Bit Server VM (build 25.111-b14, mixed mode)

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
We uploaded a small sample that fails at the verification step with Java 8 update 121:
https://jre-tests.s3.amazonaws.com/not-working/webstart-notworking.jnlp

The failing Jar is here:
https://jre-tests.s3.amazonaws.com/not-working/clientlib/signed/syntheticaAddonsWithThemes-6.0.0.123104.jar

To reproduce:
1. Install Java 8 update 121
2. Start the JNLP above.
(it contains no Main method, so it won't execute anything and would fail afterwards)




----
We also have a working sample for reference (but we don't know why one is working and one is not):
JNLP: https://jre-tests.s3.amazonaws.com/working/webstart-working.jnlp
JAR: https://jre-tests.s3.amazonaws.com/working/clientlib/signed/syntheticaAddonsWithThemes-6.0.0.140843.jar


EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
We would expect the following Java Web Start Dialog to appear: "Do you want to run this application?"

With the possibility to Click on the "Run" Button.
(it contains no Main method, so it won't execute anything and would fail afterwards)
The Main class in the JNLP is defined as "if.we.got.here.the.verification.was.successful.but.we.dont.get.here.with.java8.u121"
ACTUAL -
Dialog "Unable to launch the application" is shown.

Screenshot taken on Windows 10:
http://answers.axonivy.com/upfiles/java8-error-webstart.png


And the following Exception:

JNLPException[category: Security Error : Exception: null : LaunchDesc: 
<jnlp spec="1.0+" xmlns:jfx="http://javafx.com" href="https://jre-tests.s3.amazonaws.com/not-working/webstart-notworking.jnlp">
  <information>
    <title>Not working Sample to demonstrate Webstart issue</title>
    <description>Not working Sample to demonstrate Webstart issue</description>
  </information>
  <resources>
    <j2se version="1.8+" initial-heap-size="64m" max-heap-size="512m"/>
    <jar href="https://jre-tests.s3.amazonaws.com/not-working/clientlib/signed/syntheticaAddonsWithThemes-6.0.0.123104.jar"/>
  </resources>
  <security>
    <all-permissions/>
  </security>
  <application-desc main-class="if.we.got.here.the.verification.was.successful.but.we.dont.get.here.with.java8.u121"/>
</jnlp> ]
	at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResourcesHelper(Unknown Source)
	at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResources(Unknown Source)
	at com.sun.javaws.Launcher.prepareResources(Unknown Source)
	at com.sun.javaws.Launcher.prepareAllResources(Unknown Source)
	at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
	at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
	at com.sun.javaws.Launcher.launch(Unknown Source)
	at com.sun.javaws.Main.launchApp(Unknown Source)
	at com.sun.javaws.Main.continueInSecureThread(Unknown Source)
	at com.sun.javaws.Main.access$000(Unknown Source)
	at com.sun.javaws.Main$1.run(Unknown Source)
	at java.lang.Thread.run(Thread.java:745)

REPRODUCIBILITY :
This bug can be reproduced always.


Comments
Therefore, based on the explanation provided in my previous comment, I consider that this issue is not a bug in JDK 8u121 and is not a regression. Removing "regression" label. Closing the issue with "Not an Issue" resolution.
23-02-2017

The issue was reproduced using the test case from a description of the bug on MS Windows 7 OS with:
- JDK 9 b157 x64, JDK 9 b154 x64, JDK 8u121 b13 x64, JDK 8u121 b12 x64

The issue could not be reproduced on the same host with:
- JDK 9 b153 x64, JDK 8u121 b11 x64, JDK 8u111 b14 x64

It was defined that:
1. The issue affects JDK 9 and appeared in JDK 9 b154, JDK 8u121 b12.
2. The issue is a result of functioning of the fix for the bug JDK-8168714, because it was practically proven that reversion of part of the fix JDK-8168714 in the file "jdk/src/share/classes/sun/security/util/DerInputBuffer.java" allows to resolve the issue in JDK 8u121 b12.

VERIFICATION OF JAR FILES WITH "JARSIGNER" TOOL:
Both not working and working JAR files were verified by means of "jarsigner" tool from JDK 8u121 b13 by executing the command:
"<JDK_HOME_DIR>\bin\jarsigner.exe -verify -verbose -J-Djava.security.debug=jar <JAR_FILE_NAME>".
Full output of this command is available in the next attached 2 files:
- "JarsignerOutputForNotWorkingJAR.txt" (For not working JAR "syntheticaAddonsWithThemes-6.0.0.123104.jar")
- "JarsignerOutputForWorkingJAR.txt" (For working JAR "syntheticaAddonsWithThemes-6.0.0.140843.jar")

REASON OF THE ISSUE:
Not working JAR file "syntheticaAddonsWithThemes-6.0.0.123104.jar" is considered as unsigned, because the file "META-INF/AXON_IVY.RSA" from JAR cannot be parsed and the following exception, which can be found in the attached file "JarsignerOutputForNotWorkingJAR.txt", "java.io.IOException: Invalid encoding: redundant leading 0s" occurs as a result of additional security check introduced by the fix JDK-8168714. This change is documented in the release notes of JDK 8u121 in the section "More checks added to DER encoding parsing code".
URL of JDK 8u121 release notes: http://www.oracle.com/technetwork/java/javase/8u121-relnotes-3315208.html
23-02-2017
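
Added example, not part of the bug report and not JDK code: a way to pre-check the signature block files in a jar (META-INF/*.RSA, *.DSA, *.EC) for DER INTEGERs that carry a redundant leading 0x00 byte, which strict DER forbids. It assumes the "redundant leading 0s" rejection described above concerns INTEGER contents; the function names are illustrative, and the sample blob is constructed for the demonstration and is not a real PKCS#7 structure.

```python
# Added example; function names are illustrative, not JDK or jarsigner APIs.
import io
import zipfile

def read_tlv(buf, pos):
    """Parse one DER tag-length-value at pos; return (tag, body_start, body_end)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                       # short form length
        length = first
    elif first == 0x80:
        raise ValueError("indefinite length is BER, not DER")
    else:                                  # long form: low 7 bits = count of length bytes
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, pos, pos + length

def redundant_integers(buf, start=0, end=None):
    """Yield (offset, content_hex) for each INTEGER with a redundant leading 0x00."""
    pos, end = start, (len(buf) if end is None else end)
    while pos < end:
        tag, b0, b1 = read_tlv(buf, pos)
        body = buf[b0:b1]
        # DER: a leading 0x00 is allowed only when the next byte has its top bit set.
        if tag == 0x02 and len(body) >= 2 and body[0] == 0 and body[1] < 0x80:
            yield pos, body.hex()
        if tag & 0x20:                     # constructed type: walk its children
            yield from redundant_integers(buf, b0, b1)
        pos = b1

def scan_jar(jar_bytes):
    """Map each META-INF signature block file to its non-minimal INTEGERs."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return {name: list(redundant_integers(jar.read(name)))
                for name in jar.namelist()
                if name.upper().startswith("META-INF/")
                and name.upper().endswith((".RSA", ".DSA", ".EC"))}

def make_sample_jar():
    """Constructed input: a toy DER blob, not a real PKCS#7 signature block."""
    der = bytes.fromhex("300d020101" "3008" "02020001" "02020080")
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as jar:
        jar.writestr("META-INF/AXON_IVY.RSA", der)
    return out.getvalue()
```

In the constructed blob, the INTEGER `00 01` at offset 7 is reported, while `00 80` is not, because there the leading zero is needed to keep the value positive.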

From email - SF/Anton - Anton wrote : "The issue was reproduced starting analysis of the issue. "
21-02-2017

Checked this with 8u111 b14 to 9 ea and could confirm the issue with 8u121 and 8u131 b04.

Results:
==========
8u111 b14: OK
8u112 b15: OK
8u121 b13: FAIL
8u122 ea b04: FAIL
8u131 b04: FAIL
9 ea b154: OK

This seems a regression from 8u121 and onwards, though issue is not reproducible with 9 ea.

To reproduce, run the following jnlp:
https://jre-tests.s3.amazonaws.com/not-working/webstart-notworking.jnlp
30-01-2017