JDK-5056088 : REGRESSION: Java Web Start can't start downloaded application
  • Type: Bug
  • Component: deploy
  • Sub-Component: webstart
  • Affected Version: 5.0
  • Priority: P3
  • Status: Closed
  • Resolution: Not an Issue
  • OS: windows_xp
  • CPU: x86
  • Submitted: 2004-06-02
  • Updated: 2004-06-03
  • Resolved: 2004-06-03
Description
Name: gm110360			Date: 06/01/2004


FULL PRODUCT VERSION :
JDK1.5.0-beta2-b51

ADDITIONAL OS VERSION INFORMATION :
Microsoft Windows XP [Version 5.1.2600]

A DESCRIPTION OF THE PROBLEM :
Java Web Start in JDK1.5.0-beta2 is unable to start an application that works perfectly well in Java 1.4.2.

The application in question uses the all-permissions JNLP tag and as such is signed. It seems that something about the signatures on the Jars is causing WebStart to break.

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
1) open a link for a signed JWS application that requires all-permissions
2) wait for application to download
3) Web Start will say "starting application..."

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Application starts
ACTUAL -
Watched it pop up a warning dialog saying "Failed to validate certificate. This application will not be run."

ERROR MESSAGES/STACK TRACES THAT OCCUR :
 "Failed to validate certificate. This application will not be run."

Exception was:
java.security.cert.CertificateException: Check leaf key usage failed in certificate
        at com.sun.deploy.security.CertUtils.checkUsageForCodeSigning (Unknown source)
        ...

There's no way to copy the exception from the exception dialog, so I've had to type the exception fragment in.

REPRODUCIBILITY :
This bug can be reproduced always.

Release Regression From : 1.4.2
The above release value was the last known release where this 
bug was known to work. Since then there has been a regression.

(Incident Review ID: 275416) 
======================================================================

Comments
EVALUATION

The exception is caused by the check in CertUtils.java, method checkLeafKeyUsageForCodeSigning. We do a check on:

        if (extKeyUsageInfo.contains(OID_EKU_ANY_USAGE) == false &&
            extKeyUsageInfo.contains(OID_EKU_CODE_SIGNING) == false) {
            Trace.msgSecurityPrintln("trustdecider.check.leafkeyusage.extkeyusageinfo");
            return false;
        }

It returned false here because extKeyUsageInfo does not contain OID_EKU_ANY_USAGE and OID_EKU_CODE_SIGNING. It only contains OID_EKU_SERVER_AUTH and OID_EKU_CLIENT_AUTH. Therefore the exception is thrown. We do not have such a check in 1.4.2 Java Web Start.
###@###.### 2004-06-02

The problem is that the application jar is signed with a server certificate. It should be signed with a code signing certificate instead.
###@###.### 2004-06-02
02-06-2004