JDK-6939248 : Jarsigner can't extract Extended Key Usage from Timestamp Reply correctly
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 6u18
  • Priority: P4
  • Status: Resolved
  • Resolution: Fixed
  • OS: windows_xp
  • CPU: x86
  • Submitted: 2010-03-30
  • Updated: 2011-02-16
  • Resolved: 2010-04-22
Version
  • JDK 6: 6u21 b03 (Fixed)
  • JDK 7: 7 (Fixed)
Description
FULL PRODUCT VERSION :
java version "1.6.0_18"
Java(TM) SE Runtime Environment (build 1.6.0_18-b07)
Java HotSpot(TM) Client VM (build 16.0-b13, mixed mode, sharing)

ADDITIONAL OS VERSION INFORMATION :
Windows XP SP3

A DESCRIPTION OF THE PROBLEM :
When timestamping a request, jarsigner crashes with a null pointer exception:

jarsigner error: java.lang.NullPointerException
java.lang.NullPointerException
        at sun.security.tools.TimestampedSigner.generateTimestampToken(TimestampedSigner.java:346)
        at sun.security.tools.TimestampedSigner.generateSignedData(TimestampedSigner.java:211)
        at sun.security.tools.SignatureFile$Block.<init>(JarSigner.java:1979)
        at sun.security.tools.SignatureFile.generateBlock(JarSigner.java:1876)
        at sun.security.tools.JarSigner.signJar(JarSigner.java:1024)
        at sun.security.tools.JarSigner.run(JarSigner.java:203)
        at sun.security.tools.JarSigner.main(JarSigner.java:74)

The reason seems to be that lines 376/377 extract the keyPurposes:
keyPurposes = cert.getExtendedKeyUsage();

The keyPurposes variable is null after this statement. The certificate used for timestamping definitely has the extendedKeyUsage field set and it includes the KP_TIMESTAMPING_OID OID.


To make this reproducible, I captured the network traffic that is sent from the timestamp-server and will try to attach the pcap file as well as the certificate used for timestamping.


STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Use jarsigner to sign and timestamp a jar-file with the attached certificate.


EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Jar file gets timestamped correctly, extended key usage can be extracted correctly from the timestamp server reply.
ACTUAL -
See description: jarsigner crashes because the extended key usage field can't be extracted correctly.

ERROR MESSAGES/STACK TRACES THAT OCCUR :
see description

REPRODUCIBILITY :
This bug can be reproduced always.

CUSTOMER SUBMITTED WORKAROUND :
unknown

Comments
EVALUATION (01-04-2010)
Seems we falsely use the first certificate in the response cert chain as the TSA cert. In fact, the chain is encoded as a Set and unordered.
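As an added example (not code from the JDK, jarsigner, or the bug submitter), the following Java program shows the selection the evaluation calls for and the null handling the description is missing: it pulls the certificates out of a TSA reply's timeStampToken with the public CertificateFactory API (which accepts a PKCS#7/CMS SignedData), then picks the TSA certificate by its id-kp-timeStamping extended key usage, the OID behind jarsigner's KP_TIMESTAMPING_OID, instead of by its position in the certificates SET. A null from getExtendedKeyUsage() is treated as "extension absent" rather than dereferenced. The class name TsaCertSelector, the small DER-walking helper, the method names and the command-line file argument are my own choices; the OID value and the "EKU must be present and critical" rule come from RFC 3161.

```java
import java.io.ByteArrayInputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;
import java.util.Set;

/** Added example: picks the TSA certificate out of a timestamp reply by EKU, not by SET position. */
public final class TsaCertSelector {

    /** id-kp-timeStamping from RFC 3161 section 2.3 (the OID behind jarsigner's KP_TIMESTAMPING_OID). */
    static final String KP_TIMESTAMPING_OID = "1.3.6.1.5.5.7.3.8";

    /** Minimal DER TLV view: tag byte, offset of the value, and value length (assumed helper). */
    static final class Tlv {
        final int tag, valueStart, valueLen;
        Tlv(int tag, int valueStart, int valueLen) {
            this.tag = tag; this.valueStart = valueStart; this.valueLen = valueLen;
        }
        int end() { return valueStart + valueLen; }
    }

    /** Reads one DER header at offset; handles short and definite long-form lengths up to 4 bytes. */
    static Tlv readTlv(byte[] der, int offset) {
        if (offset + 2 > der.length) throw new IllegalArgumentException("truncated DER at " + offset);
        int tag = der[offset] & 0xff;
        int first = der[offset + 1] & 0xff;
        int pos = offset + 2;
        int len = first;
        if ((first & 0x80) != 0) {
            int n = first & 0x7f;                 // n == 0 would be indefinite length, not valid DER
            if (n == 0 || n > 4 || pos + n > der.length) {
                throw new IllegalArgumentException("unsupported DER length at " + offset);
            }
            len = 0;
            for (int i = 0; i < n; i++) len = (len << 8) | (der[pos++] & 0xff);
        }
        if (len < 0 || pos + len > der.length) {
            throw new IllegalArgumentException("DER value overruns input at " + offset);
        }
        return new Tlv(tag, pos, len);
    }

    /**
     * Returns the DER bytes of the timeStampToken (a CMS ContentInfo). Accepts either a bare token
     * or a full RFC 3161 TimeStampResp, whose first element is PKIStatusInfo (a SEQUENCE) rather
     * than the contentType OID that opens a ContentInfo.
     */
    static byte[] extractToken(byte[] reply) {
        Tlv outer = readTlv(reply, 0);
        if (outer.tag != 0x30) throw new IllegalArgumentException("expected outer SEQUENCE");
        Tlv first = readTlv(reply, outer.valueStart);
        if (first.tag == 0x06) {                      // OID first: input already is ContentInfo
            return Arrays.copyOfRange(reply, 0, outer.end());
        }
        if (first.tag == 0x30) {                      // PKIStatusInfo first: input is TimeStampResp
            if (first.end() >= outer.end()) {
                throw new IllegalArgumentException("TimeStampResp carries no token; inspect PKIStatusInfo");
            }
            Tlv token = readTlv(reply, first.end());
            return Arrays.copyOfRange(reply, first.end(), token.end());
        }
        throw new IllegalArgumentException("input is neither ContentInfo nor TimeStampResp");
    }

    /** CertificateFactory parses a PKCS#7/CMS SignedData and returns the certificates it carries. */
    static Collection<? extends Certificate> certificatesOf(byte[] token) throws CertificateException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return cf.generateCertificates(new ByteArrayInputStream(token));
    }

    /**
     * The certificates SET has no defined order, so the TSA certificate is selected by its
     * extended key usage. getExtendedKeyUsage() returns null when the extension is absent; that
     * null is what a "first certificate is the TSA" assumption ends up dereferencing.
     */
    static X509Certificate findTsaCert(Collection<? extends Certificate> certs)
            throws CertificateParsingException {
        for (Certificate c : certs) {
            if (!(c instanceof X509Certificate)) continue;
            X509Certificate x = (X509Certificate) c;
            List<String> eku = x.getExtendedKeyUsage();
            if (eku != null && eku.contains(KP_TIMESTAMPING_OID)) return x;
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        byte[] reply = Files.readAllBytes(Paths.get(args[0]));   // DER TimeStampResp or bare token
        Collection<? extends Certificate> certs = certificatesOf(extractToken(reply));
        System.out.println("certificates in token: " + certs.size() + " (DER SET, order not significant)");
        X509Certificate tsa = findTsaCert(certs);
        if (tsa == null) {
            System.out.println("no certificate carries id-kp-timeStamping; nothing to accept as the TSA");
            return;
        }
        System.out.println("TSA certificate: " + tsa.getSubjectX500Principal());
        // RFC 3161 requires the EKU extension on a TSA certificate to be marked critical.
        Set<String> critical = tsa.getCriticalExtensionOIDs();
        System.out.println("EKU marked critical: " + (critical != null && critical.contains("2.5.29.37")));
    }
}
```

Run it as `java TsaCertSelector reply.der` against a saved TSA reply (such as the one in the submitter's capture, once extracted from the HTTP body). Matching on the EKU is enough to avoid the ordering assumption, but a complete verifier also checks that the chosen certificate is the one named by the token's SignerInfo (its issuer and serial number, or the ESSCertID signed attribute), since a reply may legitimately carry more than one certificate with this key purpose.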