JDK-6967410 : wrongly mixed code warning for signed and unsigned unsafe code combination
  • Type: Bug
  • Component: deploy
  • Sub-Component: deployment_toolkit
  • Affected Version: 6u20
  • Priority: P3
  • Status: Resolved
  • Resolution: Cannot Reproduce
  • OS: windows_2000
  • CPU: x86
  • Submitted: 2010-07-07
  • Updated: 2014-07-30
  • Resolved: 2014-02-12
Description
FULL PRODUCT VERSION :
java version "1.6.0_20"
Java(TM) SE Runtime Environment (build 1.6.0_20-b02)
Java HotSpot(TM) Client VM (build 16.3-b01, mixed mode, sharing)

ADDITIONAL OS VERSION INFORMATION :
Microsoft Windows 2000 [Version 5.00.2195]

A DESCRIPTION OF THE PROBLEM :
Java Web Start shows the security warning dialog for a signed and unsigned unsafe code combination, even though no unsigned code is involved, only several code signing certificates.

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Create a JNLP file with at least one jar file referenced by a jar tag and at least one jar file referenced by an extension tag.
e.g.:
 
<?xml version="1.0" encoding="utf-8"?>
<jnlp spec="1.5+" ...>
    ...
    <resources>
        <jar href="pathToMain/Main.jar"
                version="3.1-build23" main="true"/>

        <jar href="portal/Contrib-cryptix-jce-api-2009.jar"
                version="2005-03-28"/>

        <extension name="Contrib-cryptix-jce-provider.jar"
                             href="local/Contrib-cryptix-jce-provider.jnlp"/>
    </resources>
    ....
</jnlp>

Sign the jar file referenced by the jar tag with a different certificate than the jar file referenced by the extension tag. Start the Web Start application and see the wrong security warning.

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
no security warning
ACTUAL -
security warning

REPRODUCIBILITY :
This bug can be reproduced always.

Release Regression From : 6u19
The above release value was the last known release where this bug was not reproducible. Since then there has been a regression.
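To tell a jar that really contains unsigned classes apart from a set of jars that are merely signed by different certificates, the signer information can be read offline with the standard java.util.jar API. This Java program is an added example, not code from the bug report or from the JRE; it assumes the jar paths are passed as command-line arguments (for instance Main.jar and the two Contrib-cryptix-jce jars from the JNLP above, once downloaded).

```java
import java.io.IOException;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.X509Certificate;
import java.util.*;
import java.util.jar.*;

/** Reports, per jar, how many entries are unsigned and which certificate subjects signed the rest. */
public class JarSignerReport {
    static final class Report {
        final Set<String> signers = new TreeSet<String>();
        int unsignedEntries = 0;
    }

    static Report inspect(String path) throws IOException {
        Report r = new Report();
        byte[] buf = new byte[8192];
        JarFile jar = new JarFile(path, true); // verify=true: signature blocks are checked while reading
        try {
            Enumeration<JarEntry> en = jar.entries();
            while (en.hasMoreElements()) {
                JarEntry e = en.nextElement();
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                // getCodeSigners() is only populated after the entry has been read to the end;
                // a tampered entry makes read() throw SecurityException
                InputStream in = jar.getInputStream(e);
                try { while (in.read(buf) != -1) { /* drain */ } } finally { in.close(); }
                CodeSigner[] cs = e.getCodeSigners();
                if (cs == null) { r.unsignedEntries++; continue; }
                for (CodeSigner c : cs) {
                    X509Certificate leaf = (X509Certificate) c.getSignerCertPath().getCertificates().get(0);
                    r.signers.add(leaf.getSubjectX500Principal().getName());
                }
            }
        } finally {
            jar.close();
        }
        return r;
    }

    public static void main(String[] args) throws IOException {
        Set<String> allSigners = new TreeSet<String>();
        boolean unsignedSeen = false;
        for (String path : args) {
            Report r = inspect(path);
            System.out.printf("%s: %d unsigned entries, signers=%s%n", path, r.unsignedEntries, r.signers);
            unsignedSeen |= r.unsignedEntries > 0;
            allSigners.addAll(r.signers);
        }
        // Genuinely mixed code means unsigned entries exist; several fully signed jars with
        // different signers is a different situation and should not trigger that warning
        System.out.println(unsignedSeen ? "unsigned code present"
                : "all code signed, " + allSigners.size() + " distinct signer(s)");
    }
}
```

A jar listed with zero unsigned entries but a signer that differs from the other jars matches the situation the report describes: every class is signed, just not by one certificate.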

Comments
The test case for this 3½-year-old bug no longer exists; I am closing it as not reproducible. If similar problems can be demonstrated with modern builds of Java, we will just open new issues.
12-02-2014

EVALUATION The test case has been hosted at: http://portal.incore.de/testCase_6967410.jnlp The initial evaluation is that all jar files look like they have been signed, but some class file in one jar file may be calling into a class in another jar file. It looks like a special case which the mixed code feature didn't handle correctly, but more investigation and debugging need to be done. This issue has been happening since JRE 6u19; due to the JDK7 deadline, I would ask for deferral from JDK7 to the next release.
05-05-2011