JDK-7197652 : Impossible to run any signed JNLP applications or applets, OCSP off by default
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 7,7u7,8
  • Priority: P2
  • Status: Closed
  • Resolution: Fixed
  • OS: generic,windows_7
  • CPU: generic,x86
  • Submitted: 2012-09-11
  • Updated: 2015-10-14
  • Resolved: 2012-12-13
Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

Fix versions:
  • JDK 6: 6u95 (Fixed)
  • JDK 7: 7u10 (Fixed)
  • JDK 8: 8 (Resolved)
Description
FULL PRODUCT VERSION :
Java 1.7 update 7

ADDITIONAL OS VERSION INFORMATION :
Windows 7 64 bits

A DESCRIPTION OF THE PROBLEM :
OCSP was enabled by default until Java 1.6. Now, it is disabled by default. When I try to run a signed applet or a signed application, it simply fails.

REGRESSION.  Last worked in version 6u31

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Go to http://jogamp.org/deployment/jogamp-current/jogl-demos/jogl-newt-applet-runner-gears.html

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
The famous Gears demo works.
ACTUAL -
You can see the actual result here: http://forum.jogamp.org/file/n4026082/jogamp-cert-key-7.png

Someone else has a similar problem with SKT editor here: http://www.java.net/forum/topic/jdk/java-se-snapshots-project-feedback/os-x-jdk-7u6-will-not-run-signed-jnlp-apps

ERROR MESSAGES/STACK TRACES THAT OCCUR :
java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: java.security.InvalidKeyException: Wrong key usage
at com.sun.deploy.security.TrustDecider.doCheckRevocationStatus(Unknown Source)
at com.sun.deploy.security.TrustDecider.validateChain(Unknown Source)
at com.sun.deploy.security.TrustDecider.isAllPermissionGranted(Unknown Source)
at com.sun.javaws.security.AppPolicy.grantUnrestrictedAccess(Unknown Source)
at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResourcesHelper(Unknown Source)
at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResources(Unknown Source)
at com.sun.javaws.Launcher.prepareResources(Unknown Source)
at com.sun.javaws.Launcher.prepareAllResources(Unknown Source)
at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
at com.sun.javaws.Launcher.launch(Unknown Source)
at com.sun.javaws.Main.launchApp(Unknown Source)
at com.sun.javaws.Main.continueInSecureThread(Unknown Source)
at com.sun.javaws.Main.access$000(Unknown Source)
at com.sun.javaws.Main$1.run(Unknown Source)
at java.lang.Thread.run(Thread.java:722)
Caused by: java.security.cert.CertPathValidatorException: java.security.InvalidKeyException: Wrong key usage
at sun.security.provider.certpath.OCSPResponse.verifyResponse(OCSPResponse.java:541)
at sun.security.provider.certpath.OCSPResponse.<init>(OCSPResponse.java:494)
at sun.security.provider.certpath.OCSP.check(OCSP.java:261)
at sun.security.provider.certpath.OCSP.check(OCSP.java:165)
at sun.security.provider.certpath.OCSP.check(OCSP.java:130)
at com.sun.deploy.security.TrustDecider.doOCSPEEValidation(Unknown Source)
... 16 more
Caused by: java.security.InvalidKeyException: Wrong key usage
at java.security.Signature.initVerify(Signature.java:490)
at sun.security.provider.certpath.OCSPResponse.verifyResponse(OCSPResponse.java:524)
... 21 more

REPRODUCIBILITY :
This bug can be reproduced always.

---------- BEGIN SOURCE ----------
https://github.com/sgothel/jogl-demos/blob/master/src/demos/gears/Gears.java
---------- END SOURCE ----------

CUSTOMER SUBMITTED WORKAROUND :
Open the Java Control Panel and go to System Preferences > Other > Java > Advanced > "Enable online certificate validation" (the end users should not have to do this by default, it is really annoying).
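The innermost exception in the trace above, InvalidKeyException: Wrong key usage, is raised by java.security.Signature.initVerify(Certificate) when the certificate handed to it carries a KeyUsage extension that is marked critical and does not assert the digitalSignature bit; in this trace the certificate is the OCSP responder's signing certificate that OCSPResponse.verifyResponse passes in. The following Java program is an added illustration, not part of the bug report or of the JDK: it reproduces that check for a certificate read from a PEM or DER file and also reports whether the certificate carries the id-kp-OCSPSigning extended key usage (OID 1.3.6.1.5.5.7.3.9) that RFC 6960 requires of a delegated OCSP responder. The class name and the command-line argument are the example's own choices.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.List;
import java.util.Set;

/**
 * Reports whether an X.509 certificate would pass the key-usage check that
 * java.security.Signature.initVerify(Certificate) applies before verifying a
 * signature, and whether it is marked for OCSP response signing.
 * Example code, not part of the JDK; the class name is arbitrary.
 */
public class OcspSignerKeyUsageCheck {

    /** OID of the X.509 KeyUsage extension (RFC 5280 section 4.2.1.3). */
    static final String KEY_USAGE_OID = "2.5.29.15";
    /** OID of id-kp-OCSPSigning (RFC 6960 section 4.2.2.2). */
    static final String ID_KP_OCSP_SIGNING = "1.3.6.1.5.5.7.3.9";

    /**
     * Mirrors Signature.initVerify(Certificate): it throws
     * InvalidKeyException("Wrong key usage") only when the KeyUsage extension
     * is present, flagged critical, and has digitalSignature (bit 0) cleared.
     * A certificate without a KeyUsage extension, or with a non-critical one,
     * is accepted regardless of its bits.
     */
    static boolean passesInitVerifyKeyUsageCheck(X509Certificate cert) {
        Set<String> critical = cert.getCriticalExtensionOIDs();
        if (critical == null || !critical.contains(KEY_USAGE_OID)) {
            return true;
        }
        boolean[] keyUsage = cert.getKeyUsage();   // index 0 is digitalSignature
        return keyUsage == null || keyUsage[0];
    }

    /** True when the ExtendedKeyUsage extension lists id-kp-OCSPSigning. */
    static boolean hasOcspSigningEku(X509Certificate cert)
            throws CertificateParsingException {
        List<String> eku = cert.getExtendedKeyUsage();
        return eku != null && eku.contains(ID_KP_OCSP_SIGNING);
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java OcspSignerKeyUsageCheck <responder-cert.pem|.der>");
            System.exit(2);
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate cert;
        try (InputStream in = new FileInputStream(args[0])) {
            // CertificateFactory accepts both PEM ("-----BEGIN CERTIFICATE-----") and raw DER.
            cert = (X509Certificate) cf.generateCertificate(in);
        }
        boolean[] ku = cert.getKeyUsage();
        Set<String> critical = cert.getCriticalExtensionOIDs();
        boolean keyUsageCritical = critical != null && critical.contains(KEY_USAGE_OID);

        System.out.println("Subject:                 " + cert.getSubjectX500Principal());
        System.out.println("KeyUsage present:        " + (ku != null));
        System.out.println("KeyUsage critical:       " + keyUsageCritical);
        System.out.println("digitalSignature bit:    " + (ku != null && ku[0]));
        System.out.println("Signature.initVerify ok: " + passesInitVerifyKeyUsageCheck(cert));
        System.out.println("id-kp-OCSPSigning EKU:   " + hasOcspSigningEku(cert));
        if (!passesInitVerifyKeyUsageCheck(cert)) {
            System.out.println("-> an OCSP response signed with this certificate fails with "
                    + "InvalidKeyException: Wrong key usage");
        }
    }
}
```

Run it against the certificate that signed the OCSP response (the responder certificate embedded in the response, or the issuing CA certificate when the CA signs responses itself). A certificate that prints "Signature.initVerify ok: false" reproduces the failure in the trace above on the certificate side, which lets an operator distinguish a misissued responder certificate from a client-side configuration problem before touching deployment.properties.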

Comments
EVALUATION Address the root cause. The root cause is described in CR 7197652.
20-09-2012

WORK AROUND Open the Java Control Panel and go to System Preferences > Other > Java > Advanced > "Enable online certificate validation", or in the deployment.properties file set deployment.security.validation.ocsp=true
18-09-2012