JDK-8000280 : Impossible to run any signed JNLP applications or applets, OCSP off by default
  • Type: Backport
  • Backport of: JDK-7197652
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 7,7u7,8
  • Priority: P2
  • Status: Closed
  • Resolution: Fixed
  • Submitted: 2012-10-01
  • Updated: 2013-09-12
  • Resolved: 2012-10-02
JDK 7: 7u10 b12 (Fixed)
Description
FULL PRODUCT VERSION :
Java 1.7 update 7

ADDITIONAL OS VERSION INFORMATION :
Windows 7 64 bits

A DESCRIPTION OF THE PROBLEM :
OCSP was enabled by default until Java 1.6. Now, it is disabled by default. When I try to run a signed applet or a signed application, it simply fails.

REGRESSION.  Last worked in version 6u31

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Go to http://jogamp.org/deployment/jogamp-current/jogl-demos/jogl-newt-applet-runner-gears.html

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
The famous Gears demo works.
ACTUAL -
You can see the actual result here: http://forum.jogamp.org/file/n4026082/jogamp-cert-key-7.png

Someone else has a similar problem with SKT editor here: http://www.java.net/forum/topic/jdk/java-se-snapshots-project-feedback/os-x-jdk-7u6-will-not-run-signed-jnlp-apps



ERROR MESSAGES/STACK TRACES THAT OCCUR :
java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: java.security.InvalidKeyException: Wrong key usage
at com.sun.deploy.security.TrustDecider.doCheckRevocationStatus(Unknown Source)
at com.sun.deploy.security.TrustDecider.validateChain(Unknown Source)
at com.sun.deploy.security.TrustDecider.isAllPermissionGranted(Unknown Source)
at com.sun.javaws.security.AppPolicy.grantUnrestrictedAccess(Unknown Source)
at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResourcesHelper(Unknown Source)
at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResources(Unknown Source)
at com.sun.javaws.Launcher.prepareResources(Unknown Source)
at com.sun.javaws.Launcher.prepareAllResources(Unknown Source)
at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
at com.sun.javaws.Launcher.launch(Unknown Source)
at com.sun.javaws.Main.launchApp(Unknown Source)
at com.sun.javaws.Main.continueInSecureThread(Unknown Source)
at com.sun.javaws.Main.access$000(Unknown Source)
at com.sun.javaws.Main$1.run(Unknown Source)
at java.lang.Thread.run(Thread.java:722)
Caused by: java.security.cert.CertPathValidatorException: java.security.InvalidKeyException: Wrong key usage
at sun.security.provider.certpath.OCSPResponse.verifyResponse(OCSPResponse.java:541)
at sun.security.provider.certpath.OCSPResponse.<init>(OCSPResponse.java:494)
at sun.security.provider.certpath.OCSP.check(OCSP.java:261)
at sun.security.provider.certpath.OCSP.check(OCSP.java:165)
at sun.security.provider.certpath.OCSP.check(OCSP.java:130)
at com.sun.deploy.security.TrustDecider.doOCSPEEValidation(Unknown Source)
... 16 more
Caused by: java.security.InvalidKeyException: Wrong key usage
at java.security.Signature.initVerify(Signature.java:490)
at sun.security.provider.certpath.OCSPResponse.verifyResponse(OCSPResponse.java:524)
... 21 more

REPRODUCIBILITY :
This bug can be reproduced always.

---------- BEGIN SOURCE ----------
https://github.com/sgothel/jogl-demos/blob/master/src/demos/gears/Gears.java
---------- END SOURCE ----------

CUSTOMER SUBMITTED WORKAROUND :
Open the Java Control Panel and go to System Preferences > Other > Java > Advanced > "Enable online certificate validation" (the end users should not have to do this by default, it is really annoying).

Comments
Fixed in 7u10. The Security Warning with the following message, related to this bug, will no longer be seen starting with 7u10: "The publisher cannot be verified by a trusted source. Code will be treated as unsigned. java.security.cert.CertPathValidatorException: java.security.InvalidKeyException: Wrong key usage"
17-12-2012
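
The stack trace in the description ends in java.security.Signature.initVerify, which throws InvalidKeyException("Wrong key usage") when the certificate passed to it carries a critical KeyUsage extension without the digitalSignature bit. The following added example (not code from the JDK or from this report; the class and method names are hypothetical) applies the same test to constructed KeyUsage values and, optionally, to the certificates in a file, to find which certificate presented for OCSP response verification would trip it.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Set;

// Added example, not JDK or deployment code. Class and method names are hypothetical.
public class KeyUsageCheck {
    static final String KEY_USAGE_OID = "2.5.29.15";

    // True when Signature.initVerify(Certificate) would throw "Wrong key usage":
    // KeyUsage is present, marked critical, and bit 0 (digitalSignature) is clear.
    static boolean rejectedForSignatures(Set<String> criticalOids, boolean[] keyUsage) {
        return criticalOids != null && criticalOids.contains(KEY_USAGE_OID)
                && keyUsage != null && !keyUsage[0];
    }

    static boolean rejectedForSignatures(X509Certificate cert) {
        return rejectedForSignatures(cert.getCriticalExtensionOIDs(), cert.getKeyUsage());
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: bit arrays in the layout of X509Certificate.getKeyUsage()
        // (index 0 digitalSignature, 5 keyCertSign, 6 cRLSign).
        Set<String> critical = Collections.singleton(KEY_USAGE_OID);
        boolean[] caOnly = {false, false, false, false, false, true, true, false, false};
        boolean[] signer = {true, false, false, false, false, false, false, false, false};
        System.out.println("critical, keyCertSign+cRLSign only: " + rejectedForSignatures(critical, caOnly));
        System.out.println("critical, digitalSignature set:     " + rejectedForSignatures(critical, signer));
        System.out.println("KeyUsage not critical:              "
                + rejectedForSignatures(Collections.<String>emptySet(), caOnly));

        // Optional: pass a PEM or DER file holding the certificates to inspect.
        if (args.length == 1) {
            try (InputStream in = new FileInputStream(args[0])) {
                for (Certificate c : CertificateFactory.getInstance("X.509").generateCertificates(in)) {
                    X509Certificate x = (X509Certificate) c;
                    System.out.println(x.getSubjectX500Principal() + " -> "
                            + (rejectedForSignatures(x) ? "would be rejected" : "accepted"));
                }
            }
        }
    }
}
```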