JDK-8024156 : DRS: The messaging for invalid rule set jar is not explicit.
  • Type: Bug
  • Component: deploy
  • Affected Version: 7u40,8
  • Priority: P4
  • Status: Resolved
  • Resolution: Fixed
  • Submitted: 2013-09-03
  • Updated: 2015-09-29
  • Resolved: 2015-01-12
The Version table provides details about the release in which this issue/RFE will be addressed.

Unresolved: Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed: Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

  • JDK 8: 8u60 b01 (Fixed)
  • JDK 9: 9 (Fixed)
Description
This might be a regression.
When the rule set file is signed with a cert containing OCSP information, and it cannot connect to the OCSP server, it should still work as valid. Now it works as a wrong rule set file and blocks the applet.

Steps to reproduce:
1. Download http://sqeweb.us.oracle.com/deployment2/sheldon/webCases/PolicyFileValidation/policy_template/policy_publicRevoked.jar and install it.
2. Disconnect from the internet by unsetting the proxy.
3. Launch the applet from http://sqeweb.us.oracle.com/deployment2/sheldon/webCases/PolicyFileValidation/html/hello_appletTag.html
4. If it is blocked with "Cannot Verify RuleSet", the bug is reproducible. It should get launched.

Also, if the OCSP server is accessible and the cert is revoked, it should come out with the dialog "Certificate has been revoked". Now it is "Cannot Verify RuleSet".

Attached are the traces for the OCSP server accessible and inaccessible scenarios.

Comments
Crucible review: https://java.se.oracle.com/code/cru/CR-JDK9CLIENT-701
09-01-2015

ok - 1.) The first change is to not do a revocation check for the securitypack or DeploymentRuleSet jar if it is expired or self-signed (already will block). This only requires extending TrustDecider.willBlock() to take a null drs and act appropriately. 2.) The second change is to propagate the message to the block rule when blocking for an invalid DeploymentRuleSet.jar
09-01-2015

Since the jar is invalid, I suggest not doing the OCSP check anymore.
04-09-2013

The jar is invalid because its cert is expired, not because revocation checking results in status unknown. (You can see in the JCP view cert details it expires July 13, 2013.) The messaging clearly needs to be enhanced when the DRS jar is invalid. In most cases the more detailed message (such as expired, revoked, blacklisted, or totally invalid cert) is never shown. The dialog only says "Cannot verify rule set jar", and in many cases there is no proper Trace statement even to tell the developer what the problem is. We should add another line to the Blocked Dialog stating the reason we couldn't verify the rule set jar.
03-09-2013
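The behaviour the description and the 09-01-2015 comment ask for (no revocation check for an expired or self-signed signer, soft-fail when the OCSP responder is unreachable, and an explicit reason instead of a bare "Cannot verify rule set"), shown with the standard PKIXRevocationChecker API as an added example that is not the deploy code itself. The class and method names are invented, and the PEM files (signer chain with the leaf first, and the trust anchors) are supplied by the reader.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.*;
import java.util.*;

// Added example: validates a DRS signer chain and returns an explicit reason string.
public class RuleSetSignerCheck {
    public static String check(CertPath path, Set<TrustAnchor> anchors) throws GeneralSecurityException {
        X509Certificate leaf = (X509Certificate) path.getCertificates().get(0);
        // Expired or self-signed signers are blocked anyway: skip the network revocation check.
        try {
            leaf.checkValidity();
        } catch (CertificateExpiredException | CertificateNotYetValidException e) {
            return "Cannot verify rule set: signer certificate expired or not yet valid (" + e.getMessage() + ")";
        }
        if (leaf.getSubjectX500Principal().equals(leaf.getIssuerX500Principal())) {
            return "Cannot verify rule set: signer certificate is self-signed";
        }
        // Soft-fail revocation: an unreachable OCSP responder does not block by itself.
        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
        PKIXRevocationChecker rc = (PKIXRevocationChecker) cpv.getRevocationChecker();
        rc.setOptions(EnumSet.of(PKIXRevocationChecker.Option.SOFT_FAIL));
        PKIXParameters params = new PKIXParameters(anchors);
        params.addCertPathChecker(rc); // an added checker runs regardless of the RevocationEnabled flag
        try {
            cpv.validate(path, params);
        } catch (CertPathValidatorException e) {
            if (e.getReason() == CertPathValidatorException.BasicReason.REVOKED) {
                return "Certificate has been revoked";
            }
            // Propagate the concrete reason instead of a bare "Cannot verify rule set".
            return "Cannot verify rule set: " + e.getReason() + " - " + e.getMessage();
        }
        // Valid, but say so in the trace when revocation status stayed undetermined (responder unreachable).
        List<CertPathValidatorException> soft = rc.getSoftFailExceptions();
        return soft.isEmpty() ? "Valid" : "Valid (revocation status undetermined: " + soft.get(0).getMessage() + ")";
    }

    // Usage: java RuleSetSignerCheck chain.pem trust.pem  (reader-supplied PEM files, leaf first in chain.pem)
    public static void main(String[] args) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<Certificate> chain;
        try (InputStream in = new FileInputStream(args[0])) { chain = new ArrayList<>(cf.generateCertificates(in)); }
        Set<TrustAnchor> anchors = new HashSet<>();
        try (InputStream in = new FileInputStream(args[1])) {
            for (Certificate c : cf.generateCertificates(in)) anchors.add(new TrustAnchor((X509Certificate) c, null));
        }
        System.out.println(check(cf.generateCertPath(chain), anchors));
    }
}
```

Running it with the responder unreachable returns "Valid (revocation status undetermined: ...)", while a revoked signer with the responder reachable returns "Certificate has been revoked", which is the distinction the report asks the dialog to make.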