JDK-8029788 : Certificate validation - java.lang.ClassCastException
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 8
  • Priority: P1
  • Status: Closed
  • Resolution: Fixed
  • OS: generic
  • CPU: generic
  • Submitted: 2013-12-08
  • Updated: 2017-12-21
  • Resolved: 2013-12-17
  • JDK 8: 8 b122 (Fixed)
  • JDK 9: 9 (Fixed)
  • Other: openjdk7u (Fixed)
Description
It appears to be a regression in JRE8-b119, as a signed applet failed to load due to a certificate validation failure.
The issue is caused by java.lang.ClassCastException: com.sun.deploy.security.X509CertificateWrapper cannot be cast to sun.security.x509.X509CertImpl

The same applet loaded fine if using JRE8-b118 

*** Tested Configurations
- x86 Win7
- IE 9, FF 25, GC 31
- jre 8-b118, b119

*** Steps to reproduce:
0) Install jre 8-b119
1) Enable the certificate revocation checks by default 
2) Use any browser to load the signed test applet:
http://www.oxygenxml.com/demo/AuthorDemoApplet/author-component-dita.html

Wait for applet resources to download and at the end, if you see the certificate validation failed due to java.lang.ClassCastException: com.sun.deploy.security.X509CertificateWrapper cannot be cast to sun.security.x509.X509CertImpl, the issue is reproducible

The problem does not occur if using jre 8-b118 
Comments
RULE closed/java/security/cert/CertPathValidator/OCSP/ValidateUsingOCSPCache.java Exception java.lang.ClassCastException: X509CertificateWrapper cannot be cast to sun.security.x509.X509CertImpl
14-01-2014

java/security/cert/CertPathValidator/OCSP/ValidateUsingOCSPCache.java has passed since B122
10-01-2014

Oracle Forms reported the same issue - Steps to Reproduce (be specific):
1) Install the latest JDK8 Build 120 on Windows 7.
2) Run the below given URL: http://adc2180645.us.oracle.com:8888/forms/frmservlet.
3) An application Blocked security warning is displayed as "Failed to validate certificate and the application will not be executed". On clicking the More Information button you can see the below exception list:
java.lang.ClassCastException: com.sun.deploy.security.X509CertificateWrapper cannot be cast to sun.security.x509.X509CertImpl
    at sun.security.provider.certpath.OCSPResponse.verify(Unknown Source)
    at sun.security.provider.certpath.OCSP.check(Unknown Source)
    at sun.security.provider.certpath.OCSP.check(Unknown Source)
    at sun.security.provider.certpath.OCSP.check(Unknown Source)
    at com.sun.deploy.security.RevocationChecker.checkOCSP(Unknown Source)
    at com.sun.deploy.security.RevocationChecker.check(Unknown Source)
    at com.sun.deploy.security.TrustDecider.checkRevocationStatus(Unknown Source)
    at com.sun.deploy.security.TrustDecider.getValidationState(Unknown Source)
    at com.sun.deploy.security.TrustDecider.validateChain(Unknown Source)
    at com.sun.deploy.security.TrustDecider.isAllPermissionGranted(Unknown Source)
    at sun.plugin2.applet.Plugin2ClassLoader.isTrustedByTrustDecider(Unknown Source)
    at sun.plugin2.applet.Plugin2ClassLoader.getTrustedCodeSources(Unknown Source)
    at com.sun.deploy.security.CPCallbackHandler$ParentCallback.strategy(Unknown Source)
    at com.sun.deploy.security.CPCallbackHandler$ParentCallback.openClassPathElement(Unknown Source)
    at com.sun.deploy.security.DeployURLClassPath$JarLoader.getJarFile(Unknown Source)
    at com.sun.deploy.security.DeployURLClassPath$JarLoader.access$1000(Unknown Source)
    at com.sun.deploy.security.DeployURLClassPath$JarLoader$1.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.sun.deploy.security.DeployURLClassPath$JarLoader.ensureOpen(Unknown Source)
    at com.sun.deploy.security.DeployURLClassPath$JarLoader.<init>(Unknown Source)
    at com.sun.deploy.security.DeployURLClassPath$3.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.sun.deploy.security.DeployURLClassPath.getLoader(Unknown Source)
    at com.sun.deploy.security.DeployURLClassPath.getLoader(Unknown Source)
    at com.sun.deploy.security.DeployURLClassPath.getResource(Unknown Source)
    at sun.plugin2.applet.Plugin2ClassLoader$1.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.plugin2.applet.Plugin2ClassLoader.findClassHelper(Unknown Source)
    at sun.plugin2.applet.Applet2ClassLoader.findClass(Unknown Source)
    at sun.plugin2.applet.Plugin2ClassLoader.loadClass0(Unknown Source)
    at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
    at sun.plugin2.applet.Plugin2ClassLoader.loadClass0(Unknown Source)
    at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
    at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
    at java.lang.ClassLoader.loadClass(Unknown Source)
    at sun.plugin2.applet.Plugin2ClassLoader.loadCode(Unknown Source)
    at sun.plugin2.applet.Plugin2Manager.initAppletAdapter(Unknown Source)
    at sun.plugin2.applet.Plugin2Manager$AppletExecutionRunnable.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
4) On clicking the OK button an application error is thrown which states that "User has denied the privileges to the code". Please refer to attachment "JDK8_B120.jpg" attached with the same mail.
23-12-2013

Release team: Approved for fixing
17-12-2013

Affected tests: JawsOcspAndCrlCheckTest::testWholeChainValidCheckWholeJNLP
13-12-2013

SQE approves this critical request. This is a regression. The regression test coverage is good.
12-12-2013

This issue will happen on Windows 7 SP1 x86 and Windows 8 x64 using jre8b119 for plugin entrustScenarios/ClassicPreserve entrustScenarios/ClassicReplace entrustScenarios/Toolkit oraclePreTrustedCertManualScenarios/testJavaRemovalApplet
11-12-2013

This issue will happen on Windows 8.1 x64, Windows 7 SP1 x86, Ubuntu 12.04 x86 and Mac OS 10.8 (x64) using jre8b119 for applet set3/jgames_ChineseChecker set3/jgames_Middoploy set3/jgames_NavyBattle
11-12-2013

The problem is in OCSPResponse.verify: certs.add((X509CertImpl) issuerCert); We incorrectly assume the certificate is an instanceof X509CertImpl. Since these internal APIs are called by deployment code which passes in their own subclass of X509Certificate, that is not always true. The fix is to use X509CertImpl.toImpl() to first convert it to an X509CertImpl.
09-12-2013

All applets/applications using CRL/OCSP are failing (including Entrust test applets) due to this bug and everything works fine if I disable the OCSP/CRL check.
09-12-2013

Exception details:
java.lang.ClassCastException: com.sun.deploy.security.X509CertificateWrapper cannot be cast to sun.security.x509.X509CertImpl
    at sun.security.provider.certpath.OCSPResponse.verify(Unknown Source)
    at sun.security.provider.certpath.OCSP.check(Unknown Source)
    at sun.security.provider.certpath.OCSP.check(Unknown Source)
    at sun.security.provider.certpath.OCSP.check(Unknown Source)
    at com.sun.deploy.security.RevocationChecker.checkOCSP(Unknown Source)
    at com.sun.deploy.security.RevocationChecker.check(Unknown Source)
    at com.sun.deploy.security.TrustDecider.checkRevocationStatus(Unknown Source)
    at com.sun.deploy.security.TrustDecider.getValidationState(Unknown Source)
    at com.sun.deploy.security.TrustDecider.validateChain(Unknown Source)
    at com.sun.deploy.security.TrustDecider.isAllPermissionGranted(Unknown Source)
    at com.sun.javaws.security.AppPolicy.grantUnrestrictedAccess(Unknown Source)
    at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResourcesHelper(Unknown Source)
    at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResources(Unknown Source)
    at sun.plugin2.applet.JNLP2Manager.prepareLaunchFile(Unknown Source)
    at sun.plugin2.applet.JNLP2Manager.loadJarFiles(Unknown Source)
    at sun.plugin2.applet.Plugin2Manager$AppletExecutionRunnable.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
- trace file attached
09-12-2013

I do not think deploy integrated anything in b119. Wonder if something changed in jre. What's the full stack trace?
09-12-2013