JDK-8043582 : App gets blocked instead of showing multiple click dialog when no ocsp and crl info in certificate
  • Type: Bug
  • Component: deploy
  • Sub-Component: webstart
  • Affected Version: 8u20,8u25
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • Submitted: 2014-05-21
  • Updated: 2014-07-29
  • Resolved: 2014-05-28
  • JDK 8: 8u20 b19 (Fixed)
  • JDK 9: 9 (Fixed)
Description
A multiple click dialog saying "Unable to ensure the certificate used to identify this application has not been revoked" should show up when the certificate contains no OCSP or CRL info, or contains only CRL info and that CRL info is not valid. After the user accepts it, the app should load.
With 8u20, however, a blocked dialog with the message "StatusUnknownException: Certificate does not specify OCSP responder" shows up instead.

Steps to reproduce:
1. Install jre8u20#b00_2014-05-14-0234_339 (http://rehudson.us.oracle.com/nightlyws/jdk8u20-deploy/b00_2014-05-14-0234_339/bundles/)
2. Enable OCSP and CRL checking from JCP.
3. Import the root CA cacert.pem into JRE_HOME/lib/security/cacerts so that the signing cert is trusted:
keytool -import -file cacert.pem -keystore JAVA_HOME/lib/security/cacerts -storepass changeit -alias cakey
cacert.pem: http://sqeweb.us.oracle.com/net/sqenfs-1/export1/comp/jsn/users/crystal/DO_NOT_REMOVE_ME/jrebug/JawsOcspAndCrlCheck/lib/cacert.pem
4. Run an app signed with a cert that contains no OCSP or CRL info:
javaws http://sqeweb.us.oracle.com/net/sqenfs-1/export1/comp/jsn/users/crystal/DO_NOT_REMOVE_ME/jrebug/JawsOcspAndCrlCheck/jnlp/testOCSPAndCRLEnabledAIAOnlyCACertJNLP.jnlp
5. If a blocked dialog titled "Application Blocked for Security" shows up (see attachment 8u20.png), the bug is reproduced. Under "More Information" it shows:
com.sun.deploy.security.RevocationChecker$StatusUnknownException: Certificate does not specify OCSP responder
	at com.sun.deploy.security.RevocationChecker.checkOCSP(Unknown Source)
	at com.sun.deploy.security.RevocationChecker.check(Unknown Source)
	at com.sun.deploy.security.TrustDecider.checkRevocationStatus(Unknown Source)
	at com.sun.deploy.security.TrustDecider.getValidationState(Unknown Source)
	at com.sun.deploy.security.TrustDecider.validateChain(Unknown Source)
	at com.sun.deploy.security.TrustDecider.isAllPermissionGranted(Unknown Source)
	at com.sun.javaws.security.AppPolicy.grantUnrestrictedAccess(Unknown Source)
	at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResourcesHelper(Unknown Source)
	at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResources(Unknown Source)
	at com.sun.javaws.Launcher.prepareResources(Unknown Source)
	at com.sun.javaws.Launcher.prepareAllResources(Unknown Source)
	at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
	at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
	at com.sun.javaws.Launcher.launch(Unknown Source)
	at com.sun.javaws.Main.launchApp(Unknown Source)
	at com.sun.javaws.Main.continueInSecureThread(Unknown Source)
	at com.sun.javaws.Main.access$000(Unknown Source)
	at com.sun.javaws.Main$1.run(Unknown Source)
	at java.lang.Thread.run(Unknown Source)
	Suppressed: com.sun.deploy.security.RevocationChecker$StatusUnknownException
		at com.sun.deploy.security.RevocationChecker.checkCRLs(Unknown Source)
		... 18 more

Note: No such issue with 8u5-b13 and 8u11-b05: a multiple click dialog shows up there. See attachment 8u5.png.
Comments
Affected tests:
FXOcspAndCrlCheckTest::testFailToAccessCerRevoSite_High
FXOcspAndCrlCheckTest::testFailToAccessCerRevoSite_JNLP_High
FXOcspAndCrlCheckTest::testFailToAccessCerRevoSite_SB_High
FXOcspAndCrlCheckTest::testFailToAccessCerRevoSite_SB_JNLP_High
FXOcspAndCrlCheckTest::testFailToAccessCerRevoSite_VeryHigh
FXOcspAndCrlCheckTest::testFailToAccessCerRevoSite_JNLP_VeryHigh
FXOcspAndCrlCheckTest::testFailToAccessCerRevoSite_SB_VeryHigh
FXOcspAndCrlCheckTest::testFailToAccessCerRevoSite_SB_JNLP_VeryHigh
OcspAndCrlCheckTest::testFailToAccessCerRevoSite_High
OcspAndCrlCheckTest::testFailToAccessCerRevoSite_High_SB
OcspAndCrlCheckTest::testFailToAccessCerRevoSite_JNLP_High
OcspAndCrlCheckTest::testFailToAccessCerRevoSite_JNLP_High_SB
OcspAndCrlCheckTest::testFailToAccessCerRevoSite_JNLP_Medium
OcspAndCrlCheckTest::testFailToAccessCerRevoSite_JNLP_Medium_SB
OcspAndCrlCheckTest::testFailToAccessCerRevoSite_Medium
OcspAndCrlCheckTest::testFailToAccessCerRevoSite_Medium_SB
OcspAndCrlCheckTest::testSoftFailAccessRevocation
OcspAndCrlCheckTest::testSoftFailAccessRevocation_JNLP
23-05-2014

The example jnlp has no codebase and non-fully-qualified hrefs for the jnlp file and jar resources, and will not work on jdk9. I posted a modified jnlp file at: http://oklahoma.us.oracle.com/www/tests/1.9.0/8043582/ which includes the href and can reproduce the problem with JDK9.

Also note: do not use instructions that ask the user to modify the JRE's cacerts file! Instead, either sign with a real cert, or ask the user to use JCP to import the cert into the user's "Signer CA" certificate store.

The problem is caused by a typo in SecuritySettings.java:
{" true", "false"}, /* revocation checker best effort (ok if cannot get) */
The extra space in the String " true" makes it not equal to "true". The problem exists in JDK9 and 8u20 only, and is a regression caused by https://bugs.openjdk.java.net/browse/JDK-8033389
22-05-2014
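The mechanism behind that typo, as an added illustration rather than the JDK deploy code itself (class, method and enum names are hypothetical): the "best effort" flag is read from a defaults table with an exact string compare, so the leading space in " true" turns an unknown revocation status (no OCSP or CRL info in the cert) from "ask the user" into "block"; a whitespace-tolerant parse beside it shows the defensive alternative.

```java
// Hypothetical model of the setting described in JDK-8043582; not the
// com.sun.deploy code. Each default is {value, canUserOverride}.
public class RevocationSoftFailDemo {
    static final String[] BUGGY_DEFAULT = {" true", "false"};  // stray space, as in the bug
    static final String[] FIXED_DEFAULT = {"true", "false"};   // corrected default

    enum Status { GOOD, REVOKED, UNKNOWN }
    enum Outcome { LOAD, ASK_USER, BLOCK }

    // Exact comparison: " true" is not "true", so best effort reads as off.
    static boolean bestEffortStrict(String[] setting) {
        return "true".equals(setting[0]);
    }

    // Defensive parse: trim and ignore case so a stray space in a default
    // cannot silently flip a security policy from soft-fail to hard-fail.
    static boolean bestEffortLenient(String[] setting) {
        return Boolean.parseBoolean(setting[0].trim());
    }

    // UNKNOWN status is a soft failure (prompt the user) only while best
    // effort checking is enabled; otherwise it is handled like a hard failure.
    static Outcome decide(Status status, boolean bestEffort) {
        switch (status) {
            case GOOD:    return Outcome.LOAD;
            case REVOKED: return Outcome.BLOCK;
            default:      return bestEffort ? Outcome.ASK_USER : Outcome.BLOCK;
        }
    }

    public static void main(String[] args) {
        // A cert with no OCSP responder and no usable CRL yields UNKNOWN.
        Status s = Status.UNKNOWN;
        System.out.println("buggy default, strict compare:  "
                + decide(s, bestEffortStrict(BUGGY_DEFAULT)));
        System.out.println("fixed default, strict compare:  "
                + decide(s, bestEffortStrict(FIXED_DEFAULT)));
        System.out.println("buggy default, lenient parse:   "
                + decide(s, bestEffortLenient(BUGGY_DEFAULT)));
    }
}
```

Only the first line reproduces the blocked dialog from the report; the other two give the multiple click prompt the description expects.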

regression_test_src: http://sqe-hg.us.oracle.com/hg/index.cgi/testbase/javase/functional/8/deployment2/file/6ffc03bf89f6/new_framework/tests/javaws/JawsOcspAndCrlCheck/src/JawsOcspAndCrlCheckTest.java JawsOcspAndCrlCheckTest::testOCSPAndCRLEnabledAIAOnlyCACertJNLP
21-05-2014

Affected tests:
JawsOcspAndCrlCheckTest::testCertLDAPInvalidCRLJNLP
JawsOcspAndCrlCheckTest::testCertLDAPInvalidCRLSBJNLP
JawsOcspAndCrlCheckTest::testCertLDAPNoCRLJNLP
JawsOcspAndCrlCheckTest::testCertLDAPNoCRLSBJNLP
JawsOcspAndCrlCheckTest::testOCSPAndCRLEnabledAIAOnlyCACertJNLP
JawsOcspAndCrlCheckTest::testMultiJarValidCertDoubleSignOnlyB
JawsOcspAndCrlCheckTest::testMultiJarValidCertDoubleSignOnlyB_SB
21-05-2014