A multiple click dialog saying "Unable to ensure the certificate used to identify this application has not been revoked" should show up when no ocsp and crl infor in cert or cert only contains crl info but the only crl info is not valid. And after accept it, app should get loaded. But with 8u20, a blocked dialog with message "StatusUnknownException: Certificate does not specify OCSP responder" will show up. Steps to reproduce: 1 Install jre8u20#b00_2014-05-14-0234_339(http://rehudson.us.oracle.com/nightlyws/jdk8u20-deploy/b00_2014-05-14-0234_339/bundles/) 2 Enable OCSP and CRL check from JCP 3 Import root ca cacert.pem to JRE_HOME/lib/security/cacerts to have a valid trusted cert: keytool -import -file cacert.pem -keystore JAVA_HOME/lib/security/cacerts -storepass changeit -alias cakey cacert.pem: http://sqeweb.us.oracle.com/net/sqenfs-1/export1/comp/jsn/users/crystal/DO_NOT_REMOVE_ME/jrebug/JawsOcspAndCrlCheck/lib/cacert.pem 4 Run app signed with a cert which doesn't contain ocsp and crl info in it: javaws http://sqeweb.us.oracle.com/net/sqenfs-1/export1/comp/jsn/users/crystal/DO_NOT_REMOVE_ME/jrebug/JawsOcspAndCrlCheck/jnlp/testOCSPAndCRLEnabledAIAOnlyCACertJNLP.jnlp 5. If a blocked dialog with title "Application Blocked for Security" show up(See attachment 8u20.png), then this bug is reproduced. In more information, it shows: com.sun.deploy.security.RevocationChecker$StatusUnknownException: Certificate does not specify OCSP responder at com.sun.deploy.security.RevocationChecker.checkOCSP(Unknown Source) at com.sun.deploy.security.RevocationChecker.check(Unknown Source) at com.sun.deploy.security.TrustDecider.checkRevocationStatus(Unknown Source) at com.sun.deploy.security.TrustDecider.getValidationState(Unknown Source) at com.sun.deploy.security.TrustDecider.validateChain(Unknown Source) at com.sun.deploy.security.TrustDecider.isAllPermissionGranted(Unknown Source) at com.sun.javaws.security.AppPolicy.grantUnrestrictedAccess(Unknown Source) at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResourcesHelper(Unknown Source) at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResources(Unknown Source) at com.sun.javaws.Launcher.prepareResources(Unknown Source) at com.sun.javaws.Launcher.prepareAllResources(Unknown Source) at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source) at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source) at com.sun.javaws.Launcher.launch(Unknown Source) at com.sun.javaws.Main.launchApp(Unknown Source) at com.sun.javaws.Main.continueInSecureThread(Unknown Source) at com.sun.javaws.Main.access$000(Unknown Source) at com.sun.javaws.Main$1.run(Unknown Source) at java.lang.Thread.run(Unknown Source) Suppressed: com.sun.deploy.security.RevocationChecker$StatusUnknownException at com.sun.deploy.security.RevocationChecker.checkCRLs(Unknown Source) ... 18 more Note: No such issue for 8u5-b13 and 8u11-b05: a multiple click dialog will show up. See attachment 8u5.png
|