JDK-8074258 : OCSP revocation checking with autoproxy fails with NPE
  • Type: Bug
  • Component: deploy
  • Sub-Component: webstart
  • Affected Version: 7u75
  • Priority: P4
  • Status: Closed
  • Resolution: Duplicate
  • OS: windows_7
  • CPU: x86_64
  • Submitted: 2015-01-23
  • Updated: 2015-03-03
  • Resolved: 2015-03-03
Related Reports
Duplicate :  
Description
FULL PRODUCT VERSION :
java version "1.7.0_75"
Java(TM) SE Runtime Environment (build 1.7.0_75-b13)
Java HotSpot(TM) Client VM (build 24.75-b04, mixed mode, sharing)

ADDITIONAL OS VERSION INFORMATION :
Microsoft Windows [Version 6.1.7601]

EXTRA RELEVANT SYSTEM CONFIGURATION :
Internet access only via proxy server. 
Internet Explorer 10.
Configured with auto proxy (proxy PAC)
Java Control Panel network settings configured to use browser settings.

A DESCRIPTION OF THE PROBLEM :
We have a Java webstart application which has been digitally signed with a trusted certificate (Entrust). The certificate has an OCSP revocation URL.

Downloading and starting the application performs a certificate revocation check (OCSP). This check fails with a NullPointerException, resulting in the application failing to start with an on-screen message "Failed to validate certificate."


ADDITIONAL REGRESSION INFORMATION: 
java version "1.7.0_75"
Java(TM) SE Runtime Environment (build 1.7.0_75-b13)
Java HotSpot(TM) Client VM (build 24.75-b04, mixed mode, sharing)

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
1. From a client PC that has no direct access to the internet.
2. Configure default browser to use an auto-proxy file, not configured directly with a proxy address.
3. Update Network Settings in Java Control Panel to use browser settings.
4. Ensure Java Control Panel advanced settings are set for revocation checks:
  a) Check for signed code certificate revocation using "Both CRLs and OCSP"
  b) Perform signed code certificate revocation checks on "All certificates in the chain of trust"
5. Run a JNLP application which is signed with a trusted certificate.


EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Application downloads, verifies and starts.
ACTUAL -
Application downloads and fails to verify the certificate.
Webstart message displayed: "Failed to validate certificate. The application will not be executed.". Clicking the More Information button displays the Exception stack trace.

ERROR MESSAGES/STACK TRACES THAT OCCUR :
Stack trace details:

java.lang.NullPointerException
	at com.sun.deploy.net.proxy.DeployProxySelector.select(Unknown Source)
	at sun.net.www.protocol.http.HttpURLConnection.plainConnect(Unknown Source)
	at sun.net.www.protocol.http.HttpURLConnection.connect(Unknown Source)
	at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(Unknown Source)
	at sun.security.provider.certpath.OCSP.check(Unknown Source)
	at sun.security.provider.certpath.OCSP.check(Unknown Source)
	at sun.security.provider.certpath.OCSP.check(Unknown Source)
	at com.sun.deploy.security.RevocationChecker.checkOCSP(Unknown Source)
	at com.sun.deploy.security.RevocationChecker.check(Unknown Source)
	at com.sun.deploy.security.TrustDecider.checkRevocationStatus(Unknown Source)
	at com.sun.deploy.security.TrustDecider.getValidationState(Unknown Source)
	at com.sun.deploy.security.TrustDecider.validateChain(Unknown Source)
	at com.sun.deploy.security.TrustDecider.isAllPermissionGranted(Unknown Source)
	at com.sun.javaws.security.AppPolicy.grantUnrestrictedAccess(Unknown Source)
	at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResourcesHelper(Unknown Source)
	at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResources(Unknown Source)
	at com.sun.javaws.Launcher.prepareResources(Unknown Source)
	at com.sun.javaws.Launcher.prepareAllResources(Unknown Source)
	at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
	at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
	at com.sun.javaws.Launcher.launch(Unknown Source)
	at com.sun.javaws.Main.launchApp(Unknown Source)
	at com.sun.javaws.Main.continueInSecureThread(Unknown Source)
	at com.sun.javaws.Main.access$000(Unknown Source)
	at com.sun.javaws.Main$1.run(Unknown Source)
	at java.lang.Thread.run(Unknown Source)


REPRODUCIBILITY :
This bug can be reproduced always.

CUSTOMER SUBMITTED WORKAROUND :
1. Disable OCSP revocation check in the Java control panel.
or
2. Change the Network Settings in the Java Control Panel to manually specify the proxy server instead of using the browser settings.


Comments
Most likely, the problem should go away with the fix from JDK-8061648.
27-01-2015