JDK-8132011 : OCSP revocation checking with autoproxy fails with NPE
  • Type: Bug
  • Component: deploy
  • Sub-Component: webstart
  • Affected Version: 8u51
  • Priority: P3
  • Status: Resolved
  • Resolution: Cannot Reproduce
  • OS: windows_7
  • CPU: x86
  • Submitted: 2015-07-20
  • Updated: 2016-03-08
  • Resolved: 2016-03-08
JDK 9: 9 Resolved
Related Reports
Duplicate :  
Description
FULL PRODUCT VERSION :
java version "1.8.0_51"
Java(TM) SE Runtime Environment (build 1.8.0_51-b16)
Java HotSpot(TM) Client VM (build 25.51-b03, mixed mode)

ADDITIONAL OS VERSION INFORMATION :
Windows 7 Professional SP1

EXTRA RELEVANT SYSTEM CONFIGURATION :
Internet access only via proxy server.
Internet Explorer 11.
Configured with auto proxy (proxy PAC)
Java Control Panel network settings configured to use browser settings. 
Webstart application hosted on a local server (not internet), i.e. does not require proxy access.

A DESCRIPTION OF THE PROBLEM :
We have a Java webstart application which has been digitally signed with a trusted certificate (Entrust). The certificate has an OCSP revocation url http://ocsp.entrust.net, which is hosted on the internet and will require access via a proxy server.

Downloading and starting the application performs a certificate revocation check (OCSP). This check fails with a NullPointerException, resulting in the application failing to start with an on-screen message "Failed to validate certificate." 

Previously reported as https://bugs.openjdk.java.net/browse/JDK-8074258 (closed)

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
1. From a client PC that has no direct access to the internet.
2. Configure default browser to use an auto-proxy file, not configured directly with a proxy address.
3. Update Network Settings in Java Control Panel to use browser settings
4. Ensure Java Control Panel advanced settings are set for revocation checks:
  a) Check for signed code certificate revocation using "Both CRLs and OCSP"
  b) Perform signed code certificate revocation checks on "All certificates in the chain of trust"
5. Run a JNLP application which is signed with a trusted certificate. 

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Application downloads, verifies and starts. 
ACTUAL -
Application downloads and fails to verify the certificate.
Webstart message displayed: "Failed to validate certificate. The application will not be executed.". Clicking the More Information button displays the Exception stack trace:

java.lang.NullPointerException
	at com.sun.deploy.net.proxy.DeployProxySelector.select(Unknown Source)
	at sun.net.www.protocol.http.HttpURLConnection.plainConnect0(Unknown Source)
	at sun.net.www.protocol.http.HttpURLConnection$6.run(Unknown Source)
	at sun.net.www.protocol.http.HttpURLConnection$6.run(Unknown Source)
	at java.security.AccessController.doPrivileged(Native Method)
	at java.security.AccessController.doPrivileged(Unknown Source)
	at sun.net.www.protocol.http.HttpURLConnection.plainConnect(Unknown Source)
	at sun.net.www.protocol.http.HttpURLConnection.connect(Unknown Source)
	at sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(Unknown Source)
	at sun.net.www.protocol.http.HttpURLConnection.access$100(Unknown Source)
	at sun.net.www.protocol.http.HttpURLConnection$8.run(Unknown Source)
	at sun.net.www.protocol.http.HttpURLConnection$8.run(Unknown Source)
	at java.security.AccessController.doPrivileged(Native Method)
	at java.security.AccessController.doPrivileged(Unknown Source)
	at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(Unknown Source)
	at sun.security.provider.certpath.OCSP.check(Unknown Source)
	at sun.security.provider.certpath.OCSP.check(Unknown Source)
	at sun.security.provider.certpath.OCSP.check(Unknown Source)
	at com.sun.deploy.security.RevocationChecker.checkOCSP(Unknown Source)
	at com.sun.deploy.security.RevocationChecker.check(Unknown Source)
	at com.sun.deploy.security.TrustDecider.checkRevocationStatus(Unknown Source)
	at com.sun.deploy.security.TrustDecider.getValidationState(Unknown Source)
	at com.sun.deploy.security.TrustDecider.validateChain(Unknown Source)
	at com.sun.deploy.security.TrustDecider.isAllPermissionGranted(Unknown Source)
	at com.sun.javaws.security.AppPolicy.grantUnrestrictedAccess(Unknown Source)
	at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResourcesHelper(Unknown Source)
	at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResources(Unknown Source)
	at com.sun.javaws.Launcher.prepareResources(Unknown Source)
	at com.sun.javaws.Launcher.prepareAllResources(Unknown Source)
	at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
	at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
	at com.sun.javaws.Launcher.launch(Unknown Source)
	at com.sun.javaws.Main.launchApp(Unknown Source)
	at com.sun.javaws.Main.continueInSecureThread(Unknown Source)
	at com.sun.javaws.Main.access$000(Unknown Source)
	at com.sun.javaws.Main$1.run(Unknown Source)
	at java.lang.Thread.run(Unknown Source)

ERROR MESSAGES/STACK TRACES THAT OCCUR :
Extracts from javaws trace log:

Log started: Mon, 20 Jul 2015 10:52:49 +0100
Java Web Start 11.51.2.16
Using JRE version
 1.8.0_51-b16 Java HotSpot(TM) Client VM
basic: Java part started
basic: jnlpx.jvm: C:\Program Files (x86)\Java\jre1.8.0_51\bin\javaw.exe
basic: jnlpx.splashport: 56943
basic: jnlpx.remove: true
basic: jnlpx.heapsize: null
network: Loading user-defined proxy configuration ...
network: Done.
network: Browser is IE.HTTP
network: Browser is IE
network: Loading proxy configuration from Internet Explorer ...
network:     Auto config URL: http://pac.exacc.com
network: Done.
network: Loading auto proxy configuration ...
cache: CacheEntry IP mismatch: 10.182.94.53 != 10.183.42.14
network: Cache entry not found [url: http://pac.exacc.com/, version: null]
network: Downloading auto proxy file from http://pac.exacc.com
network: Downloading resource: http://pac.exacc.com
	Content-Length: 17,894
	Content-Encoding: null
network: Wrote URL http://pac.exacc.com to File C:\Users\rl\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\53\59225f35-105fe20f-temp
cache: Adding MemoryCache entry: http://pac.exacc.com/
network: Done.
ui: missing resource: java.util.MissingResourceException: Can't find resource for bundle com.sun.deploy.resources.Deployment, key Proxy Configuration: Automatic Proxy Configuration
     URL: http://pac.exacc.com
network: Proxy Configuration: Automatic Proxy Configuration
     URL: http://pac.exacc.com
basic: Using Cp1252 to encode arguments.
basic: Running JVMParams: [JVMParameters: isSecure: true, args: "-Djava.security.debug=certpath" "-Xmx64m"]
	-> [JVMParameters: isSecure: true, args: "-Djava.security.debug=certpath"]
network: Created version ID: 1.6.0.45
network: Created version ID: 1.6
...

...
security: The OCSP support is enabled
security: The CRL support is enabled
certpath: connecting to OCSP service at: http://ocsp.entrust.net
java.lang.IllegalArgumentException: port out of range:-1
	at java.net.InetSocketAddress.checkPort(Unknown Source)
	at java.net.InetSocketAddress.<init>(Unknown Source)
	at com.sun.deploy.net.proxy.DynamicProxyManager$1.run(Unknown Source)
	at java.security.AccessController.doPrivileged(Native Method)
	at com.sun.deploy.net.proxy.DynamicProxyManager.getProxy(Unknown Source)
	at com.sun.deploy.net.proxy.DynamicProxyManager.getProxyList(Unknown Source)
	at com.sun.deploy.net.proxy.DeployProxySelector.select(Unknown Source)
	at sun.net.www.protocol.http.HttpURLConnection.plainConnect0(Unknown Source)
	at sun.net.www.protocol.http.HttpURLConnection$6.run(Unknown Source)
	at sun.net.www.protocol.http.HttpURLConnection$6.run(Unknown Source)
	at java.security.AccessController.doPrivileged(Native Method)
	at java.security.AccessController.doPrivileged(Unknown Source)
	at sun.net.www.protocol.http.HttpURLConnection.plainConnect(Unknown Source)
	at sun.net.www.protocol.http.HttpURLConnection.connect(Unknown Source)
	at sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(Unknown Source)
	at sun.net.www.protocol.http.HttpURLConnection.access$100(Unknown Source)
	at sun.net.www.protocol.http.HttpURLConnection$8.run(Unknown Source)
	at sun.net.www.protocol.http.HttpURLConnection$8.run(Unknown Source)
	at java.security.AccessController.doPrivileged(Native Method)
	at java.security.AccessController.doPrivileged(Unknown Source)
	at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(Unknown Source)
	at sun.security.provider.certpath.OCSP.check(Unknown Source)
	at sun.security.provider.certpath.OCSP.check(Unknown Source)
	at sun.security.provider.certpath.OCSP.check(Unknown Source)
	at com.sun.deploy.security.RevocationChecker.checkOCSP(Unknown Source)
	at com.sun.deploy.security.RevocationChecker.check(Unknown Source)
	at com.sun.deploy.security.TrustDecider.checkRevocationStatus(Unknown Source)
	at com.sun.deploy.security.TrustDecider.getValidationState(Unknown Source)
	at com.sun.deploy.security.TrustDecider.validateChain(Unknown Source)
	at com.sun.deploy.security.TrustDecider.isAllPermissionGranted(Unknown Source)
	at com.sun.javaws.security.AppPolicy.grantUnrestrictedAccess(Unknown Source)
	at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResourcesHelper(Unknown Source)
	at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResources(Unknown Source)
	at com.sun.javaws.Launcher.prepareResources(Unknown Source)
	at com.sun.javaws.Launcher.prepareAllResources(Unknown Source)
	at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
	at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
	at com.sun.javaws.Launcher.launch(Unknown Source)
	at com.sun.javaws.Main.launchApp(Unknown Source)
	at com.sun.javaws.Main.continueInSecureThread(Unknown Source)
	at com.sun.javaws.Main.access$000(Unknown Source)
	at com.sun.javaws.Main$1.run(Unknown Source)
	at java.lang.Thread.run(Unknown Source)
cache: Cancel delay cleanup: URL: http://rjj3:5000/GUI/images/ApplicationIcon.gif | C:\Users\lambertonr\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\37\7d3838e5-4f8a7e11.idx
cache: registerReference: com.sun.deploy.cache.MemoryCache$CachedResourceReference@88add689: 2
cache: registerReference: com.sun.deploy.cache.MemoryCache$CachedResourceReference@88add689: 3
...

REPRODUCIBILITY :
This bug can be reproduced always.

CUSTOMER SUBMITTED WORKAROUND :
1. Disable OCSP revocation check in the Java control panel.
or
2. Change the Network Settings in the Java Control Panel to manually specify the proxy server instead of using the browser settings. 
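
An added example, not code from the JDK or from the reporter: the second trace above shows `InetSocketAddress` rejecting port -1 inside `DynamicProxyManager` during proxy selection, ahead of the OCSP request. The sketch below parses a PAC-style result string and wraps a `ProxySelector` so that a bad entry cannot surface as an unchecked exception or a null list. The class name `SafeProxySelector`, the default ports and the sample PAC strings are assumptions for illustration.

```java
import java.io.IOException;
import java.net.*;
import java.util.*;

// Added example (not JDK code): PAC-result parser plus a defensive ProxySelector wrapper.
public class SafeProxySelector extends ProxySelector {
    private final ProxySelector delegate; // e.g. the selector that evaluates the PAC file
    public SafeProxySelector(ProxySelector delegate) { this.delegate = delegate; }

    // Parses strings such as "PROXY p1.example:8080; PROXY p2.example; DIRECT".
    static List<Proxy> parsePacResult(String pac) {
        List<Proxy> out = new ArrayList<>();
        for (String entry : (pac == null ? "" : pac).split(";")) {
            String[] parts = entry.trim().split("\\s+");
            if (parts[0].equalsIgnoreCase("DIRECT")) { out.add(Proxy.NO_PROXY); continue; }
            boolean socks = parts[0].equalsIgnoreCase("SOCKS");
            if (parts.length != 2 || !(socks || parts[0].equalsIgnoreCase("PROXY"))) continue;
            int colon = parts[1].lastIndexOf(':');
            String host = colon < 0 ? parts[1] : parts[1].substring(0, colon);
            int port = socks ? 1080 : 80; // assumed defaults for entries that carry no port
            if (colon >= 0) {
                try { port = Integer.parseInt(parts[1].substring(colon + 1)); }
                catch (NumberFormatException e) { continue; } // malformed port: skip entry
            }
            // Reject unusable ports; out-of-range values make InetSocketAddress throw.
            if (host.isEmpty() || port < 1 || port > 65535) continue;
            out.add(new Proxy(socks ? Proxy.Type.SOCKS : Proxy.Type.HTTP,
                    InetSocketAddress.createUnresolved(host, port)));
        }
        if (out.isEmpty()) out.add(Proxy.NO_PROXY); // never hand back null or an empty list
        return out;
    }

    @Override public List<Proxy> select(URI uri) {
        try {
            List<Proxy> result = delegate.select(uri);
            if (result != null && !result.isEmpty()) return result;
        } catch (RuntimeException e) {
            System.err.println("proxy selection failed for " + uri + ": " + e);
        }
        // Without a direct route the connect then fails with an IOException the caller can handle.
        return Collections.singletonList(Proxy.NO_PROXY);
    }

    @Override public void connectFailed(URI u, SocketAddress sa, IOException e) { delegate.connectFailed(u, sa, e); }

    public static void main(String[] args) { // constructed sample inputs
        System.out.println(parsePacResult("PROXY p1.example:8080; PROXY p2.example; DIRECT"));
        System.out.println(parsePacResult("PROXY p3.example:notaport")); // falls back to DIRECT
    }
}
```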


Comments
This is a duplicate of JDK-8061648 which has a fix for this issue with JRE version 8u25 and above.
- Report indicates failure with NPE for JRE version 8u51.
- However, I couldn't reproduce this issue as stated with JRE 8u51 (followed exact steps as in the report). Still, moving this up for further review.
21-07-2015