JDK-4775420 : REGRESSION: Signed applet fails only on JRE 1.3.1_06
  • Type: Bug
  • Component: deploy
  • Sub-Component: plugin
  • Affected Version: 1.3.1_06
  • Priority: P4
  • Status: Resolved
  • Resolution: Fixed
  • OS: windows_xp
  • CPU: x86
  • Submitted: 2002-11-07
  • Updated: 2003-03-18
  • Resolved: 2003-03-18
Version table:
  • 1.3.1_08 08: Fixed
  • 1.4.1_03: Fixed
Description
Name: gm110360			Date: 11/07/2002


FULL PRODUCT VERSION :
java version "1.3.1_06"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.3.1_06-b01)
Java HotSpot(TM) Client VM (build 1.3.1_06-b01, mixed mode)

FULL OPERATING SYSTEM VERSION :

Microsoft Windows XP [Version 5.1.2600]

EXTRA RELEVANT SYSTEM CONFIGURATION :
I am using IE 6.0.

A DESCRIPTION OF THE PROBLEM :
Applets signed with a VeriSign digital certificate will
throw an AccessControlException when using JRE 1.3.1_06.
I've tested applets on JRE 1.3.1_04, JRE 1.3.1_05 and they
ran without any problems.

When attempting to launch a signed applet, JRE 1.3.1_06
will not display the "Java Plug-in Security Warning"
dialog that allows the user to grant or deny permission.

Please contact me if you would like a sample jar file that
has been digitally signed with our certificate.

REGRESSION.  Last worked in version 1.3.1

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
1.  Install JRE 1.3.1_06
2.  Create a simple applet that requires a digital
signature (e.g. accesses the file system.)
3.  Compile the applet.
4.  Jar the class.
5.  Digitally sign the jar file.
6.  Create a simple HTML page with APPLET tag.
7.  Launch HTML page with Internet Explorer.
8.  Applet should throw AccessControlException in console.
9.  Repeat steps with JRE 1.3.1_05 and applet will not
fail.

EXPECTED VERSUS ACTUAL BEHAVIOR :
Expected to receive "Java Plug-in Security Warning"
dialog.  However, received an AccessControlException.

ERROR MESSAGES/STACK TRACES THAT OCCUR :
java.security.AccessControlException: access denied (java.util.PropertyPermission user.home read)
	at java.security.AccessControlContext.checkPermission(Unknown Source)
	at java.security.AccessController.checkPermission(Unknown Source)
	at java.lang.SecurityManager.checkPermission(Unknown Source)
	at java.lang.SecurityManager.checkPropertyAccess(Unknown Source)
	at java.lang.System.getProperty(Unknown Source)
	at TestApplet.init(TestApplet.java:11)
	at sun.applet.AppletPanel.run(Unknown Source)
	at java.lang.Thread.run(Unknown Source)



REPRODUCIBILITY :
This bug can be reproduced always.

---------- BEGIN SOURCE ----------
import java.awt.*;
import java.awt.event.*;
import java.applet.*;
import javax.swing.*;
import java.io.*;

/**
 * Simple applet that reads the files in the user's home directory.
 */
public class TestApplet extends JApplet
{
    public void init()
    {
        String userHomePath = System.getProperty("user.home");
        File userHomeDirectory = new File(userHomePath);
        File f[] = userHomeDirectory.listFiles();
        String str = new String();
        for (int i = 0; i < f.length; i++)
        {
            str = str + f[i].getName();
            str = str + ",";
        }

        JLabel jLabel1 = new JLabel();
        jLabel1.setText(str);
        setSize(new Dimension(400,300));
        getContentPane().add(jLabel1, BorderLayout.CENTER);
    }
}

********************
****  HTML Code ****
********************

<HTML>
	<APPLET CODE="TestApplet" ARCHIVE="Test.jar" WIDTH="200" HEIGHT="200">
	</applet>
</html>


---------- END SOURCE ----------
(Review ID: 166760) 
======================================================================

Fri Nov 08 11:59:22 MST 2002	gmanwani

Comments
CONVERTED DATA

BugTraq+ Release Management Values

COMMIT TO FIX: 1.3.1_08 1.4.1_03
FIXED IN: 1.3.1_08 1.4.1_03
INTEGRATED IN: 1.3.1_08 1.4.1_03
14-06-2004

EVALUATION

Reassign to CTE team.
###@###.### 2002-11-15
-------------------------------------------------

This bug is due to the fix for bug 4735737 - Fix certificate-chain validation.

The fix for 4735737 checks if the certificate entries are valid. For an invalid certificate, it just silently denies the permissions of the applet. A subsequent bug 4766835 (security warning dialog should be popped up for invalid certificate) had been filed for warning the user regarding invalid certificate. The fix for 4766835 is already in mantis and should be backported to previous update releases which contain the fix for 4735737.

I've signed the test applet with a valid Sun certificate and it ran successfully with jre 1.3.1_05 and 1.3.1_07. Since the integration of fix for 4735737 in 1.3.1_06, self-signed certificate won't be considered as a valid certificate.
###@###.### 2003-01-08
---------------------------------------------------

To fix the bug, we should skip the extensions check for the last certificate in the certificate chain. In TrustDecider.java, I've made the following additional change:

from:
    if (rootStore.contains(currentCert) == false)
to:
    if (rootStore.contains(currentCert) == false && (i+1) != certs.length && isIssuerOf(currentCert, issuerCert))

For 1.3.1_08, I backported fix for 4766835 plus the changes mentioned above.

Webrev at: http://jpsesvr.sfbay.sun.com:8080/ctetools/servlet/sun.cte.codeMngt.ViewDetail?op=view&id=551
###@###.### 2003-02-13

I've backported the fix for 4780497 into 1.4.1_03 which also fixes this problem.
###@###.### 2003-03-11
13-02-2003
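
For anyone triaging a similar "signed applet silently denied" report, the following is an added diagnostic, not code from this bug report or from the Java Plug-in. It prints, for each certificate in a signed JAR's signer chain, the facts the evaluation talks about: its position in the chain, whether it is self-issued, its basic-constraints value, and whether the next certificate issued it. Assumptions: modern Java (7 or later), a single signer, and the hypothetical class name SignerChainReport; the default path Test.jar is the archive name from the report's HTML.

```java
import java.io.InputStream;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

// Added diagnostic (hypothetical name), not Plug-in code. Assumes a single signer.
public class SignerChainReport {
    public static void main(String[] args) throws Exception {
        String path = args.length > 0 ? args[0] : "Test.jar"; // archive name from the report
        try (JarFile jar = new JarFile(path, true)) {          // true = verify signatures
            for (Enumeration<JarEntry> e = jar.entries(); e.hasMoreElements();) {
                JarEntry entry = e.nextElement();
                if (entry.isDirectory() || entry.getName().startsWith("META-INF/")) continue;
                // Signer certificates are only available once the entry has been read fully;
                // a tampered entry makes the read throw SecurityException.
                try (InputStream in = jar.getInputStream(entry)) {
                    byte[] buf = new byte[8192];
                    while (in.read(buf) != -1) { }
                }
                Certificate[] certs = entry.getCertificates();
                if (certs == null) {
                    System.out.println(entry.getName() + ": UNSIGNED");
                    continue;
                }
                System.out.println(entry.getName() + ": " + certs.length + " certificate(s)");
                for (int i = 0; i < certs.length; i++) report(i, certs);
                return; // the first signed entry is enough for this report
            }
        }
    }

    static void report(int i, Certificate[] certs) {
        X509Certificate c = (X509Certificate) certs[i];
        boolean last = (i + 1) == certs.length;
        boolean selfIssued = c.getSubjectX500Principal().equals(c.getIssuerX500Principal());
        String validity = "within validity period";
        try { c.checkValidity(); } catch (Exception ex) { validity = "NOT VALID NOW: " + ex.getMessage(); }
        String signedByNext = "n/a (end of chain)";
        if (!last) {
            try { c.verify(certs[i + 1].getPublicKey()); signedByNext = "yes"; }
            catch (Exception ex) { signedByNext = "NO: " + ex; }
        }
        // getBasicConstraints() returns -1 when the certificate is not marked as a CA.
        System.out.println("  [" + i + "] " + c.getSubjectX500Principal().getName()
            + "\n      last=" + last + " self-issued=" + selfIssued + " basicConstraints="
            + c.getBasicConstraints() + " signed-by-next=" + signedByNext + ", " + validity);
    }
}
```

A chain of length one whose only certificate is self-issued is the self-signed case the evaluation describes; whether a given runtime accepts it still depends on that runtime's root store and policy.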