JDK-7197652 : Impossible to run any signed JNLP applications or applets, OCSP off by default
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 7,7u7,8
  • Priority: P2
  • Status: Closed
  • Resolution: Fixed
  • OS: generic,windows_7
  • CPU: generic,x86
  • Submitted: 2012-09-11
  • Updated: 2015-10-14
  • Resolved: 2012-12-13
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 6 JDK 7 JDK 8
6u95Fixed 7u10Fixed 8Resolved
Related Reports
Duplicate :  
Relates :  
Relates :  
Description
FULL PRODUCT VERSION :
Java 1.7 update 7

ADDITIONAL OS VERSION INFORMATION :
Windows 7 64 bits

A DESCRIPTION OF THE PROBLEM :
OSCP was enabled by default until Java 1.6. Now, it is disabled by default. When I try to run a signed applet or a signed application, it simply fails.

REGRESSION.  Last worked in version 6u31

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Go to http://jogamp.org/deployment/jogamp-current/jogl-demos/jogl-newt-applet-runner-gears.html

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
The famous Gears demo works.
ACTUAL -
You can see the actual result here: http://forum.jogamp.org/file/n4026082/jogamp-cert-key-7.png

Someone else has a similar problem with SKT editor here: http://www.java.net/forum/topic/jdk/java-se-snapshots-project-feedback/os-x-jdk-7u6-will-not-run-signed-jnlp-apps



ERROR MESSAGES/STACK TRACES THAT OCCUR :
java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: java.security.InvalidKeyException: Wrong key usage
at com.sun.deploy.security.TrustDecider.doCheckRevocationStatus(Unknown Source)
at com.sun.deploy.security.TrustDecider.validateChain(Unknown Source)
at com.sun.deploy.security.TrustDecider.isAllPermissionGranted(Unknown Source)
at com.sun.javaws.security.AppPolicy.grantUnrestrictedAccess(Unknown Source)
at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResourcesHelper(Unknown Source)
at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResources(Unknown Source)
at com.sun.javaws.Launcher.prepareResources(Unknown Source)
at com.sun.javaws.Launcher.prepareAllResources(Unknown Source)
at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
at com.sun.javaws.Launcher.launch(Unknown Source)
at com.sun.javaws.Main.launchApp(Unknown Source)
at com.sun.javaws.Main.continueInSecureThread(Unknown Source)
at com.sun.javaws.Main.access$000(Unknown Source)
at com.sun.javaws.Main$1.run(Unknown Source)
at java.lang.Thread.run(Thread.java:722)
Caused by: java.security.cert.CertPathValidatorException: java.security.InvalidKeyException: Wrong key usage
at sun.security.provider.certpath.OCSPResponse.verifyResponse(OCSPResponse.java:541)
at sun.security.provider.certpath.OCSPResponse.(OCSPResponse.java:494)
at sun.security.provider.certpath.OCSP.check(OCSP.java:261)
at sun.security.provider.certpath.OCSP.check(OCSP.java:165)
at sun.security.provider.certpath.OCSP.check(OCSP.java:130)
at com.sun.deploy.security.TrustDecider.doOCSPEEValidation(Unknown Source)
... 16 more
Caused by: java.security.InvalidKeyException: Wrong key usage
at java.security.Signature.initVerify(Signature.java:490)
at sun.security.provider.certpath.OCSPResponse.verifyResponse(OCSPResponse.java:524)
... 21 more

REPRODUCIBILITY :
This bug can be reproduced always.

---------- BEGIN SOURCE ----------
https://github.com/sgothel/jogl-demos/blob/master/src/demos/gears/Gears.java
---------- END SOURCE ----------

CUSTOMER SUBMITTED WORKAROUND :
Open the Java Control Panel and go to System Preferences > Other > Java > Advanced > "Enable online certificate validation" (the end users should not have to do this by default, it is really annoying).

Comments
EVALUATION Address the root cause. The root cause is described in CR 7197652.
20-09-2012

WORK AROUND Open the Java Control Panel and go to System Preferences > Other > Java > Advanced > "Enable online certificate validation" or In the deployment.properties file set deployment.security.validation.ocsp=true
18-09-2012