JDK-7197652

Impossible to run any signed JNLP applications or applets, OCSP off by default

    Details

    • Subcomponent:
    • Introduced In Version:
      7u6
    • Resolved In Build:
      b08
    • CPU:
      generic, x86
    • OS:
      generic, windows_7
    • Verification:
      Verified

        Description

        FULL PRODUCT VERSION :
        Java 1.7 update 7

        ADDITIONAL OS VERSION INFORMATION :
        Windows 7 64 bits

        A DESCRIPTION OF THE PROBLEM :
        OCSP was enabled by default until Java 1.6. Now, it is disabled by default. When I try to run a signed applet or a signed application, it simply fails.

        REGRESSION. Last worked in version 6u31

        STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
        Go to http://jogamp.org/deployment/jogamp-current/jogl-demos/jogl-newt-applet-runner-gears.html

        EXPECTED VERSUS ACTUAL BEHAVIOR :
        EXPECTED -
        The famous Gears demo works.
        ACTUAL -
        You can see the actual result here: http://forum.jogamp.org/file/n4026082/jogamp-cert-key-7.png

        Someone else has a similar problem with SKT editor here: http://www.java.net/forum/topic/jdk/java-se-snapshots-project-feedback/os-x-jdk-7u6-will-not-run-signed-jnlp-apps



        ERROR MESSAGES/STACK TRACES THAT OCCUR :
        java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: java.security.InvalidKeyException: Wrong key usage
        at com.sun.deploy.security.TrustDecider.doCheckRevocationStatus(Unknown Source)
        at com.sun.deploy.security.TrustDecider.validateChain(Unknown Source)
        at com.sun.deploy.security.TrustDecider.isAllPermissionGranted(Unknown Source)
        at com.sun.javaws.security.AppPolicy.grantUnrestrictedAccess(Unknown Source)
        at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResourcesHelper(Unknown Source)
        at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResources(Unknown Source)
        at com.sun.javaws.Launcher.prepareResources(Unknown Source)
        at com.sun.javaws.Launcher.prepareAllResources(Unknown Source)
        at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
        at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
        at com.sun.javaws.Launcher.launch(Unknown Source)
        at com.sun.javaws.Main.launchApp(Unknown Source)
        at com.sun.javaws.Main.continueInSecureThread(Unknown Source)
        at com.sun.javaws.Main.access$000(Unknown Source)
        at com.sun.javaws.Main$1.run(Unknown Source)
        at java.lang.Thread.run(Thread.java:722)
        Caused by: java.security.cert.CertPathValidatorException: java.security.InvalidKeyException: Wrong key usage
        at sun.security.provider.certpath.OCSPResponse.verifyResponse(OCSPResponse.java:541)
        at sun.security.provider.certpath.OCSPResponse.<init>(OCSPResponse.java:494)
        at sun.security.provider.certpath.OCSP.check(OCSP.java:261)
        at sun.security.provider.certpath.OCSP.check(OCSP.java:165)
        at sun.security.provider.certpath.OCSP.check(OCSP.java:130)
        at com.sun.deploy.security.TrustDecider.doOCSPEEValidation(Unknown Source)
        ... 16 more
        Caused by: java.security.InvalidKeyException: Wrong key usage
        at java.security.Signature.initVerify(Signature.java:490)
        at sun.security.provider.certpath.OCSPResponse.verifyResponse(OCSPResponse.java:524)
        ... 21 more

        REPRODUCIBILITY :
        This bug can be reproduced always.

        ---------- BEGIN SOURCE ----------
        https://github.com/sgothel/jogl-demos/blob/master/src/demos/gears/Gears.java
        ---------- END SOURCE ----------

        CUSTOMER SUBMITTED WORKAROUND :
        Open the Java Control Panel and go to System Preferences > Other > Java > Advanced > "Enable online certificate validation" (the end users should not have to do this by default, it is really annoying).

                People

                Assignee:
                vinnie Vincent Ryan
                Reporter:
                webbuggrp Webbug Group