  1. JDK
  2. JDK-8026002

Certificate based DRS rule does not work when main jar is in nested resource block or extension

    Details

    • Subcomponent:
    • Resolved In Build:
      b04
    • CPU:
      x86
    • OS:
      windows_7
    • Verification:
      Not verified

      Backports

        Description

        J2SE Version (please include all output from java -version flag):
           7U45 and 7U40

        java version "1.7.0_40"
           Java(TM) SE Runtime Environment (build 1.7.0_40-b43)
            HotSpot(TM) 64-Bit Server VM (build 24.0-b56, mixed mode)

        Does this problem occur on J2SE 6ux or 7ux? Yes / No (pick one)
           N/A
          

        Operating System Configuration Information (be specific):
           Windows 7 x64

        Hardware Configuration Information (be specific):
           Various


        Bug Description:

        Not able to get a certificate rule to work in a DeploymentRuleSet. Had tried many variations, and none have worked. Was emulating the example shown here:
            https://blogs.oracle.com/java-platform-group/entry/introducing_deployment_rule_sets

        The docs say that only SHA256 is supported now, and that the colons should be stripped. All the examples have the hash in all upper case.

        Using a location rule works fine, but not the certificate ones. Originally tried to let the <action> be to run the application, but having it block made the testing a bit easier.

        The Java security dialog only gives the hash with SHA1, needed to go to the actual jar file to get the SHA256. The keytool command provides:

        Certificate fingerprints:
                 MD5: F1:6C:A8:50:8C:1D:FA:80:0D:56:F3:12:F7:FA:CA:B6
                 SHA1: D4:9D:87:31:A9:E8:5E:19:9E:B0:31:BF:A8:87:C2:9D:2E:C8:71:77
                 SHA256: 4E:81:86:EF:A9:01:D0:5F:8C:9B:B5:3A:70:C4:71:F6:58:E1:2A:D7:63:3C:86:4E:E3:77:A2:88:AA:23:AC:31
                 Signature algorithm name: SHA1withRSA
                 Version: 3

        The SHA1 hash matches the one shown in the security dialog, so it should be using the correct value.

        Steps to Reproduce (be specific):

        Use the DeploymentRuleSet on https://www.ocie.net/OcieDemo/JViewer/webstart.html and watch it not block the application


        1. ruleset.xml
          0.9 kB
          Ting-Yun Ingrid Yao
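
Added example, not part of the original report or of the JDK: a small check that derives the rule hash from keytool output in the form the description mentions (SHA-256, colons stripped, upper case as in the examples) and lints the certificate rules of a ruleset against it. The sample ruleset is constructed for illustration, the function names are hypothetical, and the check covers only hash form and value, not the nested-resource or extension case in the issue title.

```python
import re
import xml.etree.ElementTree as ET

# SHA256 fingerprint exactly as keytool printed it in the report above.
FINGERPRINT = ("4E:81:86:EF:A9:01:D0:5F:8C:9B:B5:3A:70:C4:71:F6:"
               "58:E1:2A:D7:63:3C:86:4E:E3:77:A2:88:AA:23:AC:31")
KEYTOOL_OUTPUT = f"Certificate fingerprints:\n\t SHA256: {FINGERPRINT}\n"

# Constructed ruleset for illustration; NOT the ruleset.xml attached to the issue.
# Rule 1 keeps the colons, rule 2 is in stripped form, rule 3 names another cert.
SAMPLE_RULESET = f"""<ruleset version="1.0+">
  <rule><id><certificate algorithm="SHA-256" hash="{FINGERPRINT}"/></id>
    <action permission="block"/></rule>
  <rule><id><certificate algorithm="SHA-256" hash="{FINGERPRINT.replace(':', '')}"/></id>
    <action permission="block"/></rule>
  <rule><id><certificate algorithm="SHA-256" hash="{'0' * 64}"/></id>
    <action permission="block"/></rule>
</ruleset>"""


def drs_hash_from_keytool(text):
    """Return the SHA-256 fingerprint as 64 upper-case hex digits, no colons."""
    m = re.search(r"^\s*SHA256:\s*([0-9A-Fa-f:]+)\s*$", text, re.MULTILINE)
    if not m:
        raise ValueError("no SHA256 fingerprint line in keytool output")
    digest = m.group(1).replace(":", "").upper()
    if len(digest) != 64:
        raise ValueError("SHA-256 fingerprint must be 32 bytes")
    return digest


def lint_certificate_rules(ruleset_xml, expected):
    """Return (rule number, problem) pairs for every certificate rule at fault."""
    findings = []
    for n, rule in enumerate(ET.fromstring(ruleset_xml).iter("rule"), 1):
        for cert in rule.iter("certificate"):
            value = cert.get("hash", "")
            if cert.get("algorithm") != "SHA-256":
                findings.append((n, "bad-algorithm"))
            elif not re.fullmatch(r"[0-9A-F]{64}", value):
                findings.append((n, "bad-form"))   # colons, lower case, wrong length
            elif value != expected:
                findings.append((n, "mismatch"))   # well-formed, but another cert
    return findings


if __name__ == "__main__":
    expected = drs_hash_from_keytool(KEYTOOL_OUTPUT)
    print(expected)
    print(lint_certificate_rules(SAMPLE_RULESET, expected))
```
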

          Issue Links

            Activity

            herrick Andy Herrick added a comment - Crucible review: https://sthinfra10.se.oracle.com/cru/CR-JDK7UCPU-119
            mwthomps Marty Thompson added a comment - request to include in 7u51, see Andy's comments
            pastepan Pavel Stepanov added a comment - SQE is OK to fix that in 7u51 assuming the fix comes before RDP2
            xudwu Larry Wu (Inactive) added a comment - regression_test_src: http://sqe-hg.us.oracle.com/hg/index.cgi/testbase/javase/functional/8/deployment2/diff/5263a9fcc2c1/new_framework/tests/plugin/LSPJPI/src/LSPActionRunTest.java
            fbasin Felix Basin (Inactive) added a comment - Closed due to not having enough time to verify old bugs.

              People

              • Assignee:
                herrick Andy Herrick
                Reporter:
                tyao Ting-Yun Ingrid Yao (Inactive)
              • Votes:
                0
                Watchers:
                8

                Dates

                • Due:
                  Created:
                  Updated:
                  Resolved: