Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8042622

Check for CRL results in IllegalArgumentException "white space not allowed"

    Details

    • Subcomponent:
    • Resolved In Build:
      b12
    • CPU:
      x86
    • OS:
      windows_8

      Backports

        Description

        FULL PRODUCT VERSION :
        Under Trusty Thar 64bit:
        Java(TM) SE Runtime Environment (build 1.8.0-b132)
        Java HotSpot(TM) 64-Bit Server VM (build 25.0-b70, mixed mode)

        Under Windows 8.1:

        java version "1.8.0_05"
        Java(TM) SE Runtime Environment (build 1.8.0_05-b13)
        Java HotSpot(TM) Client VM (build 25.5-b02, mixed mode)


        ADDITIONAL OS VERSION INFORMATION :
        Following were tested: Windows 8.1, Linux 64bit (Ubuntu Trusty, Ubuntu Precise)

        EXTRA RELEVANT SYSTEM CONFIGURATION :
        The Certificate used is from startssl, it's properly imported into the system keystore (just visit https://oashi.com with IE, it will import it silently).

        A DESCRIPTION OF THE PROBLEM :
        Every once in a while the certificate check fails with the following stacktrace:

        java.lang.IllegalArgumentException: white space not allowed
        at java.net.URLPermission.normalizeHeaders(URLPermission.java:401)
        at java.net.URLPermission.init(URLPermission.java:189)
        at java.net.URLPermission.<init>(URLPermission.java:166)
        at sun.net.www.protocol.http.HttpURLConnection.URLtoSocketPermission(HttpURLConnection.java:1031)
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1424)
        at com.sun.deploy.net.HttpUtils.followRedirects(Unknown Source)
        at com.sun.deploy.net.BasicHttpRequest.doRequest(Unknown Source)
        at com.sun.deploy.net.BasicHttpRequest.doGetRequestEX(Unknown Source)
        at com.sun.deploy.cache.ResourceProviderImpl.checkUpdateAvailable(Unknown Source)
        at com.sun.deploy.cache.ResourceProviderImpl.isUpdateAvailable(Unknown Source)
        at com.sun.deploy.cache.DeployCacheHandler.get(Unknown Source)
        at sun.net.www.protocol.http.HttpURLConnection.plainConnect0(HttpURLConnection.java:1048)
        at sun.net.www.protocol.http.HttpURLConnection$6.run(HttpURLConnection.java:987)
        at sun.net.www.protocol.http.HttpURLConnection$6.run(HttpURLConnection.java:985)
        at java.security.AccessController.doPrivileged(Native Method)
        at java.security.AccessController.doPrivileged(AccessController.java:713)
        at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:984)
        at sun.net.www.protocol.http.HttpURLConnection.connect(HttpURLConnection.java:931)
        at sun.net.www.protocol.http.HttpURLConnection.followRedirect0(HttpURLConnection.java:2648)
        at sun.net.www.protocol.http.HttpURLConnection.access$300(HttpURLConnection.java:90)
        at sun.net.www.protocol.http.HttpURLConnection$12.run(HttpURLConnection.java:2565)
        at sun.net.www.protocol.http.HttpURLConnection$12.run(HttpURLConnection.java:2563)
        at java.security.AccessController.doPrivileged(Native Method)
        at java.security.AccessController.doPrivileged(AccessController.java:713)
        at sun.net.www.protocol.http.HttpURLConnection.followRedirect(HttpURLConnection.java:2562)
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1768)
        at sun.net.www.protocol.http.HttpURLConnection.access$200(HttpURLConnection.java:90)
        at sun.net.www.protocol.http.HttpURLConnection$9.run(HttpURLConnection.java:1431)
        at sun.net.www.protocol.http.HttpURLConnection$9.run(HttpURLConnection.java:1429)
        at java.security.AccessController.doPrivileged(Native Method)
        at java.security.AccessController.doPrivileged(AccessController.java:713)
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1428)
        at sun.security.provider.certpath.URICertStore.engineGetCRLs(URICertStore.java:396)
        at java.security.cert.CertStore.getCRLs(CertStore.java:181)
        at sun.security.provider.certpath.DistributionPointFetcher.getCRL(DistributionPointFetcher.java:246)
        at sun.security.provider.certpath.DistributionPointFetcher.getCRLs(DistributionPointFetcher.java:190)
        at sun.security.provider.certpath.DistributionPointFetcher.getCRLs(DistributionPointFetcher.java:122)
        at sun.security.provider.certpath.DistributionPointFetcher.getCRLs(DistributionPointFetcher.java:79)
        at com.sun.deploy.security.RevocationChecker.checkCRLs(Unknown Source)
        at com.sun.deploy.security.RevocationChecker.check(Unknown Source)
        at com.sun.deploy.security.TrustDecider.checkRevocationStatus(Unknown Source)
        at com.sun.deploy.security.TrustDecider.getValidationState(Unknown Source)
        at com.sun.deploy.security.TrustDecider.validateChain(Unknown Source)
        at com.sun.deploy.security.TrustDecider.isAllPermissionGranted(Unknown Source)

        As you can see, it fails on the way to get the CRL from http://www.startssl.com/sfsca.crl, which returns a 301 and forwards the request to http://crl.startssl.com/sfsca.crl

        After adding some debug code into the classes involved, it seems to stumble upon parsing the request headers after the forward, so the URLPermission class gets the String "GET:accept-encoding,User-Agent,UA-Java-Version,GET /sfsca.crl HTTP/1.1,Accept" as actions within the constuctor, on which it fails.

        What I can't tell at the moment is why it sometimes succeeds. As I don't have the source code for the com.sun.deploy classes, I can't tell where it comes from.

        As neither Java6 nor Java7 expose this behaviour and the URLs passed around by the Startssl servers, I would declare this a bug.

        If further help is needed, I will assist.

        REGRESSION. Last worked in version 7u51

        STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
        Under Windows, first visit https://oashi.com to silently import the startssl certs.

        Then, visit this URL:

        https://m.oashi.com/deploy/Solstice.jnlp

        When the logon prompt appears, just cancel it. Retry until it fails (mostly within the first to third try).

        EXPECTED VERSUS ACTUAL BEHAVIOR :
        EXPECTED -
        Logon prompt
        ACTUAL -
        Failure to verify the certificate

        ERROR MESSAGES/STACK TRACES THAT OCCUR :
        java.lang.IllegalArgumentException: white space not allowed
        at java.net.URLPermission.normalizeHeaders(URLPermission.java:401)
        at java.net.URLPermission.init(URLPermission.java:189)
        at java.net.URLPermission.<init>(URLPermission.java:166)
        at sun.net.www.protocol.http.HttpURLConnection.URLtoSocketPermission(HttpURLConnection.java:1031)
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1424)
        at com.sun.deploy.net.HttpUtils.followRedirects(Unknown Source)
        at com.sun.deploy.net.BasicHttpRequest.doRequest(Unknown Source)
        at com.sun.deploy.net.BasicHttpRequest.doGetRequestEX(Unknown Source)
        at com.sun.deploy.cache.ResourceProviderImpl.checkUpdateAvailable(Unknown Source)
        at com.sun.deploy.cache.ResourceProviderImpl.isUpdateAvailable(Unknown Source)
        at com.sun.deploy.cache.DeployCacheHandler.get(Unknown Source)
        at sun.net.www.protocol.http.HttpURLConnection.plainConnect0(HttpURLConnection.java:1048)
        at sun.net.www.protocol.http.HttpURLConnection$6.run(HttpURLConnection.java:987)
        at sun.net.www.protocol.http.HttpURLConnection$6.run(HttpURLConnection.java:985)
        at java.security.AccessController.doPrivileged(Native Method)
        at java.security.AccessController.doPrivileged(AccessController.java:713)
        at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:984)
        at sun.net.www.protocol.http.HttpURLConnection.connect(HttpURLConnection.java:931)
        at sun.net.www.protocol.http.HttpURLConnection.followRedirect0(HttpURLConnection.java:2648)
        at sun.net.www.protocol.http.HttpURLConnection.access$300(HttpURLConnection.java:90)
        at sun.net.www.protocol.http.HttpURLConnection$12.run(HttpURLConnection.java:2565)
        at sun.net.www.protocol.http.HttpURLConnection$12.run(HttpURLConnection.java:2563)
        at java.security.AccessController.doPrivileged(Native Method)
        at java.security.AccessController.doPrivileged(AccessController.java:713)
        at sun.net.www.protocol.http.HttpURLConnection.followRedirect(HttpURLConnection.java:2562)
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1768)
        at sun.net.www.protocol.http.HttpURLConnection.access$200(HttpURLConnection.java:90)
        at sun.net.www.protocol.http.HttpURLConnection$9.run(HttpURLConnection.java:1431)
        at sun.net.www.protocol.http.HttpURLConnection$9.run(HttpURLConnection.java:1429)
        at java.security.AccessController.doPrivileged(Native Method)
        at java.security.AccessController.doPrivileged(AccessController.java:713)
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1428)
        at sun.security.provider.certpath.URICertStore.engineGetCRLs(URICertStore.java:396)
        at java.security.cert.CertStore.getCRLs(CertStore.java:181)
        at sun.security.provider.certpath.DistributionPointFetcher.getCRL(DistributionPointFetcher.java:246)
        at sun.security.provider.certpath.DistributionPointFetcher.getCRLs(DistributionPointFetcher.java:190)
        at sun.security.provider.certpath.DistributionPointFetcher.getCRLs(DistributionPointFetcher.java:122)
        at sun.security.provider.certpath.DistributionPointFetcher.getCRLs(DistributionPointFetcher.java:79)
        at com.sun.deploy.security.RevocationChecker.checkCRLs(Unknown Source)
        at com.sun.deploy.security.RevocationChecker.check(Unknown Source)
        at com.sun.deploy.security.TrustDecider.checkRevocationStatus(Unknown Source)
        at com.sun.deploy.security.TrustDecider.getValidationState(Unknown Source)
        at com.sun.deploy.security.TrustDecider.validateChain(Unknown Source)
        at com.sun.deploy.security.TrustDecider.isAllPermissionGranted(Unknown Source)
        at com.sun.javaws.security.AppPolicy.grantUnrestrictedAccess(Unknown Source)
        at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResourcesHelper(Unknown Source)
        at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResources(Unknown Source)
        at com.sun.javaws.Launcher.prepareResources(Unknown Source)
        at com.sun.javaws.Launcher.prepareAllResources(Unknown Source)
        at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
        at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
        at com.sun.javaws.Launcher.launch(Unknown Source)
        at com.sun.javaws.Main.launchApp(Unknown Source)
        at com.sun.javaws.Main.continueInSecureThread(Unknown Source)
        at com.sun.javaws.Main.access$000(Unknown Source)
        at com.sun.javaws.Main$1.run(Unknown Source)
        at java.lang.Thread.run(Thread.java:744)


        REPRODUCIBILITY :
        This bug can be reproduced often.

        ---------- BEGIN SOURCE ----------
        nothing to supply here - it needs a complete application with descriptors and everything.

        If you really need this, please contact me, I might be able to prepare something.
        ---------- END SOURCE ----------

        CUSTOMER SUBMITTED WORKAROUND :
        Restart the app until it works.

          Attachments

            Issue Links

              Activity

                People

                • Assignee:
                  michaelm Michael McMahon
                  Reporter:
                  webbuggrp Webbug Group
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  7 Start watching this issue

                  Dates

                  • Created:
                    Updated:
                    Resolved: