JDK-8042622

Check for CRL results in IllegalArgumentException "white space not allowed"

    Details

    • Subcomponent:
    • Resolved In Build:
      b12
    • CPU:
      x86
    • OS:
      windows_8

        Description

        FULL PRODUCT VERSION :
        Under Trusty Thar 64bit:
        Java(TM) SE Runtime Environment (build 1.8.0-b132)
        Java HotSpot(TM) 64-Bit Server VM (build 25.0-b70, mixed mode)

        Under Windows 8.1:

        java version "1.8.0_05"
        Java(TM) SE Runtime Environment (build 1.8.0_05-b13)
        Java HotSpot(TM) Client VM (build 25.5-b02, mixed mode)


        ADDITIONAL OS VERSION INFORMATION :
        Following were tested: Windows 8.1, Linux 64bit (Ubuntu Trusty, Ubuntu Precise)

        EXTRA RELEVANT SYSTEM CONFIGURATION :
        The Certificate used is from startssl, it's properly imported into the system keystore (just visit https://oashi.com with IE, it will import it silently).

        A DESCRIPTION OF THE PROBLEM :
        Every once in a while the certificate check fails with the following stacktrace:

        java.lang.IllegalArgumentException: white space not allowed
        at java.net.URLPermission.normalizeHeaders(URLPermission.java:401)
        at java.net.URLPermission.init(URLPermission.java:189)
        at java.net.URLPermission.<init>(URLPermission.java:166)
        at sun.net.www.protocol.http.HttpURLConnection.URLtoSocketPermission(HttpURLConnection.java:1031)
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1424)
        at com.sun.deploy.net.HttpUtils.followRedirects(Unknown Source)
        at com.sun.deploy.net.BasicHttpRequest.doRequest(Unknown Source)
        at com.sun.deploy.net.BasicHttpRequest.doGetRequestEX(Unknown Source)
        at com.sun.deploy.cache.ResourceProviderImpl.checkUpdateAvailable(Unknown Source)
        at com.sun.deploy.cache.ResourceProviderImpl.isUpdateAvailable(Unknown Source)
        at com.sun.deploy.cache.DeployCacheHandler.get(Unknown Source)
        at sun.net.www.protocol.http.HttpURLConnection.plainConnect0(HttpURLConnection.java:1048)
        at sun.net.www.protocol.http.HttpURLConnection$6.run(HttpURLConnection.java:987)
        at sun.net.www.protocol.http.HttpURLConnection$6.run(HttpURLConnection.java:985)
        at java.security.AccessController.doPrivileged(Native Method)
        at java.security.AccessController.doPrivileged(AccessController.java:713)
        at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:984)
        at sun.net.www.protocol.http.HttpURLConnection.connect(HttpURLConnection.java:931)
        at sun.net.www.protocol.http.HttpURLConnection.followRedirect0(HttpURLConnection.java:2648)
        at sun.net.www.protocol.http.HttpURLConnection.access$300(HttpURLConnection.java:90)
        at sun.net.www.protocol.http.HttpURLConnection$12.run(HttpURLConnection.java:2565)
        at sun.net.www.protocol.http.HttpURLConnection$12.run(HttpURLConnection.java:2563)
        at java.security.AccessController.doPrivileged(Native Method)
        at java.security.AccessController.doPrivileged(AccessController.java:713)
        at sun.net.www.protocol.http.HttpURLConnection.followRedirect(HttpURLConnection.java:2562)
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1768)
        at sun.net.www.protocol.http.HttpURLConnection.access$200(HttpURLConnection.java:90)
        at sun.net.www.protocol.http.HttpURLConnection$9.run(HttpURLConnection.java:1431)
        at sun.net.www.protocol.http.HttpURLConnection$9.run(HttpURLConnection.java:1429)
        at java.security.AccessController.doPrivileged(Native Method)
        at java.security.AccessController.doPrivileged(AccessController.java:713)
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1428)
        at sun.security.provider.certpath.URICertStore.engineGetCRLs(URICertStore.java:396)
        at java.security.cert.CertStore.getCRLs(CertStore.java:181)
        at sun.security.provider.certpath.DistributionPointFetcher.getCRL(DistributionPointFetcher.java:246)
        at sun.security.provider.certpath.DistributionPointFetcher.getCRLs(DistributionPointFetcher.java:190)
        at sun.security.provider.certpath.DistributionPointFetcher.getCRLs(DistributionPointFetcher.java:122)
        at sun.security.provider.certpath.DistributionPointFetcher.getCRLs(DistributionPointFetcher.java:79)
        at com.sun.deploy.security.RevocationChecker.checkCRLs(Unknown Source)
        at com.sun.deploy.security.RevocationChecker.check(Unknown Source)
        at com.sun.deploy.security.TrustDecider.checkRevocationStatus(Unknown Source)
        at com.sun.deploy.security.TrustDecider.getValidationState(Unknown Source)
        at com.sun.deploy.security.TrustDecider.validateChain(Unknown Source)
        at com.sun.deploy.security.TrustDecider.isAllPermissionGranted(Unknown Source)

        As you can see, it fails on the way to get the CRL from http://www.startssl.com/sfsca.crl, which returns a 301 and forwards the request to http://crl.startssl.com/sfsca.crl

        After adding some debug code into the classes involved, it seems to stumble upon parsing the request headers after the forward, so the URLPermission class gets the String "GET:accept-encoding,User-Agent,UA-Java-Version,GET /sfsca.crl HTTP/1.1,Accept" as actions within the constructor, on which it fails.

        What I can't tell at the moment is why it sometimes succeeds. As I don't have the source code for the com.sun.deploy classes, I can't tell where it comes from.

        As neither Java6 nor Java7 expose this behaviour and the URLs passed around by the Startssl servers, I would declare this a bug.

        If further help is needed, I will assist.

        REGRESSION. Last worked in version 7u51

        STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
        Under Windows, first visit https://oashi.com to silently import the startssl certs.

        Then, visit this URL:

        https://m.oashi.com/deploy/Solstice.jnlp

        When the logon prompt appears, just cancel it. Retry until it fails (mostly within the first to third try).

        EXPECTED VERSUS ACTUAL BEHAVIOR :
        EXPECTED -
        Logon prompt
        ACTUAL -
        Failure to verify the certificate

        ERROR MESSAGES/STACK TRACES THAT OCCUR :
        java.lang.IllegalArgumentException: white space not allowed
        at java.net.URLPermission.normalizeHeaders(URLPermission.java:401)
        at java.net.URLPermission.init(URLPermission.java:189)
        at java.net.URLPermission.<init>(URLPermission.java:166)
        at sun.net.www.protocol.http.HttpURLConnection.URLtoSocketPermission(HttpURLConnection.java:1031)
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1424)
        at com.sun.deploy.net.HttpUtils.followRedirects(Unknown Source)
        at com.sun.deploy.net.BasicHttpRequest.doRequest(Unknown Source)
        at com.sun.deploy.net.BasicHttpRequest.doGetRequestEX(Unknown Source)
        at com.sun.deploy.cache.ResourceProviderImpl.checkUpdateAvailable(Unknown Source)
        at com.sun.deploy.cache.ResourceProviderImpl.isUpdateAvailable(Unknown Source)
        at com.sun.deploy.cache.DeployCacheHandler.get(Unknown Source)
        at sun.net.www.protocol.http.HttpURLConnection.plainConnect0(HttpURLConnection.java:1048)
        at sun.net.www.protocol.http.HttpURLConnection$6.run(HttpURLConnection.java:987)
        at sun.net.www.protocol.http.HttpURLConnection$6.run(HttpURLConnection.java:985)
        at java.security.AccessController.doPrivileged(Native Method)
        at java.security.AccessController.doPrivileged(AccessController.java:713)
        at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:984)
        at sun.net.www.protocol.http.HttpURLConnection.connect(HttpURLConnection.java:931)
        at sun.net.www.protocol.http.HttpURLConnection.followRedirect0(HttpURLConnection.java:2648)
        at sun.net.www.protocol.http.HttpURLConnection.access$300(HttpURLConnection.java:90)
        at sun.net.www.protocol.http.HttpURLConnection$12.run(HttpURLConnection.java:2565)
        at sun.net.www.protocol.http.HttpURLConnection$12.run(HttpURLConnection.java:2563)
        at java.security.AccessController.doPrivileged(Native Method)
        at java.security.AccessController.doPrivileged(AccessController.java:713)
        at sun.net.www.protocol.http.HttpURLConnection.followRedirect(HttpURLConnection.java:2562)
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1768)
        at sun.net.www.protocol.http.HttpURLConnection.access$200(HttpURLConnection.java:90)
        at sun.net.www.protocol.http.HttpURLConnection$9.run(HttpURLConnection.java:1431)
        at sun.net.www.protocol.http.HttpURLConnection$9.run(HttpURLConnection.java:1429)
        at java.security.AccessController.doPrivileged(Native Method)
        at java.security.AccessController.doPrivileged(AccessController.java:713)
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1428)
        at sun.security.provider.certpath.URICertStore.engineGetCRLs(URICertStore.java:396)
        at java.security.cert.CertStore.getCRLs(CertStore.java:181)
        at sun.security.provider.certpath.DistributionPointFetcher.getCRL(DistributionPointFetcher.java:246)
        at sun.security.provider.certpath.DistributionPointFetcher.getCRLs(DistributionPointFetcher.java:190)
        at sun.security.provider.certpath.DistributionPointFetcher.getCRLs(DistributionPointFetcher.java:122)
        at sun.security.provider.certpath.DistributionPointFetcher.getCRLs(DistributionPointFetcher.java:79)
        at com.sun.deploy.security.RevocationChecker.checkCRLs(Unknown Source)
        at com.sun.deploy.security.RevocationChecker.check(Unknown Source)
        at com.sun.deploy.security.TrustDecider.checkRevocationStatus(Unknown Source)
        at com.sun.deploy.security.TrustDecider.getValidationState(Unknown Source)
        at com.sun.deploy.security.TrustDecider.validateChain(Unknown Source)
        at com.sun.deploy.security.TrustDecider.isAllPermissionGranted(Unknown Source)
        at com.sun.javaws.security.AppPolicy.grantUnrestrictedAccess(Unknown Source)
        at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResourcesHelper(Unknown Source)
        at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResources(Unknown Source)
        at com.sun.javaws.Launcher.prepareResources(Unknown Source)
        at com.sun.javaws.Launcher.prepareAllResources(Unknown Source)
        at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
        at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
        at com.sun.javaws.Launcher.launch(Unknown Source)
        at com.sun.javaws.Main.launchApp(Unknown Source)
        at com.sun.javaws.Main.continueInSecureThread(Unknown Source)
        at com.sun.javaws.Main.access$000(Unknown Source)
        at com.sun.javaws.Main$1.run(Unknown Source)
        at java.lang.Thread.run(Thread.java:744)


        REPRODUCIBILITY :
        This bug can be reproduced often.

        ---------- BEGIN SOURCE ----------
        nothing to supply here - it needs a complete application with descriptors and everything.

        If you really need this, please contact me, I might be able to prepare something.
        ---------- END SOURCE ----------

        CUSTOMER SUBMITTED WORKAROUND :
        Restart the app until it works.
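
        The failure described in the report can be shown in isolation. The following is an added illustration, not code from the reporter and not the JDK fix: it passes the actions string quoted in the description to `java.net.URLPermission`, then rebuilds the string keeping only entries that are valid HTTP header-name tokens. The class and helper names are hypothetical.

```java
import java.net.URLPermission;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Hypothetical demo class; all names here are illustrative.
public class UrlPermissionActionsDemo {

    // True if s is an HTTP header-name token (RFC 7230): no spaces or separators.
    static boolean isHeaderToken(String s) {
        if (s.isEmpty()) return false;
        for (char c : s.toCharArray()) {
            boolean ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
                    || (c >= '0' && c <= '9') || "!#$%&'*+-.^_`|~".indexOf(c) >= 0;
            if (!ok) return false;
        }
        return true;
    }

    // Builds "METHOD:h1,h2,..." and drops entries that are not header-name tokens.
    static String buildActions(String method, List<String> names) {
        List<String> kept = new ArrayList<>();
        for (String n : names) {
            if (isHeaderToken(n)) kept.add(n);
        }
        return kept.isEmpty() ? method : method + ":" + String.join(",", kept);
    }

    // Returns the normalized actions, or the reason URLPermission rejected them.
    static String tryPermission(String url, String actions) {
        try {
            return "accepted: " + new URLPermission(url, actions).getActions();
        } catch (IllegalArgumentException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        String url = "http://crl.startssl.com/sfsca.crl";
        // Actions string as quoted in the report: the request line sits among the header names.
        String reported =
            "GET:accept-encoding,User-Agent,UA-Java-Version,GET /sfsca.crl HTTP/1.1,Accept";
        System.out.println(tryPermission(url, reported));

        List<String> names = Arrays.asList(reported.substring("GET:".length()).split(","));
        System.out.println(tryPermission(url, buildActions("GET", names)));
    }
}
```

        The first call is rejected because the entry `GET /sfsca.crl HTTP/1.1` contains spaces; the second is accepted once that entry is filtered out.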

            Activity

            webbuggrp Webbug Group created issue -
            scfitch Stephen Fitch made changes -
            Field Original Value New Value
            Affects Version/s 8u5 [ 16305 ]
            scfitch Stephen Fitch made changes -
            Project Java Incidents [ 10301 ] JDK [ 10100 ]
            Key JI-9011879 JDK-8042622
            Workflow JBS Incident Workflow [ 4726123 ] JBS Workflow [ 4727929 ]
            Affects Version/s 8 [ 11815 ]
            Affects Version/s 8u5 [ 15804 ]
            Affects Version/s 8 [ 15409 ]
            Affects Version/s 8u5 [ 16305 ]
            Component/s deploy [ 10302 ]
            Component/s deploy [ 10703 ]
            scfitch Stephen Fitch made changes -
            Subcomponent webstart [ 526 ] webstart [ 251 ]
            mwthomps Marty Thompson made changes -
            Assignee Andy Herrick [ herrick ]
            herrick Andy Herrick made changes -
            Status New [ 10000 ] Open [ 1 ]
            herrick Andy Herrick made changes -
            Fix Version/s 8u40 [ 16510 ]
            mwthomps Marty Thompson made changes -
            Labels regression webbug CPU14_03-defer-request regression webbug
            plevins Pete Levins (Inactive) made changes -
            Labels CPU14_03-defer-request regression webbug CPU14_03-defer-approved regression webbug
            mwthomps Marty Thompson made changes -
            Labels CPU14_03-defer-approved regression webbug CPU14_03-defer-approved deploy_iteration_queue regression webbug
            mwthomps Marty Thompson made changes -
            Labels CPU14_03-defer-approved deploy_iteration_queue regression webbug CPU14_03-defer-approved deploy_iteration_9 regression webbug
            michaelm Michael McMahon made changes -
            Component/s core-libs [ 10300 ]
            Component/s deploy [ 10302 ]
            michaelm Michael McMahon made changes -
            Subcomponent webstart [ 251 ]
            michaelm Michael McMahon made changes -
            Subcomponent java.net [ 193 ]
            michaelm Michael McMahon made changes -
            Assignee Andy Herrick [ herrick ] Michael McMahon [ michaelm ]
            herrick Andy Herrick made changes -
            Labels CPU14_03-defer-approved deploy_iteration_9 regression webbug CPU14_03-defer-approved regression webbug
            michaelm Michael McMahon made changes -
            Labels CPU14_03-defer-approved regression webbug regression webbug
            michaelm Michael McMahon made changes -
            Status Open [ 1 ] In Progress [ 3 ]
            Understanding Fix Understood [ 10001 ]
            hgupdate HG Updates made changes -
            Link This issue backported by JDK-8061311 [ JDK-8061311 ]
            hgupdate HG Updates made changes -
            Status In Progress [ 3 ] Resolved [ 5 ]
            Understanding Fix Understood [ 10001 ]
            Resolved In Build team [ 17324 ]
            Resolution Fixed [ 1 ]
            hgupdate HG Updates made changes -
            Resolved In Build team [ 17324 ] master [ 18256 ]
            hgupdate HG Updates made changes -
            Resolved In Build master [ 18256 ] b12 [ 17349 ]
            hgupdate HG Updates made changes -
            Link This issue backported by JDK-8063923 [ JDK-8063923 ]
            dcherepanov Dmitry Cherepanov made changes -
            Link This issue relates to JDK-8064462 [ JDK-8064462 ]
            hgupdate HG Updates made changes -
            Link This issue backported by JDK-8070006 [ JDK-8070006 ]
            akosarev Artem Kosarev (Inactive) made changes -
            Labels regression webbug escape-old regression webbug
            hgupdate HG Updates made changes -
            Link This issue backported by JDK-8085116 [ JDK-8085116 ]
            dtitov Daniil Titov made changes -
            Link This issue relates to JDK-8129991 [ JDK-8129991 ]
            ostuart Owen Stuart made changes -
            Labels escape-old regression webbug 8bpr-critical-request escape-old regression webbug
            hgupdate HG Updates made changes -
            Link This issue backported by JDK-8130908 [ JDK-8130908 ]
            hgupdate HG Updates made changes -
            Link This issue backported by JDK-8130925 [ JDK-8130925 ]
            hgupdate HG Updates made changes -
            Link This issue backported by JDK-8133477 [ JDK-8133477 ]
            hgupdate HG Updates made changes -
            Link This issue backported by JDK-8136943 [ JDK-8136943 ]
            hgupdate HG Updates made changes -
            Link This issue backported by JDK-8136960 [ JDK-8136960 ]
            hgupdate HG Updates made changes -
            Link This issue backported by JDK-8140710 [ JDK-8140710 ]
            hgupdate HG Updates made changes -
            Link This issue backported by JDK-8143763 [ JDK-8143763 ]
            ostuart Owen Stuart made changes -
            Labels 8bpr-critical-request escape-old regression webbug 8bpr-critical-approved escape-old regression webbug
            hgupdate HG Updates made changes -
            Link This issue backported by JDK-8147683 [ JDK-8147683 ]

              People

              • Assignee:
                michaelm Michael McMahon
                Reporter:
                webbuggrp Webbug Group