Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8043582

App gets blocked instead of showing multiple click dialog when no ocsp and crl info in certificate

    Details

    • Subcomponent:
    • Resolved In Build:
      b19

      Backports

        Description

        A multiple click dialog saying "Unable to ensure the certificate used to identify this application has not been revoked" should show up when no ocsp and crl infor in cert or cert only contains crl info but the only crl info is not valid. And after accept it, app should get loaded.
        But with 8u20, a blocked dialog with message "StatusUnknownException: Certificate does not specify OCSP responder" will show up.

        Steps to reproduce:
        1 Install jre8u20#b00_2014-05-14-0234_339(http://rehudson.us.oracle.com/nightlyws/jdk8u20-deploy/b00_2014-05-14-0234_339/bundles/)
        2 Enable OCSP and CRL check from JCP
        3 Import root ca cacert.pem to JRE_HOME/lib/security/cacerts to have a valid trusted cert:
        keytool -import -file cacert.pem -keystore JAVA_HOME/lib/security/cacerts -storepass changeit -alias cakey
        cacert.pem: http://sqeweb.us.oracle.com/net/sqenfs-1/export1/comp/jsn/users/crystal/DO_NOT_REMOVE_ME/jrebug/JawsOcspAndCrlCheck/lib/cacert.pem
        4 Run app signed with a cert which doesn't contain ocsp and crl info in it:
        javaws http://sqeweb.us.oracle.com/net/sqenfs-1/export1/comp/jsn/users/crystal/DO_NOT_REMOVE_ME/jrebug/JawsOcspAndCrlCheck/jnlp/testOCSPAndCRLEnabledAIAOnlyCACertJNLP.jnlp
        5. If a blocked dialog with title "Application Blocked for Security" show up(See attachment 8u20.png), then this bug is reproduced. In more information, it shows:
        com.sun.deploy.security.RevocationChecker$StatusUnknownException: Certificate does not specify OCSP responder
        at com.sun.deploy.security.RevocationChecker.checkOCSP(Unknown Source)
        at com.sun.deploy.security.RevocationChecker.check(Unknown Source)
        at com.sun.deploy.security.TrustDecider.checkRevocationStatus(Unknown Source)
        at com.sun.deploy.security.TrustDecider.getValidationState(Unknown Source)
        at com.sun.deploy.security.TrustDecider.validateChain(Unknown Source)
        at com.sun.deploy.security.TrustDecider.isAllPermissionGranted(Unknown Source)
        at com.sun.javaws.security.AppPolicy.grantUnrestrictedAccess(Unknown Source)
        at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResourcesHelper(Unknown Source)
        at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResources(Unknown Source)
        at com.sun.javaws.Launcher.prepareResources(Unknown Source)
        at com.sun.javaws.Launcher.prepareAllResources(Unknown Source)
        at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
        at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
        at com.sun.javaws.Launcher.launch(Unknown Source)
        at com.sun.javaws.Main.launchApp(Unknown Source)
        at com.sun.javaws.Main.continueInSecureThread(Unknown Source)
        at com.sun.javaws.Main.access$000(Unknown Source)
        at com.sun.javaws.Main$1.run(Unknown Source)
        at java.lang.Thread.run(Unknown Source)
        Suppressed: com.sun.deploy.security.RevocationChecker$StatusUnknownException
        at com.sun.deploy.security.RevocationChecker.checkCRLs(Unknown Source)
        ... 18 more

        Note: No such issue for 8u5-b13 and 8u11-b05: a multiple click dialog will show up. See attachment 8u5.png

          Attachments

          1. 8u20.png
            8u20.png
            83 kB
          2. 8u5.png
            8u5.png
            44 kB

            Issue Links

              Activity

                People

                • Assignee:
                  herrick Andy Herrick
                  Reporter:
                  wenjyang Crystal Yang
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  6 Start watching this issue

                  Dates

                  • Created:
                    Updated:
                    Resolved: