Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8132011

OCSP revocation checking with autoproxy fails with NPE

    XMLWordPrintable

    Details

    • Subcomponent:
    • CPU:
      x86
    • OS:
      windows_7

      Description

      FULL PRODUCT VERSION :
      java version "1.8.0_51"
      Java(TM) SE Runtime Environment (build 1.8.0_51-b16)
      Java HotSpot(TM) Client VM (build 25.51-b03, mixed mode)

      ADDITIONAL OS VERSION INFORMATION :
      Windows 7 Professional SP1

      EXTRA RELEVANT SYSTEM CONFIGURATION :
      Internet access only via proxy server.
      Internet Explorer 11.
      Configured with auto proxy (proxy PAC)
      Java Control Panel network settings configured to use browser settings.
      Webstart application hosted on a local server (not internet), i.e. does not require proxy access.

      A DESCRIPTION OF THE PROBLEM :
      We have a Java webstart application which has been digitally signed with a trusted certificate (Entrust). The certificate has an OCSP revocation url http://ocsp.entrust.net, which is hosted on the internet and will require access via a proxy server.

      Downloading and starting the application performs a certificate revocation check (OCSP). This check fails with a NullPointerException, resulting in the application failing to start with an on-screen message "Failed to validate certificate."

      Previously reported as https://bugs.openjdk.java.net/browse/JDK-8074258 (closed)

      STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
      1. From a client PC that has no direct access to the internet.
      2. Configure default browser to use an auto-proxy file, not configured directly with a proxy address.
      3. Update Network Settings in Java Control Panel to use broswer settings
      4. Ensure Java Control Panel advanced settings are set for revocation checks:
        a) Check for signed code certificate revocation using "Both CRLs and OCSP"
        b) Perform signed code certificate revocation checks on "All certificates in the chain of trust"
      5. Run a JNLP application which is signed with a trusted certificate.

      EXPECTED VERSUS ACTUAL BEHAVIOR :
      EXPECTED -
      Application downloads, verifies and starts.
      ACTUAL -
      Application downloads and fails to verify the certificate.
      Webstart message displayed: "Failed to validate certificate. The application will not be executed.". Clicking the More Information button displays the Exception stack trace:

      java.lang.NullPointerException
      at com.sun.deploy.net.proxy.DeployProxySelector.select(Unknown Source)
      at sun.net.www.protocol.http.HttpURLConnection.plainConnect0(Unknown Source)
      at sun.net.www.protocol.http.HttpURLConnection$6.run(Unknown Source)
      at sun.net.www.protocol.http.HttpURLConnection$6.run(Unknown Source)
      at java.security.AccessController.doPrivileged(Native Method)
      at java.security.AccessController.doPrivileged(Unknown Source)
      at sun.net.www.protocol.http.HttpURLConnection.plainConnect(Unknown Source)
      at sun.net.www.protocol.http.HttpURLConnection.connect(Unknown Source)
      at sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(Unknown Source)
      at sun.net.www.protocol.http.HttpURLConnection.access$100(Unknown Source)
      at sun.net.www.protocol.http.HttpURLConnection$8.run(Unknown Source)
      at sun.net.www.protocol.http.HttpURLConnection$8.run(Unknown Source)
      at java.security.AccessController.doPrivileged(Native Method)
      at java.security.AccessController.doPrivileged(Unknown Source)
      at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(Unknown Source)
      at sun.security.provider.certpath.OCSP.check(Unknown Source)
      at sun.security.provider.certpath.OCSP.check(Unknown Source)
      at sun.security.provider.certpath.OCSP.check(Unknown Source)
      at com.sun.deploy.security.RevocationChecker.checkOCSP(Unknown Source)
      at com.sun.deploy.security.RevocationChecker.check(Unknown Source)
      at com.sun.deploy.security.TrustDecider.checkRevocationStatus(Unknown Source)
      at com.sun.deploy.security.TrustDecider.getValidationState(Unknown Source)
      at com.sun.deploy.security.TrustDecider.validateChain(Unknown Source)
      at com.sun.deploy.security.TrustDecider.isAllPermissionGranted(Unknown Source)
      at com.sun.javaws.security.AppPolicy.grantUnrestrictedAccess(Unknown Source)
      at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResourcesHelper(Unknown Source)
      at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResources(Unknown Source)
      at com.sun.javaws.Launcher.prepareResources(Unknown Source)
      at com.sun.javaws.Launcher.prepareAllResources(Unknown Source)
      at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
      at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
      at com.sun.javaws.Launcher.launch(Unknown Source)
      at com.sun.javaws.Main.launchApp(Unknown Source)
      at com.sun.javaws.Main.continueInSecureThread(Unknown Source)
      at com.sun.javaws.Main.access$000(Unknown Source)
      at com.sun.javaws.Main$1.run(Unknown Source)
      at java.lang.Thread.run(Unknown Source)

      ERROR MESSAGES/STACK TRACES THAT OCCUR :
      Extracts from javaws trace log:

      Log started: Mon, 20 Jul 2015 10:52:49 +0100
      Java Web Start 11.51.2.16
      Using JRE version
       1.8.0_51-b16 Java HotSpot(TM) Client VM
      basic: Java part started
      basic: jnlpx.jvm: C:\Program Files (x86)\Java\jre1.8.0_51\bin\javaw.exe
      basic: jnlpx.splashport: 56943
      basic: jnlpx.remove: true
      basic: jnlpx.heapsize: null
      network: Loading user-defined proxy configuration ...
      network: Done.
      network: Browser is IE.HTTP
      network: Browser is IE
      network: Loading proxy configuration from Internet Explorer ...
      network: Auto config URL: http://pac.exacc.com
      network: Done.
      network: Loading auto proxy configuration ...
      cache: CacheEntry IP mismatch: 10.182.94.53 != 10.183.42.14
      network: Cache entry not found [url: http://pac.exacc.com/, version: null]
      network: Downloading auto proxy file from http://pac.exacc.com
      network: Downloading resource: http://pac.exacc.com
      Content-Length: 17,894
      Content-Encoding: null
      network: Wrote URL http://pac.exacc.com to File C:\Users\rl\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\53\59225f35-105fe20f-temp
      cache: Adding MemoryCache entry: http://pac.exacc.com/
      network: Done.
      ui: missing resource: java.util.MissingResourceException: Can't find resource for bundle com.sun.deploy.resources.Deployment, key Proxy Configuration: Automatic Proxy Configuration
           URL: http://pac.exacc.com
      network: Proxy Configuration: Automatic Proxy Configuration
           URL: http://pac.exacc.com
      basic: Using Cp1252 to encode arguments.
      basic: Running JVMParams: [JVMParameters: isSecure: true, args: "-Djava.security.debug=certpath" "-Xmx64m"]
      -> [JVMParameters: isSecure: true, args: "-Djava.security.debug=certpath"]
      network: Created version ID: 1.6.0.45
      network: Created version ID: 1.6
      ...

      ...
      security: The OCSP support is enabled
      security: The CRL support is enabled
      certpath: connecting to OCSP service at: http://ocsp.entrust.net
      java.lang.IllegalArgumentException: port out of range:-1
      at java.net.InetSocketAddress.checkPort(Unknown Source)
      at java.net.InetSocketAddress.<init>(Unknown Source)
      at com.sun.deploy.net.proxy.DynamicProxyManager$1.run(Unknown Source)
      at java.security.AccessController.doPrivileged(Native Method)
      at com.sun.deploy.net.proxy.DynamicProxyManager.getProxy(Unknown Source)
      at com.sun.deploy.net.proxy.DynamicProxyManager.getProxyList(Unknown Source)
      at com.sun.deploy.net.proxy.DeployProxySelector.select(Unknown Source)
      at sun.net.www.protocol.http.HttpURLConnection.plainConnect0(Unknown Source)
      at sun.net.www.protocol.http.HttpURLConnection$6.run(Unknown Source)
      at sun.net.www.protocol.http.HttpURLConnection$6.run(Unknown Source)
      at java.security.AccessController.doPrivileged(Native Method)
      at java.security.AccessController.doPrivileged(Unknown Source)
      at sun.net.www.protocol.http.HttpURLConnection.plainConnect(Unknown Source)
      at sun.net.www.protocol.http.HttpURLConnection.connect(Unknown Source)
      at sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(Unknown Source)
      at sun.net.www.protocol.http.HttpURLConnection.access$100(Unknown Source)
      at sun.net.www.protocol.http.HttpURLConnection$8.run(Unknown Source)
      at sun.net.www.protocol.http.HttpURLConnection$8.run(Unknown Source)
      at java.security.AccessController.doPrivileged(Native Method)
      at java.security.AccessController.doPrivileged(Unknown Source)
      at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(Unknown Source)
      at sun.security.provider.certpath.OCSP.check(Unknown Source)
      at sun.security.provider.certpath.OCSP.check(Unknown Source)
      at sun.security.provider.certpath.OCSP.check(Unknown Source)
      at com.sun.deploy.security.RevocationChecker.checkOCSP(Unknown Source)
      at com.sun.deploy.security.RevocationChecker.check(Unknown Source)
      at com.sun.deploy.security.TrustDecider.checkRevocationStatus(Unknown Source)
      at com.sun.deploy.security.TrustDecider.getValidationState(Unknown Source)
      at com.sun.deploy.security.TrustDecider.validateChain(Unknown Source)
      at com.sun.deploy.security.TrustDecider.isAllPermissionGranted(Unknown Source)
      at com.sun.javaws.security.AppPolicy.grantUnrestrictedAccess(Unknown Source)
      at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResourcesHelper(Unknown Source)
      at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResources(Unknown Source)
      at com.sun.javaws.Launcher.prepareResources(Unknown Source)
      at com.sun.javaws.Launcher.prepareAllResources(Unknown Source)
      at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
      at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
      at com.sun.javaws.Launcher.launch(Unknown Source)
      at com.sun.javaws.Main.launchApp(Unknown Source)
      at com.sun.javaws.Main.continueInSecureThread(Unknown Source)
      at com.sun.javaws.Main.access$000(Unknown Source)
      at com.sun.javaws.Main$1.run(Unknown Source)
      at java.lang.Thread.run(Unknown Source)
      cache: Cancel delay cleanup: URL: http://rjj3:5000/GUI/images/ApplicationIcon.gif | C:\Users\lambertonr\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\37\7d3838e5-4f8a7e11.idx
      cache: registerReference: com.sun.deploy.cache.MemoryCache$CachedResourceReference@88add689: 2
      cache: registerReference: com.sun.deploy.cache.MemoryCache$CachedResourceReference@88add689: 3
      ...

      REPRODUCIBILITY :
      This bug can be reproduced always.

      CUSTOMER SUBMITTED WORKAROUND :
      1. Disable OCSP revocation check in the Java control panel.
      or
      2. Change the Network Settings in the Java Control Panel to manually specify the proxy server instead of using the browser settings.

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              almatvee Alexander Matveev
              Reporter:
              webbuggrp Webbug Group
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved: