Bug ID: 5056088 REGRESSION: Java Web Start can't start dowloaded application

5056088 : REGRESSION: Java Web Start can't start dowloaded application

Details

Type:	Bug	Submit Date:	2004-06-02
Status:	Closed	Updated Date:	2004-06-03
Project Name:	JDK	Resolved Date:	2004-06-03
Component:	deploy	OS:	windows_xp
Sub-Component:	webstart	CPU:	x86
Priority:	P3
Resolution:	Not an Issue
Affected Versions:	5.0
Fixed Versions:

Related Reports

Relates:

JDK-6355119 - Non-codeSigning certificates shouldn't be used for signing jars

Sub Tasks

Description

Name: gm110360			Date: 06/01/2004


FULL PRODUCT VERSION :
JDK1.5.0-beta2-b51

ADDITIONAL OS VERSION INFORMATION :
Microsoft Windows XP [Version 5.1.2600]

A DESCRIPTION OF THE PROBLEM :
Java Web Start in JDK1.5.0-beta2 is unable to start an application that works perfectly well in Java 1.4.2.

The application in question uses the all-permisions JNLP tag and as such is signed. It seems that something about the signitues on the Jars is causing WebStart to break.

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
1) open a link for a signed JWS application that requiers all-permissions
2) wait for application to download
3) Web Start will say "starting application..."

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Application starts
ACTUAL -
watched it popup warning dialog saying "Failed to validate certificate. This application will not be run."

ERROR MESSAGES/STACK TRACES THAT OCCUR :
 "Failed to validate certificate. This application will not be run."

Exception was:
java.security.cert.CertificateException: Check leaf key usage failed in certificate
        at com.sun.deploy.security.CertUtils.checkUsageForCodeSigning (Unknown source)
        ...

there's no way to copy the exception from the exception dialog so i've had to type exception fragment in.

REPRODUCIBILITY :
This bug can be reproduced always.

Release Regression From : 1.4.2
The above release value was the last known release where this 
bug was known to work. Since then there has been a regression.

(Incident Review ID: 275416) 
======================================================================

Comments

EVALUATION

the exception is caused by the check in CertUtils.java, method checkLeafKeyUsageForCodeSigning, we do a check on 

  
		   if (extKeyUsageInfo.contains(OID_EKU_ANY_USAGE) == false && 
		       extKeyUsageInfo.contains(OID_EKU_CODE_SIGNING) == false)
		       {
			   Trace.msgSecurityPrintln("trustdecider.check.leafkeyusage.extkeyusageinfo");
			   return false;
		       }

It returned false here because the extKeyUsageInfo does not contains OID_EKU_ANY_USAGE and OID_EKU_CODE_SIGNING.  It only contains OID_EKU_SERVER_AUTH and OID_EKU_CLIENT_AUTH.  Therefore the exception is thrown.

We do not have such check in 1.4.2 java web start.


###@###.### 2004-06-02

the problem is the application jar is signed with a server certificate.  it should be signed with a coding signing certificate instead.


###@###.### 2004-06-02

2004-06-02

SELECT A COUNTRY/REGION
Africa Operation Argentina Australia Austria Bahrain Bangladesh Belgium & Luxembourg Belize Bhutan Bolivia Bosnia & Herzegovina Brasil Brunei Bulgaria Cambodia Canada - English Canada - French Chile China Colombia	Costa Rica Croatia Cyprus Czech Republic Denmark Ecuador Egypt Estonia Finland France Germany Greece Guatemala Honduras Hong Kong Hungary India Indonesia Iraq Ireland	Israel Italy Japan Jordan Kazakhstan Korea Kuwait Laos Latvia Lebanon Lithuania Malaysia Maldives Malta Mexico Moldova Nepal Netherlands New Zealand Nicaragua	Norway Oman Pakistan Panama Paraguay Peru Philippines Poland Portugal Puerto Rico Qatar Romania Russia Saudi Arabia Serbia & Montenegro Singapore Slovakia Slovenia South Africa Spain	Sri Lanka Sweden Switzerland -- French Switzerland -- German Taiwan Thailand Turkey Ukraine United Arab Emirates United Kingdom United States Uruguay Venezuela Vietnam Yemen

Hardware and Software, Engineered to Work Together