0

Recently, we upgraded client machines from Java 1.6 to Java 1.7 update 25 and are now encountering problems with IE and Firefox.

The problem occurs each time it accesses an applet signed by VeriSign. The following exception is shown: Failed to validate certificate. The application will not be executed.

```
java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: java.io.IOException: extra data given to DerValue constructor
    at com.sun.deploy.security.RevocationChecker.checkOCSP(Unknown Source)
    at com.sun.deploy.security.RevocationChecker.check(Unknown Source)
    at com.sun.deploy.security.TrustDecider.checkRevocationStatus(Unknown Source)
    at com.sun.deploy.security.TrustDecider.getValidationState(Unknown Source)
    at com.sun.deploy.security.TrustDecider.validateChain(Unknown Source)
    at com.sun.deploy.security.TrustDecider.isAllPermissionGranted(Unknown Source)
    at sun.plugin2.applet.Plugin2ClassLoader.isTrustedByTrustDecider(Unknown Source)
    at sun.plugin2.applet.Plugin2ClassLoader.getTrustedCodeSources(Unknown Source)
    at com.sun.deploy.security.CPCallbackHandler$ParentCallback.strategy(Unknown Source)
    at com.sun.deploy.security.CPCallbackHandler$ParentCallback.openClassPathElement(Unknown Source)
    at com.sun.deploy.security.DeployURLClassPath$JarLoader.getJarFile(Unknown Source)
    at com.sun.deploy.security.DeployURLClassPath$JarLoader.access$1000(Unknown Source)
    at com.sun.deploy.security.DeployURLClassPath$JarLoader$1.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.sun.deploy.security.DeployURLClassPath$JarLoader.ensureOpen(Unknown Source)
    at com.sun.deploy.security.DeployURLClassPath$JarLoader.<init>(Unknown Source)
    at com.sun.deploy.security.DeployURLClassPath$3.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.sun.deploy.security.DeployURLClassPath.getLoader(Unknown Source)
    at com.sun.deploy.security.DeployURLClassPath.getLoader(Unknown Source)
    at com.sun.deploy.security.DeployURLClassPath.getResource(Unknown Source)
    at sun.plugin2.applet.Plugin2ClassLoader$2.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.plugin2.applet.Plugin2ClassLoader.findClassHelper(Unknown Source)
    at sun.plugin2.applet.Applet2ClassLoader.findClass(Unknown Source)
    at sun.plugin2.applet.Plugin2ClassLoader.loadClass0(Unknown Source)
    at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
    at sun.plugin2.applet.Plugin2ClassLoader.loadClass0(Unknown Source)
    at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
    at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
    at java.lang.ClassLoader.loadClass(Unknown Source)
    at sun.plugin2.applet.Plugin2ClassLoader.loadCode(Unknown Source)
    at sun.plugin2.applet.Plugin2Manager.initAppletAdapter(Unknown Source)
    at sun.plugin2.applet.Plugin2Manager$AppletExecutionRunnable.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
    Suppressed: com.sun.deploy.security.RevocationChecker$StatusUnknownException
        at com.sun.deploy.security.RevocationChecker.checkCRLs(Unknown Source)
        ... 34 more
Caused by: java.security.cert.CertPathValidatorException: java.io.IOException: extra data given to DerValue constructor
    at sun.security.provider.certpath.OCSP.check(Unknown Source)
    at sun.security.provider.certpath.OCSP.check(Unknown Source)
    at sun.security.provider.certpath.OCSP.check(Unknown Source)
    ... 35 more
Caused by: java.io.IOException: extra data given to DerValue constructor
    at sun.security.util.DerValue.init(Unknown Source)
    at sun.security.util.DerValue.<init>(Unknown Source)
    at sun.security.provider.certpath.OCSPResponse.<init>(Unknown Source)
    ... 38 more
```

The applet debug also shows this:

```
Java Plug-in 10.25.2.17
Using JRE version 1.7.0_25-b17 Java HotSpot(TM) Client VM
User home directory = C:\Users\xxxx
----------------------------------------------------
c:   clear console window
f:   finalize objects on finalization queue
g:   garbage collect
h:   display this help message
l:   dump classloader list
m:   print memory usage
o:   trigger logging
q:   hide console
r:   reload policy configuration
s:   dump system and deployment properties
t:   dump thread list
v:   dump thread stack
x:   clear classloader cache
0-5: set trace level to <n>
----------------------------------------------------
CacheEntry[https://xxx:8181/xxx/lib/plugin-loader.jar]: updateAvailable=true,lastModified=Thu Jul 04 09:32:27 SGT 2013,length=1549
CacheEntry[https://xxx:8181/xxx/lib/xxx-applet.jar]: updateAvailable=true,lastModified=Thu Jul 04 09:32:27 SGT 2013,length=879421
Missing Permissions manifest attribute for: https://xxx:8181/xxx/lib/xxx-applet.jar
Missing Codebase manifest attribute for: https://xxx:8181/xxx/lib/xxx-applet.jar
CacheEntry[http://crl.thawte.com/ThawtePremiumServerCA.crl]: updateAvailable=false,lastModified=Thu Jan 01 07:30:00 SGT 1970,length=2520
CacheEntry[http://crl.thawte.com/ThawteCodeSigningCA.crl]: updateAvailable=false,lastModified=Thu Jan 01 07:30:00 SGT 1970,length=2516
```

As stated by the update from Oracle, we added the attribute `Trusted-Library: true` to the manifest file, but the same error occurs:

Trusted-Library: true

We also tried changing the runtime on the server side from 1.6 to 1.7, but to no avail. The server is GlassFish.

tshepang
xtrycatchx

2 Answers

1

Most probably your/provider/corporate firewall prohibits access to ocsp.verisign.com, crl.verisign.com, or similar; access to them should be visible in the Java Console. The worst thing here is that the firewall provides a custom response, not expected for the OCSP protocol, to Java (or to any client outside the allowed URLs), which confuses Java.

SWAN
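The failure mode this answer describes can be checked offline by saving the body returned for the OCSP request and testing whether it is exactly one DER-encoded `OCSPResponse`. The following Python sketch is an added example, not part of the original answer; the function names and sample bodies are constructed for illustration, and it assumes the `DerValue` error corresponds to a body that is not a single complete DER value.

```python
# Added diagnostic example; sample bodies are constructed, not captured traffic.
# responseStatus values from RFC 6960 (value 4 is unused).
OCSP_STATUS = {0: "successful", 1: "malformedRequest", 2: "internalError",
               3: "tryLater", 5: "sigRequired", 6: "unauthorized"}

def read_tlv_header(buf, pos=0):
    """Return (tag, content_length, header_length) for the DER TLV at pos."""
    if len(buf) - pos < 2:
        raise ValueError("truncated header")
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                       # short-form length
        return tag, first, 2
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4:                    # indefinite or oversized: not DER
        raise ValueError("invalid DER length")
    if len(buf) - pos < 2 + n:
        raise ValueError("truncated length")
    return tag, int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n

def classify_ocsp_body(body: bytes) -> str:
    """Classify an HTTP response body that should be a DER OCSPResponse."""
    text = body.lstrip()
    if text[:1] == b"<" or text[:5].upper() == b"HTTP/":
        return "not-der: looks like HTML/HTTP text (proxy or firewall page?)"
    try:
        tag, length, hdr = read_tlv_header(body)
    except ValueError as exc:
        return f"not-der: {exc}"
    if tag != 0x30:                        # OCSPResponse is a SEQUENCE
        return "not-der: outer tag is not SEQUENCE"
    total = hdr + length
    if len(body) < total:
        return "truncated: body shorter than declared length"
    if len(body) > total:
        return f"trailing-data: {len(body) - total} extra byte(s) after the DER value"
    # First element must be responseStatus, a one-byte ENUMERATED (0x0A 0x01 xx).
    if length < 3 or body[hdr:hdr + 2] != b"\x0a\x01":
        return "not-ocsp: first element is not a one-byte ENUMERATED"
    return "ocsp-response: responseStatus=" + OCSP_STATUS.get(body[hdr + 2], "unknown")

SAMPLES = {  # constructed bodies
    "tryLater response": bytes.fromhex("30030a0103"),
    "firewall block page": b"<html><body>Access denied by policy</body></html>",
    "response with appended bytes": bytes.fromhex("30030a0103") + b"\r\n",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name}: {classify_ocsp_body(body)}")
```

A `not-der` or `trailing-data` result for a body fetched from the client network, alongside a clean result from an unfiltered network, points at an intermediary rewriting the responder traffic rather than at the signing certificate.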
0

Oracle introduced security updates from its Java 7 update 21 release onwards, in which it deprecated unsigned code and introduced new prompts for self-signed code. You need to sign the code with CA certificates. Please check the release notes of Java 7 update 21 and update 25.

gusainhimanshu
  • Thanks gusainhimanshu. Signing using certificates issued by VeriSign has problems. Signing using a self-signed cert actually works, but the thing is it is self-signed. – xtrycatchx Jul 15 '13 at 09:41
  • According to Oracle, CA-certified code should not cause any problem. Is xxx-applet.jar dependent on any other jar, or using any other jar? – gusainhimanshu Jul 15 '13 at 09:54
  • xxx-applet is not using any other jar. Before it was working fine (before update 25 of Java 7). From the DerValue itself, it has big changes for this update 25. – xtrycatchx Jul 15 '13 at 11:00
  • Yeah!!! Oracle is bringing in some security updates. Oracle is trying to make applets more secure by adding restrictions. Moreover, you can try the `Permissions` and `Codebase` attributes as well. They added these in their [update 25](http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/no_redeploy.html). – gusainhimanshu Jul 15 '13 at 16:12
  • Thanks again gusainhimanshu. I tried adding both and it still doesn't work :( – xtrycatchx Jul 16 '13 at 01:32
  • Are you making any `index.list` for all the jars? If yes, then you might be hitting [this](http://bugs.sun.com/view_bug.do?bug_id=8016771) bug. If this also doesn't work, then you can raise a bug with Oracle. – gusainhimanshu Jul 16 '13 at 03:45