LWJGL Forum

Archive => Resolved Bugs/RFE => Topic started by: Fancy on August 21, 2012, 13:42:42

Title: [CLOSED] Certificate seems to be broken
Post by: Fancy on August 21, 2012, 13:42:42
Hi,

Since Java 1.7.0u6 I cannot run LWJGL Webstart applications. To me it looks like the certificate is no longer valid since u6 ("Wrong key usage"). Before u6 everything worked fine. (Windows 7 64-bit, Sun/Oracle JRE/JDK 64-bit.)

If I try an older JRE, everything works again.

(https://raw.github.com/mschorn/net.mschorn/gh-pages/images/snippets/lwjgl/invalidate.png)

Code:
java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: java.security.InvalidKeyException: Wrong key usage
at com.sun.deploy.security.TrustDecider.doCheckRevocationStatus(Unknown Source)
at com.sun.deploy.security.TrustDecider.validateChain(Unknown Source)
at com.sun.deploy.security.TrustDecider.isAllPermissionGranted(Unknown Source)
at com.sun.javaws.security.AppPolicy.grantUnrestrictedAccess(Unknown Source)
at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResourcesHelper(Unknown Source)
at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResources(Unknown Source)
at com.sun.javaws.Launcher.prepareResources(Unknown Source)
at com.sun.javaws.Launcher.prepareAllResources(Unknown Source)
at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
at com.sun.javaws.Launcher.launch(Unknown Source)
at com.sun.javaws.Main.launchApp(Unknown Source)
at com.sun.javaws.Main.continueInSecureThread(Unknown Source)
at com.sun.javaws.Main.access$000(Unknown Source)
at com.sun.javaws.Main$1.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Caused by: java.security.cert.CertPathValidatorException: java.security.InvalidKeyException: Wrong key usage
at sun.security.provider.certpath.OCSPResponse.verifyResponse(Unknown Source)
at sun.security.provider.certpath.OCSPResponse.<init>(Unknown Source)
at sun.security.provider.certpath.OCSP.check(Unknown Source)
at sun.security.provider.certpath.OCSP.check(Unknown Source)
at sun.security.provider.certpath.OCSP.check(Unknown Source)
at com.sun.deploy.security.TrustDecider.doOCSPEEValidation(Unknown Source)
... 16 more
Caused by: java.security.InvalidKeyException: Wrong key usage
at java.security.Signature.initVerify(Unknown Source)
... 22 more

Best wishes,
Fancy
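
The innermost exception in the trace above is raised by Signature.initVerify(Certificate), which is documented to refuse an X.509 certificate whose KeyUsage extension is marked critical and does not permit digital signatures. The following is an added example, not part of the original post or of LWJGL: a small diagnostic that applies the same rule to a certificate file given as an argument, or to constructed key-usage bit arrays when run without one. The class and method names are hypothetical.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.List;
import java.util.Set;

// Hypothetical diagnostic class; not part of the JDK or LWJGL.
public class KeyUsageCheck {
    static final String KEY_USAGE_OID = "2.5.29.15";            // X.509 KeyUsage
    static final String OCSP_SIGNING_OID = "1.3.6.1.5.5.7.3.9"; // id-kp-OCSPSigning

    // Rule documented for Signature.initVerify(Certificate): a KeyUsage extension
    // marked critical whose digitalSignature bit (index 0) is clear is refused.
    static boolean refusedForVerify(boolean keyUsageCritical, boolean[] keyUsage) {
        return keyUsageCritical && keyUsage != null
                && keyUsage.length > 0 && !keyUsage[0];
    }

    static String report(X509Certificate cert) throws Exception {
        Set<String> critical = cert.getCriticalExtensionOIDs();
        boolean kuCritical = critical != null && critical.contains(KEY_USAGE_OID);
        boolean[] ku = cert.getKeyUsage();             // null if extension absent
        List<String> eku = cert.getExtendedKeyUsage(); // null if extension absent
        boolean sigBit = ku != null && ku.length > 0 && ku[0];
        return cert.getSubjectX500Principal().getName()
                + "\n  KeyUsage present:       " + (ku != null)
                + "\n  KeyUsage critical:      " + kuCritical
                + "\n  digitalSignature bit:   " + sigBit
                + "\n  OCSPSigning in EKU:     " + (eku != null && eku.contains(OCSP_SIGNING_OID))
                + "\n  initVerify would throw: " + refusedForVerify(kuCritical, ku);
    }

    public static void main(String[] args) throws Exception {
        if (args.length == 1) {   // PEM or DER certificate file supplied by the reader
            try (InputStream in = new FileInputStream(args[0])) {
                X509Certificate cert = (X509Certificate) CertificateFactory
                        .getInstance("X.509").generateCertificate(in);
                System.out.println(report(cert));
            }
            return;
        }
        // Constructed KeyUsage bit arrays (9 bits, index 0 = digitalSignature).
        boolean[] signing = {true, false, false, false, false, false, false, false, false};
        boolean[] caOnly  = {false, false, false, false, false, true, true, false, false};
        System.out.println("critical, signing bit set:   " + refusedForVerify(true, signing));
        System.out.println("critical, keyCertSign/cRLSign only: " + refusedForVerify(true, caOnly));
        System.out.println("non-critical, same bits:     " + refusedForVerify(false, caOnly));
        System.out.println("no KeyUsage extension:       " + refusedForVerify(false, null));
    }
}
```
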
Title: Re: [BUG] Certificate seems to be broken
Post by: kappa on September 14, 2012, 13:43:06
Oracle has made an odd change to recent Java releases (using Java 7 build 1.7.0_07-b11 here) which disables Online Certificate Validation (OCSP) by default. Not sure whether it was intentional or a bug, but all certificates (proper or not) now show the scary permissions dialog.

You can re-enable OCSP manually by going to the Java Control Panel -> Advanced Tab -> Under the Security heading tick "Enable online certificate validation" and it should work as before.

So not really a LWJGL bug or something we can fix from our side.
Title: Re: [CLOSED] Certificate seems to be broken
Post by: PlanckWalk on December 26, 2012, 08:10:11
The dialog isn't the standard "scary permissions" one.  It is an outright refusal to load.  Notice that there's no "Yes, I trust this publisher" option.  It says "The application will not be executed", and it means it.

Other signed applets and webstart apps do give the scary permission dialog, but provide the option to trust it. In this case, the Java runtime simply refuses to run it at all.

It may well be the case that this is not something you can fix from your side, but as it stands even a self-signed certificate is better than what you have. At least with a self-signed cert you get the option to trust the code anyway.
Title: Re: [CLOSED] Certificate seems to be broken
Post by: Matzon on December 26, 2012, 17:56:08
The certificate is fine and works without problems in Java 7. Please check your java installation.
Title: Re: [CLOSED] Certificate seems to be broken
Post by: PlanckWalk on December 28, 2012, 11:37:17
I've done some substantial further testing.

It worked on examples of the following systems:

Ubuntu 12.04 64-bit with Oracle 7u6,
Ubuntu 12.04 64-bit with Oracle 7u10 (same machine as previous),
Ubuntu 12.04 32-bit with Oracle 6u14,
Ubuntu 12.04 32-bit with Oracle 7u10 (same as previous),
Ubuntu 12.04 32-bit with OpenJDK 6 (same as previous),
Windows XP (!) with Oracle Java 6 (unknown update)
Windows 7 with Oracle Java 7u9,
Windows 7 with Oracle Java 7u10.

It did not work on some examples of:

Ubuntu 9.04 32-bit with Oracle 7u10,
Ubuntu 12.04 64-bit with Oracle 7u10,
Ubuntu 12.04 64-bit with OpenJDK 7 (same machine as previous line),
Windows Vista with Oracle Java 7u8,
Windows Vista with Oracle Java 7u10,
Windows 7 with Oracle Java 7u10.

In particular, the last entry on each list was the exact same system at different times. It failed to work, and later worked without changing settings. The Vista entries were also the same machine, but after uninstalling 7u8 and freshly installing 7u10.

Edit: So yes, it could be a problem with all those Java installations. If so, it seems likely to be a widespread type of problem with Java installations in general, and not a specific problem with a single person's Java installation.