12 Replies. Latest reply: Dec 17, 2012 11:23 AM by RogerL (Oracle)

Wrong key usage exception since 7u6

959559 Newbie
Hi!

I have a completely signed (DigiCert) applet which uses mixed code (JOGL). It worked well before release 7u6. After it, I get these exceptions:

sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: java.security.InvalidKeyException: Wrong key usage
at sun.security.validator.PKIXValidator.doValidate(Unknown Source)
at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
at sun.security.validator.Validator.validate(Unknown Source)
at sun.security.validator.Validator.validate(Unknown Source)
at sun.security.validator.Validator.validate(Unknown Source)
at com.sun.deploy.security.TrustDecider.validateChain(Unknown Source)
at com.sun.deploy.security.TrustDecider.isAllPermissionGranted(Unknown Source)
at com.sun.javaws.security.AppPolicy.grantUnrestrictedAccess(Unknown Source)
at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResourcesHelper(Unknown Source)
at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResources(Unknown Source)
at sun.plugin2.applet.JNLP2Manager.prepareLaunchFile(Unknown Source)
at sun.plugin2.applet.JNLP2Manager.loadJarFiles(Unknown Source)
at sun.plugin2.applet.Plugin2Manager$AppletExecutionRunnable.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Caused by: java.security.cert.CertPathValidatorException: java.security.InvalidKeyException: Wrong key usage
at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(Unknown Source)
at sun.security.provider.certpath.PKIXCertPathValidator.doValidate(Unknown Source)
at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(Unknown Source)
at java.security.cert.CertPathValidator.validate(Unknown Source)
... 14 more
Caused by: java.security.InvalidKeyException: Wrong key usage
at java.security.Signature.initVerify(Unknown Source)
at sun.security.provider.certpath.OCSPResponse.verifyResponse(Unknown Source)
at sun.security.provider.certpath.OCSPResponse.<init>(Unknown Source)
at sun.security.provider.certpath.OCSP.check(Unknown Source)
at sun.security.provider.certpath.OCSPChecker.check(Unknown Source)
... 18 more

In the newest 6u35 and 7u5 it works OK.

Any suggestions?
  • 1. Re: Wrong key usage exception since 7u6
    user12820851 Newbie
    Can you post the extensions present in the certificate that is being validated?

    Or better still, generate a debug trace of the certificate validation: rerun your application with the -Djava.security.debug=certpath system property.

    Thanks.
  • 2. Re: Wrong key usage exception since 7u6
    962183 Newbie
    We receive the same error message as described above by user 956556, when certificate validation (CRL, OCSP or both) is activated.
    The certificate is issued by "VeriSign Class 3 Code Signing 2010 CA"
    The extensions are:
    SEQUENCE :
    SEQUENCE :
    OBJECT IDENTIFIER : basicConstraints [2.5.29.19]
    OCTET STRING :
    SEQUENCE : ''
    SEQUENCE :
    OBJECT IDENTIFIER : keyUsage [2.5.29.15]
    BOOLEAN : 'ÿ'
    OCTET STRING :
    BIT STRING UnusedBits:7 : '80'
    SEQUENCE :
    OBJECT IDENTIFIER : cRLDistributionPoints [2.5.29.31]
    OCTET STRING : ''
    SEQUENCE : ''
    SEQUENCE : ''
    CONTEXT SPECIFIC (0) : ''
    CONTEXT SPECIFIC (0) : ''
    CONTEXT SPECIFIC (6) : 'http://csc3-2010-crl.verisign.com/CSC3-2010.crl'
    SEQUENCE :
    OBJECT IDENTIFIER : certificatePolicies [2.5.29.32]
    OCTET STRING :
    SEQUENCE :
    SEQUENCE :
    OBJECT IDENTIFIER :  [2.16.840.1.113733.1.7.23.3]
    SEQUENCE :
    SEQUENCE :
    OBJECT IDENTIFIER : cps [1.3.6.1.5.5.7.2.1]
    IA5 STRING : 'https://www.verisign.com/rpa'
    SEQUENCE :
    OBJECT IDENTIFIER : extKeyUsage [2.5.29.37]
    OCTET STRING :
    SEQUENCE :
    OBJECT IDENTIFIER : codeSigning [1.3.6.1.5.5.7.3.3]
    SEQUENCE :
    OBJECT IDENTIFIER : authorityInfoAccess [1.3.6.1.5.5.7.1.1]
    OCTET STRING :
    SEQUENCE :
    SEQUENCE :
    OBJECT IDENTIFIER : ocsp [1.3.6.1.5.5.7.48.1]
    CONTEXT SPECIFIC (6) : 'http://ocsp.verisign.com'
    SEQUENCE :
    OBJECT IDENTIFIER : caIssuers [1.3.6.1.5.5.7.48.2]
    CONTEXT SPECIFIC (6) : 'http://csc3-2010-aia.verisign.com/CSC3-2010.cer'
    SEQUENCE :
    OBJECT IDENTIFIER : authorityKeyIdentifier [2.5.29.35]
    OCTET STRING :
    SEQUENCE :
    CONTEXT SPECIFIC (0) : 'CF99A9EA7B26F44BC98E8FD7F00526EFE3D2A79D'
    SEQUENCE :
    OBJECT IDENTIFIER : netscape-cert-type [2.16.840.1.113730.1.1]
    OCTET STRING :
    BIT STRING UnusedBits:4 : '10'
    SEQUENCE :
    OBJECT IDENTIFIER : spcFinancialCriteriaInfo [1.3.6.1.4.1.311.2.1.27]
    OCTET STRING :
    SEQUENCE :
    BOOLEAN : '00'
    BOOLEAN : 'ÿ'
  • 3. Re: Wrong key usage exception since 7u6
    962980 Newbie
    We also have a signed (DigiCert) applet which stopped working in 7u6 and 7u7 ("Wrong key usage").

    As a workaround, users can disable "Enable online certificate validation" in the Java Control Panel -> Advanced -> Security -> General section. Note that this workaround seems to conflict with a workaround mentioned for getting JNLP applets to work (http://www.java.net/forum/topic/jdk/java-se-snapshots-project-feedback/os-x-jdk-7u6-will-not-run-signed-jnlp-apps).

    I'm not sure how to get cert debugging from a browser, but wireshark captured the OCSP reply. It contains a signedCertificate with 4 extensions that consist of the following bytes:
    0000 30 0b 06 03 55 1d 0f 04 04 03 02 07 80 30 0c 06 0...U........0..
    0010 03 55 1d 13 01 01 ff 04 02 30 00 30 13 06 03 55 .U.......0.0...U
    0020 1d 25 04 0c 30 0a 06 08 2b 06 01 05 05 07 03 09 .%..0...+.......
    0030 30 0f 06 09 2b 06 01 05 05 07 30 01 05 04 02 05 0...+.....0.....
    0040 00 .

    (id-ce-keyUsage, id-ce-basicConstraints, id-ce-extKeyUsage, id-pkix-ocsp-nocheck)

    Please advise whether this is an issue with the OCSP reply from DigiCert or with the response parser in the JDK, and whether anything can be done. As more folks upgrade beyond 7u5 this could become a major issue fast.
  • 4. Re: Wrong key usage exception since 7u6
    smullan Newbie
    959977 wrote:
    We also have a signed (DigiCert) applet which stopped working in 7u6 and 7u7 ("Wrong key usage").

    As a workaround, users can disable "Enable online certificate validation" in the Java Control Panel -> Advanced -> Security -> General section. Note that this workaround seems to conflict with a workaround mentioned for getting JNLP applets to work (http://www.java.net/forum/topic/jdk/java-se-snapshots-project-feedback/os-x-jdk-7u6-will-not-run-signed-jnlp-apps).
    Out of curiosity, did you at some point in the past check (enable) the "Enable online certificate validation" box in the Java Control Panel? I ask because normally this option is disabled (unchecked) by default, so you would not be affected by this issue. Thanks for this information.
  • 5. Re: Wrong key usage exception since 7u6
    962980 Newbie
    If I had to take a guess, I would say the option is probably disabled by default, since the general outcry seems limited for now. Although it's also somewhat early to say, since people tend not to upgrade that fast.

    More importantly though, we are dealing with a large number of users that each have their own settings which they (or some program) might or might not touch. It's a nightmare waiting to happen. Plus, if you take a look at the link I posted, having the option disabled apparently breaks signed Web Start applications. So if you use both, you'd have to toggle and restart the browser every time.
  • 6. Re: Wrong key usage exception since 7u6
    962980 Newbie
    For future treasure thread hunters, it's this bug:
    http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=7198537

    ...which has been marked as a duplicate of:
    http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=7197652

    ...which is being addressed at the time of writing:
    State      7-Fix in Progress, bug
    Priority:      2-High
  • 7. Re: Wrong key usage exception since 7u6
    962980 Newbie
    ...and a follow-up: DigiCert now has a workaround available: they can issue a new code signing certificate with intermediates that have the "DigitalSignature" flag set in the "KeyUsage" section (apparently Java expects all certificates in the chain to have this DigitalSignature flag when OCSP is enabled).

    This should be doable by any other provider as well. You can check the flags in your chain with e.g. keytool -list -v -alias ... -keystore ...
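As an added example (not code from this thread or from the JDK), here is a minimal DER walker that decodes the four responder-certificate extensions captured in reply 3 and reports the properties the thread turns on: whether keyUsage carries digitalSignature, whether extKeyUsage carries OCSPSigning (1.3.6.1.5.5.7.3.9), and whether id-pkix-ocsp-nocheck (1.3.6.1.5.5.7.48.1.5) is present. The hex bytes are the ones from the capture; the OID constants and keyUsage bit names are the RFC 5280 / RFC 6960 values.

```python
# Added example, not code from the thread or the JDK: a minimal DER walker for
# the responder-certificate extension bytes quoted in reply 3.
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
                  "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly"]
OID_KEY_USAGE, OID_EXT_KEY_USAGE = "2.5.29.15", "2.5.29.37"
OID_OCSP_SIGNING, OID_OCSP_NOCHECK = "1.3.6.1.5.5.7.3.9", "1.3.6.1.5.5.7.48.1.5"
# The 65 extension bytes from the Wireshark capture in reply 3.
RESPONDER_EXTENSIONS = bytes.fromhex(
    "300b0603551d0f040403020780" "300c0603551d130101ff04023000"
    "30130603551d25040c300a06082b06010505070309" "300f06092b060105050730010504020500")

def read_tlv(buf, pos):  # -> (tag, contents, position after this TLV)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content):
    arcs, val = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:                           # base-128 arcs, high bit = continue
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val); val = 0
    return ".".join(map(str, arcs))

def decode_extensions(der):  # OID -> keyUsage bit names / EKU OIDs / raw extnValue payload
    out, pos = {}, 0
    while pos < len(der):
        _, ext, pos = read_tlv(der, pos)            # one Extension SEQUENCE
        _, oid, p = read_tlv(ext, 0)
        tag, body, p = read_tlv(ext, p)
        if tag == 0x01:                             # skip the optional BOOLEAN critical
            tag, body, p = read_tlv(ext, p)
        oid, (_, inner, _) = decode_oid(oid), read_tlv(body, 0)
        out[oid] = body                             # default: raw extnValue payload
        if oid == OID_KEY_USAGE:                    # BIT STRING: unused-bit count, then bits
            unused, bits = inner[0], inner[1:]
            out[oid] = [KEY_USAGE_BITS[i] for i in range(len(bits) * 8 - unused)
                        if bits[i // 8] & (0x80 >> (i % 8))]
        elif oid == OID_EXT_KEY_USAGE:              # SEQUENCE OF OID
            out[oid], q = [], 0
            while q < len(inner):
                _, o, q = read_tlv(inner, q); out[oid].append(decode_oid(o))
    return out

def check_ocsp_responder(der):
    """The three properties the thread turns on, for a responder certificate's extensions."""
    exts = decode_extensions(der)
    return {"digitalSignature": "digitalSignature" in exts.get(OID_KEY_USAGE, []),
            "ocspSigning": OID_OCSP_SIGNING in exts.get(OID_EXT_KEY_USAGE, []),
            "ocspNoCheck": OID_OCSP_NOCHECK in exts}
```

Run against the bytes from reply 3, the responder certificate reports digitalSignature, OCSPSigning and ocsp-nocheck all present; the same decoder fed a CA certificate's keyUsage (typically keyCertSign and cRLSign only) shows which intermediates lack the digitalSignature bit that reply 7 says Java expects once OCSP checking is on.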
  • 8. Re: Wrong key usage exception since 7u6
    gimbal2 Guru
    Even though it doesn't affect me currently - thanks for making the effort to post the updates!
  • 9. Re: Wrong key usage exception since 7u6
    968771 Newbie
    956556 wrote:
    Hi!

    I have a completely signed (DigiCert) applet which uses mixed code (JOGL). It worked well before release 7u6. After it, I get these exceptions:
    ...

    In the newest 6u35 and 7u5 it works OK.

    Any suggestions?
    I got the same error with JRE 7u7 and still get it today with 7u9!

    "sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: java.security.InvalidKeyException: Wrong key usage"

    I disabled the online validation of certificates - and it worked! Thanks!
  • 10. Re: Wrong key usage exception since 7u6
    789532 Newbie
    So does Oracle have an answer to this problem? It's pretty bad when Oracle pushes out a new JRE and it breaks existing applications. I guess I'll just have to go back to Java 1.6.whatever.
  • 11. Re: Wrong key usage exception since 7u6
    978692 Newbie
    I also have a similar problem. Some of the Web Start applications only work if Online Verification is enabled, others only work if it's disabled!
  • 12. Re: Wrong key usage exception since 7u6
    RogerL (Oracle) Java Champion
    This has been fixed in 7u10+:
    http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=8000280

    -Roger
