12 Replies. Latest reply: Dec 17, 2012 1:23 PM by Rogerl-Oracle

    Wrong key usage exception since 7u6

    959559
      Hi!

      I have a completely signed (DigiCert) applet, which uses mixed code (JOGL). It worked well before release 7u6. After it, I have these exceptions:

      sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: java.security.InvalidKeyException: Wrong key usage
      at sun.security.validator.PKIXValidator.doValidate(Unknown Source)
      at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
      at sun.security.validator.Validator.validate(Unknown Source)
      at sun.security.validator.Validator.validate(Unknown Source)
      at sun.security.validator.Validator.validate(Unknown Source)
      at com.sun.deploy.security.TrustDecider.validateChain(Unknown Source)
      at com.sun.deploy.security.TrustDecider.isAllPermissionGranted(Unknown Source)
      at com.sun.javaws.security.AppPolicy.grantUnrestrictedAccess(Unknown Source)
      at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResourcesHelper(Unknown Source)
      at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResources(Unknown Source)
      at sun.plugin2.applet.JNLP2Manager.prepareLaunchFile(Unknown Source)
      at sun.plugin2.applet.JNLP2Manager.loadJarFiles(Unknown Source)
      at sun.plugin2.applet.Plugin2Manager$AppletExecutionRunnable.run(Unknown Source)
      at java.lang.Thread.run(Unknown Source)
      Caused by: java.security.cert.CertPathValidatorException: java.security.InvalidKeyException: Wrong key usage
      at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(Unknown Source)
      at sun.security.provider.certpath.PKIXCertPathValidator.doValidate(Unknown Source)
      at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(Unknown Source)
      at java.security.cert.CertPathValidator.validate(Unknown Source)
      ... 14 more
      Caused by: java.security.InvalidKeyException: Wrong key usage
      at java.security.Signature.initVerify(Unknown Source)
      at sun.security.provider.certpath.OCSPResponse.verifyResponse(Unknown Source)
      at sun.security.provider.certpath.OCSPResponse.<init>(Unknown Source)
      at sun.security.provider.certpath.OCSP.check(Unknown Source)
      at sun.security.provider.certpath.OCSPChecker.check(Unknown Source)
      ... 18 more

      In the newest 6u35 and 7u5 it works OK.

      Any suggestions?
        • 1. Re: Wrong key usage exception since 7u6
          user12820851
          Can you post the extensions present in the certificate that is being validated?

          Or better still, generate a debug trace of the certificate validation: rerun your application with the -Djava.security.debug=certpath system property.

          Thanks.
          • 2. Re: Wrong key usage exception since 7u6
            962183
            We receive the same error message as described above by user 956556, when certificate validation (CRL, OCSP or both) is activated.
            The certificate is issued by "VeriSign Class 3 Code Signing 2010 CA".
            The extensions are:
            SEQUENCE :
            SEQUENCE :
            OBJECT IDENTIFIER : basicConstraints [2.5.29.19]
            OCTET STRING :
            SEQUENCE : ''
            SEQUENCE :
            OBJECT IDENTIFIER : keyUsage [2.5.29.15]
            BOOLEAN : 'ÿ'
            OCTET STRING :
            BIT STRING UnusedBits:7 : '80'
            SEQUENCE :
            OBJECT IDENTIFIER : cRLDistributionPoints [2.5.29.31]
            OCTET STRING : ''
            SEQUENCE : ''
            SEQUENCE : ''
            CONTEXT SPECIFIC (0) : ''
            CONTEXT SPECIFIC (0) : ''
            CONTEXT SPECIFIC (6) : 'http://csc3-2010-crl.verisign.com/CSC3-2010.crl'
            SEQUENCE :
            OBJECT IDENTIFIER : certificatePolicies [2.5.29.32]
            OCTET STRING :
            SEQUENCE :
            SEQUENCE :
            OBJECT IDENTIFIER :  [2.16.840.1.113733.1.7.23.3]
            SEQUENCE :
            SEQUENCE :
            OBJECT IDENTIFIER : cps [1.3.6.1.5.5.7.2.1]
            IA5 STRING : 'https://www.verisign.com/rpa'
            SEQUENCE :
            OBJECT IDENTIFIER : extKeyUsage [2.5.29.37]
            OCTET STRING :
            SEQUENCE :
            OBJECT IDENTIFIER : codeSigning [1.3.6.1.5.5.7.3.3]
            SEQUENCE :
            OBJECT IDENTIFIER : authorityInfoAccess [1.3.6.1.5.5.7.1.1]
            OCTET STRING :
            SEQUENCE :
            SEQUENCE :
            OBJECT IDENTIFIER : ocsp [1.3.6.1.5.5.7.48.1]
            CONTEXT SPECIFIC (6) : 'http://ocsp.verisign.com'
            SEQUENCE :
            OBJECT IDENTIFIER : caIssuers [1.3.6.1.5.5.7.48.2]
            CONTEXT SPECIFIC (6) : 'http://csc3-2010-aia.verisign.com/CSC3-2010.cer'
            SEQUENCE :
            OBJECT IDENTIFIER : authorityKeyIdentifier [2.5.29.35]
            OCTET STRING :
            SEQUENCE :
            CONTEXT SPECIFIC (0) : 'CF99A9EA7B26F44BC98E8FD7F00526EFE3D2A79D'
            SEQUENCE :
            OBJECT IDENTIFIER : netscape-cert-type [2.16.840.1.113730.1.1]
            OCTET STRING :
            BIT STRING UnusedBits:4 : '10'
            SEQUENCE :
            OBJECT IDENTIFIER : spcFinancialCriteriaInfo [1.3.6.1.4.1.311.2.1.27]
            OCTET STRING :
            SEQUENCE :
            BOOLEAN : '00'
            BOOLEAN : 'ÿ'
            • 3. Re: Wrong key usage exception since 7u6
              962980
              We also have a signed (DigiCert) applet which stopped working in 7u6 and 7u7 ("Wrong key usage").

              As a workaround, users can disable "Enable online certificate validation" in the Java Control Panel -> Advanced -> Security -> General section. Note that this workaround seems to conflict with a workaround mentioned for getting JNLP applets to work (http://www.java.net/forum/topic/jdk/java-se-snapshots-project-feedback/os-x-jdk-7u6-will-not-run-signed-jnlp-apps).

              I'm not sure how to get cert debugging from a browser, but Wireshark captured the OCSP reply. It contains a signedCertificate with 4 extensions that consist of the following bytes:
              0000 30 0b 06 03 55 1d 0f 04 04 03 02 07 80 30 0c 06 0...U........0..
              0010 03 55 1d 13 01 01 ff 04 02 30 00 30 13 06 03 55 .U.......0.0...U
              0020 1d 25 04 0c 30 0a 06 08 2b 06 01 05 05 07 03 09 .%..0...+.......
              0030 30 0f 06 09 2b 06 01 05 05 07 30 01 05 04 02 05 0...+.....0.....
              0040 00 .

              (id-ce-keyUsage, id-ce-basicConstraints, id-ce-extKeyUsage, id-pkix-ocsp-nocheck)

              Please advise whether this is an issue with the OCSP reply from DigiCert or with the response parser in the JDK, and whether anything can be done. As more folks upgrade beyond 7u5 this could become a major issue fast.
              • 4. Re: Wrong key usage exception since 7u6
                smullan
                959977 wrote:
                We also have a signed (DigiCert) applet which stopped working in 7u6 and 7u7 ("Wrong key usage").

                As a workaround, users can disable "Enable online certificate validation" in the Java Control Panel -> Advanced -> Security -> General section. Note that this workaround seems to conflict with a workaround mentioned for getting JNLP applets to work (http://www.java.net/forum/topic/jdk/java-se-snapshots-project-feedback/os-x-jdk-7u6-will-not-run-signed-jnlp-apps).
                Out of curiosity, did you at some point in the past check (enable) the "Enable online certificate validation" box in the Java Control Panel? I ask because normally this option is disabled (unchecked) by default, so you would not be affected by this issue. Thanks for this information.
                • 5. Re: Wrong key usage exception since 7u6
                  962980
                  If I had to take a guess I would say the option is probably disabled by default since the general outcry seems limited for now. Although it's also somewhat early to say, since people tend to not upgrade that fast.

                  More importantly, though, we are dealing with a large number of users that each have their own settings which they (or some program) might or might not touch. It's a nightmare waiting to happen. Plus, if you take a look at the link I posted, having the option disabled apparently breaks signed Web Start applications. So if you use both you'd have to toggle and restart the browser every time.
                  • 6. Re: Wrong key usage exception since 7u6
                    962980
                    For future treasure thread hunters, it's this bug:
                    http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=7198537

                    ..which has been marked as a duplicate of:
                    http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=7197652

                    ..which is being addressed at the time of writing:
                    State: 7-Fix in Progress, bug
                    Priority: 2-High
                    • 7. Re: Wrong key usage exception since 7u6
                      962980
                      ..and a follow-up: DigiCert now has a workaround available: they can issue a new code signing certificate with intermediates that have the "DigitalSignature" flag set in the "KeyUsage" section (apparently Java expects all certificates in the chain to have this DigitalSignature flag when OCSP is enabled).

                      This should be doable by any other provider as well. You can check the flags in your chain with e.g. keytool -list -v -alias ... -keystore ...
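                      As an added example (not code from the thread, DigiCert or the JDK), the following Python decodes the four extension byte values captured in reply 3 and applies the check reply 7 describes: which KeyUsage bits are set and which extended key usages are present. The input is constructed by re-typing that hex dump; the parser handles only the short-form DER lengths the dump uses, and the same decoder works on a CA-style KeyUsage value (keyCertSign, cRLSign) to show a certificate that lacks the digitalSignature bit.

```python
# Added example, not from the thread. Constructed input: the 65 bytes re-typed from the
# OCSP responder certificate extensions in reply 3 (short-form DER lengths only).
OCSP_RESPONDER_EXTENSIONS = bytes.fromhex(
    "300b0603551d0f040403020780"                   # keyUsage
    "300c0603551d130101ff04023000"                 # basicConstraints (critical)
    "30130603551d25040c300a06082b06010505070309"   # extKeyUsage
    "300f06092b060105050730010504020500"           # id-pkix-ocsp-nocheck
)
# RFC 5280 KeyUsage bit names, in bit order (bit 0 = digitalSignature).
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
                  "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly"]
EKU_NAMES = {"1.3.6.1.5.5.7.3.3": "codeSigning", "1.3.6.1.5.5.7.3.9": "OCSPSigning"}

def read_tlv(buf, pos):  # one DER TLV at pos -> (tag, content, next_pos); short-form length
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content):  # OBJECT IDENTIFIER content -> dotted string (base-128 arcs)
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                           # high bit clear: last byte of this arc
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def decode_key_usage(bits):  # BIT STRING content (byte 0 = unused-bit count) -> set bit names
    nbits = (len(bits) - 1) * 8 - bits[0]
    return [KEY_USAGE_BITS[i] for i in range(nbits) if bits[1 + i // 8] & (0x80 >> i % 8)]

def parse_extensions(buf):  # concatenated Extension SEQUENCEs -> {oid: (critical, decoded)}
    out, pos = {}, 0
    while pos < len(buf):
        _, ext, pos = read_tlv(buf, pos)           # Extension ::= SEQUENCE {extnID, critical?, extnValue}
        _, oid_bytes, p = read_tlv(ext, 0)
        oid, critical = decode_oid(oid_bytes), False
        tag, val, p = read_tlv(ext, p)
        if tag == 0x01:                            # optional BOOLEAN critical (DEFAULT FALSE)
            critical, (tag, val, p) = val == b"\xff", read_tlv(ext, p)
        decoded = val.hex()                        # default: raw extnValue as hex
        if oid == "2.5.29.15":                     # keyUsage: OCTET STRING wrapping a BIT STRING
            decoded = decode_key_usage(read_tlv(val, 0)[1])
        elif oid == "2.5.29.37":                   # extKeyUsage: SEQUENCE OF OID
            seq, q, decoded = read_tlv(val, 0)[1], 0, []
            while q < len(seq):
                _, o, q = read_tlv(seq, q)
                decoded.append(EKU_NAMES.get(decode_oid(o), decode_oid(o)))
        out[oid] = (critical, decoded)
    return out

def has_digital_signature(exts):  # reply 7's check: is digitalSignature set in keyUsage?
    return "digitalSignature" in exts.get("2.5.29.15", (False, []))[1]
```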
                      • 8. Re: Wrong key usage exception since 7u6
                        gimbal2
                        Even though it doesn't affect me currently - thanks for making the effort to post the updates!
                        • 9. Re: Wrong key usage exception since 7u6
                          968771
                          956556 wrote:
                          Hi!

                          I have a completely signed (DigiCert) applet, which uses mixed code (JOGL). It worked well before release 7u6. After it, I have these exceptions:
                          ...

                          In the newest 6u35 and 7u5 it works OK.

                          Any suggestions?
                          I got the same error with JRE 7u7 and still get it today with 7u9!

                          "sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: java.security.InvalidKeyException: Wrong key usage"

                          I disabled the online validation of certificates - and it worked! Thanks!
                          • 10. Re: Wrong key usage exception since 7u6
                            789532
                            So does Oracle have an answer to this problem? It's pretty bad when Oracle pushes out a new JRE and it breaks existing applications. I guess I'll just have to go back to Java 1.6.whatever.
                            • 11. Re: Wrong key usage exception since 7u6
                              978692
                              I also have a similar problem. Some of the webstart application only work if Online Verification is enabled, others only work if it's disabled!
                              • 12. Re: Wrong key usage exception since 7u6
                                Rogerl-Oracle
                                This has been fixed in 7u10+
                                http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=8000280

                                -Roger