
OS X JDK 7u6 will not run signed jnlp apps

bernie
Joined: 2004-06-28

When attempting to run any signed web start application
(e.g., http://sscweb.gsfc.nasa.gov/skteditor/ [Thawte issued code signing certificate])
on JDK 7u6 on Mac OS X 10.7, I get

window 1: Starting application...
window 2: Warning - Security
Failed to validate certificate.
The application will not be executed.
Details window:
java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: java.security.InvalidKeyException: Wrong key usage
at com.sun.deploy.security.TrustDecider.doCheckRevocationStatus(Unknown Source)
at com.sun.deploy.security.TrustDecider.validateChain(Unknown Source)
at com.sun.deploy.security.TrustDecider.isAllPermissionGranted(Unknown Source)
at com.sun.javaws.security.AppPolicy.grantUnrestrictedAccess(Unknown Source)
at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResourcesHelper(Unknown Source)
at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResources(Unknown Source)
at com.sun.javaws.Launcher.prepareResources(Unknown Source)
at com.sun.javaws.Launcher.prepareAllResources(Unknown Source)
at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
at com.sun.javaws.Launcher.launch(Unknown Source)
at com.sun.javaws.Main.launchApp(Unknown Source)
at com.sun.javaws.Main.continueInSecureThread(Unknown Source)
at com.sun.javaws.Main.access$000(Unknown Source)
at com.sun.javaws.Main$1.run(Unknown Source)
at java.lang.Thread.run(Thread.java:722)
Caused by: java.security.cert.CertPathValidatorException: java.security.InvalidKeyException: Wrong key usage
at sun.security.provider.certpath.OCSPResponse.verifyResponse(OCSPResponse.java:541)
at sun.security.provider.certpath.OCSPResponse.<init>(OCSPResponse.java:494)
at sun.security.provider.certpath.OCSP.check(OCSP.java:261)
at sun.security.provider.certpath.OCSP.check(OCSP.java:165)
at sun.security.provider.certpath.OCSP.check(OCSP.java:130)
at com.sun.deploy.security.TrustDecider.doOCSPEEValidation(Unknown Source)
... 16 more
Caused by: java.security.InvalidKeyException: Wrong key usage
at java.security.Signature.initVerify(Signature.java:490)
at sun.security.provider.certpath.OCSPResponse.verifyResponse(OCSPResponse.java:524)
... 21 more

I've tried several different applications that were signed with different certificates, and always the same result. These applications all work on other platforms (Windows, Linux, Solaris) and on OS X with Java 6. Something seems to be broken in 7u6 for OS X. Has anyone else seen this?

namtuan
Joined: 2012-07-24

It seems on MacOS, OCSP validation should be explicitly enabled with the deployment.properties entry:
deployment.security.validation.ocsp=true
or using the Java control panel: System Preferences > Other > Java > Advanced > "Enable online certificate validation".
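
For administrators who need to apply the deployment.properties entry above without asking each user to open the control panel, here is a sketch of an idempotent update. It is an added example, not part of the original post; the function names are hypothetical and the path to deployment.properties is an assumption supplied by the caller.

```shell
#!/bin/sh
# Added example: idempotently set KEY=VALUE in a Java deployment.properties file.
# Usage: set_deployment_prop FILE KEY VALUE   (FILE path is chosen by the caller)
set_deployment_prop() {
    file=$1 key=$2 value=$3
    dir=$(dirname "$file")
    mkdir -p "$dir" || return 1
    [ -f "$file" ] || : > "$file" || return 1
    # Write to a temp file in the same directory so the final mv is a rename
    tmp=$(mktemp "$dir/.deployment.XXXXXX") || return 1
    # Replace every active line for KEY with one entry; keep comments and other keys
    awk -v k="$key" -v v="$value" '
        BEGIN { FS = "=" }
        { name = $1; gsub(/^[ \t]+|[ \t]+$/, "", name) }
        name == k { if (!done) print k "=" v; done = 1; next }
        { print }
        END { if (!done) print k "=" v }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$file"
}

# Print the effective value of KEY in FILE (last assignment wins), empty if unset.
get_deployment_prop() {
    awk -v k="$2" '
        BEGIN { FS = "=" }
        { name = $1; gsub(/^[ \t]+|[ \t]+$/, "", name) }
        name == k && index($0, "=") { val = substr($0, index($0, "=") + 1) }
        END { gsub(/^[ \t]+|[ \t]+$/, "", val); print val }
    ' "$1"
}

# Demo on a constructed sample file in a temp directory (not a real user profile)
demo=$(mktemp -d)
printf '%s\n' 'deployment.version=7.0' \
    'deployment.security.validation.ocsp=false' > "$demo/deployment.properties"
set_deployment_prop "$demo/deployment.properties" \
    deployment.security.validation.ocsp true
cat "$demo/deployment.properties"
rm -rf "$demo"
```

Running `get_deployment_prop` before and after the change gives a quick audit of which machines still have online certificate validation switched off.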

bernie
Joined: 2004-06-28

Thanks for the workaround. It is strange that enabling OCSP is not required on other platforms. Manually enabling OCSP is also likely to be a hassle for our end users. But now I can do some other testing with Java 7 on Macs.

mschorn
Joined: 2012-08-24

Probably this is not only an OS X problem. I have the same issue on Win 7 (64Bit) with JRE 1.7.0u6 (64Bit). Enabling OCSP works here too.

Best wishes,
Michael

s_kovatch
Joined: 2008-10-22

As of 7u10, this appears to be working now with the default settings. It's hard to know if the application changed or if we fixed something along the way in 7u7 - 7u10.