[security-dev 01659]: Code review request: 6923681: Jarsigner crashes during timestamping
Max (Weijun) Wang
Weijun.Wang at Sun.COM
Tue Mar 2 01:03:04 UTC 2010
Hi Vinnie
Turns out it's not related to LDAP at all. Just a small coding error, already confirmed by customer. Please take a review:
http://cr.openjdk.java.net/~weijun/6923681/webrev.00
Bug is:
http://bugs.sun.com/view_bug.do?bug_id=6923681
No reg test. Trivial code update.
Why hasn't Findbugs noticed it?
Thanks
Max
On Feb 9, 2010, at 5:32 PM, Vincent Ryan wrote:
> This is an interesting one Max. Our LDAP provider already supports LDAP server
> discovery (ldap:///). Do you have the offending certificates?
>
>
> On 09/02/2010 09:12, Weijun.Wang at Sun.COM wrote:
>>
>> *Change Request ID*: 6923681
>>
>> *Synopsis*: Jarsigner crashes during timestamping
>>
>> === *Description* ============================================================
>> FULL PRODUCT VERSION :
>> java version "1.6.0_18"
>> Java(TM) SE Runtime Environment (build 1.6.0_18-b07)
>> Java HotSpot(TM) Client VM (build 16.0-b13, mixed mode, sharing)
>>
>> ADDITIONAL OS VERSION INFORMATION :
>> Microsoft Windows XP [Version 5.1.2600]
>>
>> A DESCRIPTION OF THE PROBLEM :
>> When timestamping a Java jar, the jarsigner crashes with a NullPointerException.
>>
>> The issuing CA of the TSA certificate has multiple revocation list distribution points. Two of the distribution points start with ldap and do not contain server names:
>>
>> URL=ldap:///CN=MY-CA,CN=AAAAAA,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=ad,DC=oenb,DC=co,DC=at?certificateRevocationList?base?objectClass=cRLDistributionPoint.
>>
>> We assume that the absence of the servername is the reason for jarsigner to crash with the null-pointer exception.
>>
>> This is the Windows default behaviour when creating certificates.
>>
>> STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
>> Create a Microsoft Windows CA which has LDAP distribution points but no server names listed.
>>
>> Issue a timestamping certificate from this Windows CA. Then try to timestamp some jar with this server.
>>
>> EXPECTED VERSUS ACTUAL BEHAVIOR :
>> EXPECTED -
>> jarsigner should handle the revocation list distribution points correctly. If at least one distribution point can be reached (like http://xxxx/xxx.crl), the jar should be timestamped correctly.
>> ACTUAL -
>> jarsigner crashes.
>>
>> ERROR MESSAGES/STACK TRACES THAT OCCUR :
>> jarsigner error: java.lang.NullPointerException
>>
>> REPRODUCIBILITY :
>> This bug can be reproduced always.
>>
>> ---------- BEGIN SOURCE ----------
>> n/a, just timestamp an arbitrary jar using jarsigner
>> ---------- END SOURCE ----------
>>
>> CUSTOMER SUBMITTED WORKAROUND :
>> Create an AD CA that includes server names in all revocation list distribution points.
>>
>> *** (#1 of 1): 2010-02-05 09:31:33 GMT+00:00 nelson.dcosta at sun.com
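As an added example (not the OpenJDK change in the webrev, which is not reproduced on this page), the kind of check a signer can apply to a certificate's CRL distribution point list so that a host-less ldap:/// entry is skipped and the remaining points are still tried. It assumes, as the report does, that the empty server name is what triggers the NullPointerException (java.net.URI returns null from getHost() for such URIs); the class name, method name and sample URIs are constructed for the example.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.ArrayList;
import java.util.List;

/**
 * Added example: filter CRL distribution point URIs before any of them is
 * dereferenced. An "ldap:///..." URI has an empty authority, so
 * URI.getHost() returns null; code that calls a method on that host without
 * a null check would throw NullPointerException (assumed cause, see report).
 */
public final class CrlDistributionPoints {

    /** Constructed sample modelled on the report: two host-less LDAP points, one HTTP point. */
    static final String[] SAMPLE = {
        "ldap:///CN=MY-CA,CN=CDP,CN=Public%20Key%20Services,DC=example,DC=com"
            + "?certificateRevocationList?base?objectClass=cRLDistributionPoint",
        "ldap:///CN=MY-CA,CN=CDP,DC=example,DC=com?certificateRevocationList",
        "http://crl.example.com/my-ca.crl"
    };

    /** Returns only the points that name a concrete server to fetch from. */
    static List<URI> usableDistributionPoints(String[] dps) {
        List<URI> usable = new ArrayList<>();
        for (String dp : dps) {
            URI uri;
            try {
                uri = new URI(dp);
            } catch (URISyntaxException e) {
                continue; // malformed point: skip it, never abort the whole signing run
            }
            String host = uri.getHost();
            if ("ldap".equalsIgnoreCase(uri.getScheme()) && (host == null || host.isEmpty())) {
                // ldap:/// means "locate the directory server yourself" (the
                // Windows CA default); there is no host to connect to, so move on.
                continue;
            }
            if (host == null) {
                continue; // relative or opaque URI: nothing to fetch
            }
            usable.add(uri);
        }
        return usable;
    }

    public static void main(String[] args) {
        System.out.println("usable distribution points: " + usableDistributionPoints(SAMPLE));
    }
}
```

With the constructed sample, only the HTTP point survives the filter, which matches the reporter's expectation that one reachable distribution point should be enough for the timestamping to proceed.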