[security-dev 01660]: Re: Code review request: 6923681: Jarsigner crashes during timestamping

Vincent Ryan Vincent.Ryan at Sun.COM
Tue Mar 2 01:29:02 PST 2010


Your fix looks good. Thanks.

On 02/03/2010 01:03, Max (Weijun) Wang wrote:
> Hi Vinnie
> 
> Turns out it's not related to LDAP at all. Just a small coding error, already confirmed by customer. Please take a review:
> 
>    http://cr.openjdk.java.net/~weijun/6923681/webrev.00
> 
> Bug is:
> 
>    http://bugs.sun.com/view_bug.do?bug_id=6923681
> 
> No reg test. Trivial code update.
> 
> Why hasn't Findbugs noticed it?
> 
> Thanks
> Max
> 
> On Feb 9, 2010, at 5:32 PM, Vincent Ryan wrote:
> 
>> This is an interesting one Max. Our LDAP provider already supports LDAP server
>> discovery (ldap:///). Do you have the offending certificates?
>>
>>
>> On 09/02/2010 09:12, Weijun.Wang at Sun.COM wrote:
>>>
>>> *Change Request ID*: 6923681
>>>
>>> *Synopsis*: Jarsigner crashes during timestamping
>>>
>>> === *Description* ============================================================
>>> FULL PRODUCT VERSION :
>>> java version "1.6.0_18"
>>> Java(TM) SE Runtime Environment (build 1.6.0_18-b07)
>>> Java HotSpot(TM) Client VM (build 16.0-b13, mixed mode, sharing)
>>>
>>> ADDITIONAL OS VERSION INFORMATION :
>>> Microsoft Windows XP [Version 5.1.2600]
>>>
>>> A DESCRIPTION OF THE PROBLEM :
>>> When timestamping a java-jar, the jarsigner crashes with a NullPointerException.
>>>
>>> The issuing CA of the TSA-certificate has multiple revocation list distribution points. Two of the distribution points start with ldap and do not contain servernames
>>>
>>> URL=ldap:///CN=MY-CA,CN=AAAAAA,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=ad,DC=oenb,DC=co,DC=at?certificateRevocationList?base?objectClass=cRLDistributionPoint.
>>>
>>> We assume that the absence of the servername is the reason for jarsigner to crash with the null-pointer exception.
>>>
>>> This is the Windows default behaviour when creating certificates.
>>>
>>> STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
>>> Create a Microsoft Windows CA, which has ldap distribution points but no servernames listed.
>>>
>>> Issue a timestamping-certificate from this windows ca. Then try to timestamp some jar with this server.
>>>
>>> EXPECTED VERSUS ACTUAL BEHAVIOR :
>>> EXPECTED -
>>> jarsigner should handle the revocation list distribution points correctly. If at least one distribution point can be reached (like http://xxxx/xxx.crl), the jar should be timestamped correctly.
>>> ACTUAL -
>>> jarsigner crashes.
>>>
>>> ERROR MESSAGES/STACK TRACES THAT OCCUR :
>>> jarsigner error: java.lang.NullPointerException
>>>
>>> REPRODUCIBILITY :
>>> This bug can be reproduced always.
>>>
>>> ---------- BEGIN SOURCE ----------
>>> n/a, just timestamp an arbitrary jar using jarsigner
>>> ---------- END SOURCE ----------
>>>
>>> CUSTOMER SUBMITTED WORKAROUND :
>>> create an AD-CA that includes servernames in all revocation list distribution points
>>>
>>> *** (#1 of 1): 2010-02-05 09:31:33 GMT+00:00 nelson.dcosta at sun.com
> 
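Added illustration of the failure mode described in the bug report (my own Java, not the JDK's code and not the change in the webrev linked above): a CRL distribution point URL of the form "ldap:///CN=..." parses fine with java.net.URI, but getHost() returns null, so any code that dereferences the host without a check throws the NullPointerException the customer saw. The hostNaive method reproduces that symptom as an assumed shape of the error; the classify/usable methods show the defensive handling a verifier would want, where a hostless LDAP entry is reported and skipped so that a reachable HTTP distribution point can still be used. All distribution point values below are constructed placeholders, not the customer's.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.Optional;

/** Hypothetical helper, not JDK code: classifying CRL distribution points safely. */
public final class CrlDistributionPoints {

    /** Outcome of examining one distribution point URL. */
    public enum Status { HTTP_FETCHABLE, LDAP_WITH_HOST, LDAP_NO_HOST, UNSUPPORTED, MALFORMED }

    /**
     * Naive host extraction (assumed shape of the reported bug): "ldap:///..." has
     * an empty authority, so URI.getHost() is null and toLowerCase() throws NPE.
     */
    public static String hostNaive(String dp) throws URISyntaxException {
        URI uri = new URI(dp);
        return uri.getHost().toLowerCase(Locale.ROOT);   // NullPointerException when no host
    }

    /** Defensive host extraction: an absent host is a legitimate outcome, not an error. */
    public static Optional<String> host(URI uri) {
        String h = uri.getHost();
        return (h == null || h.isEmpty()) ? Optional.empty() : Optional.of(h.toLowerCase(Locale.ROOT));
    }

    public static Status classify(String dp) {
        URI uri;
        try {
            uri = new URI(dp);
        } catch (URISyntaxException e) {
            return Status.MALFORMED;
        }
        String scheme = uri.getScheme() == null ? "" : uri.getScheme().toLowerCase(Locale.ROOT);
        switch (scheme) {
            case "http":
            case "https":
                return host(uri).isPresent() ? Status.HTTP_FETCHABLE : Status.MALFORMED;
            case "ldap":
                // "ldap:///<dn>" leaves server selection to the client (the default form
                // emitted by a Windows AD CA). Without a configured directory there is
                // nothing to connect to, so report it rather than dereferencing null.
                return host(uri).isPresent() ? Status.LDAP_WITH_HOST : Status.LDAP_NO_HOST;
            default:
                return Status.UNSUPPORTED;
        }
    }

    /** Keep only the distribution points a plain HTTP/LDAP client can actually contact. */
    public static List<String> usable(List<String> dps) {
        List<String> out = new ArrayList<>();
        for (String dp : dps) {
            Status s = classify(dp);
            if (s == Status.HTTP_FETCHABLE || s == Status.LDAP_WITH_HOST) {
                out.add(dp);
            }
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample in the shape of the bug report; DNs and hostnames are placeholders.
        List<String> dps = List.of(
            "ldap:///CN=MY-CA,CN=AAAAAA,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=example,DC=test?certificateRevocationList?base?objectClass=cRLDistributionPoint",
            "ldap://directory.example.test/CN=MY-CA,CN=CDP?certificateRevocationList?base?objectClass=cRLDistributionPoint",
            "http://pki.example.test/MY-CA.crl");

        for (String dp : dps) {
            System.out.println(classify(dp) + "  " + dp);
        }
        // Expected: the hostless ldap:/// entry is dropped, the other two remain.
        System.out.println("usable: " + usable(dps));

        try {
            hostNaive(dps.get(0));
        } catch (URISyntaxException | NullPointerException e) {
            System.out.println("naive extraction failed: " + e);
        }
    }
}
```

Run with `java CrlDistributionPoints.java` (Java 11 or later). The point for anyone validating a TSA or signing chain is that a missing host in a CRL distribution point is a normal, expected input from Active Directory CAs, so revocation-fetching code must treat it as "skip this DP and try the next one" rather than as an impossible state.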