IOE causes failure in com.sun.deploy.security.RevocationChecker.checkOCSP from 7u25 and up
Matthew Hall
mhall at mhcomputing.net
Mon Aug 5 18:33:57 UTC 2013
We have a customer that is seeing the following exception in JDK7u25 after
revocation checking was enabled by default:
java.security.cert.CertificateException:
java.security.cert.CertPathValidatorException: java.io.IOException:
DerInputStream.getLength(): lengthTag=127, too big.
at com.sun.deploy.security.RevocationChecker.checkOCSP(Unknown Source)
at com.sun.deploy.security.RevocationChecker.check(Unknown Source)
at com.sun.deploy.security.TrustDecider.checkRevocationStatus(Unknown Source)
at com.sun.deploy.security.TrustDecider.getValidationState(Unknown Source)
at com.sun.deploy.security.TrustDecider.validateChain(Unknown Source)
Caused by: java.security.cert.CertPathValidatorException: java.io.IOException:
DerInputStream.getLength(): lengthTag=127, too big.
at sun.security.provider.certpath.OCSP.check(Unknown Source)
at sun.security.provider.certpath.OCSP.check(Unknown Source)
at sun.security.provider.certpath.OCSP.check(Unknown Source)
... 35 more
Caused by: java.io.IOException: DerInputStream.getLength(): lengthTag=127, too big.
at sun.security.util.DerInputStream.getLength(Unknown Source)
at sun.security.util.DerValue.init(Unknown Source)
at sun.security.util.DerValue.<init>(Unknown Source)
at sun.security.provider.certpath.OCSPResponse.<init>(Unknown Source)
... 38 more
However, this com.sun.deploy.* code doesn't seem to be part of OpenJDK or
IcedTea, so it's not possible for the community to recompile it with symbols,
debug it, and find the cause.
I did notice, in the code for sun.security.provider.certpath.OCSP.check (which
is available), a way to get some logs from part of this code:
private static final Debug debug = Debug.getInstance("certpath");
But I haven't had a chance to try that at the customer who found the issue.
I suspect that the code reacts poorly if it sees unexpected characters in
blocked OCSP sockets, but I can't tell without being able to read checkOCSP to
see what it's really doing in there. Can anyone take a look?
Thanks,
Matthew.
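To make the reported error concrete, here is an added example (not OpenJDK or deploy code) that reimplements the length check from sun.security.util.DerInputStream.getLength() and runs it over constructed OCSP reply bodies: a minimal valid OCSPResponse, a body whose length byte is 0xFF (low 7 bits = 127, exactly the "lengthTag=127, too big" in the trace), and an HTML block page of the kind a filtered OCSP port might return. All sample bodies are constructed, not captured from the customer's environment.

```python
class DerError(ValueError):
    """Raised for the same conditions the JDK reports as IOException."""


def der_length(buf, pos):
    """Decode a DER length starting at buf[pos]; return (length, next_pos).

    Mirrors DerInputStream.getLength(): a first byte below 0x80 is the
    length itself; otherwise its low 7 bits give the number of length
    bytes, which the JDK caps at 4 (0xFF therefore yields lengthTag=127).
    """
    if pos >= len(buf):
        raise DerError("short read")
    first = buf[pos]
    pos += 1
    if first & 0x80 == 0:
        return first, pos
    count = first & 0x7F
    if count == 0:
        raise DerError("indefinite length is not DER")
    if count > 4:
        raise DerError(f"DerInputStream.getLength(): lengthTag={count}, too big.")
    if pos + count > len(buf):
        raise DerError("short read")
    return int.from_bytes(buf[pos:pos + count], "big"), pos + count


def check_ocsp_response_framing(body):
    """Return 'ok' if body is framed like a DER OCSPResponse (one top-level
    SEQUENCE whose length fills the body); otherwise describe the problem.
    Useful when diagnosing what a responder or intercepting proxy sent."""
    if not body:
        return "empty body"
    if body[0] != 0x30:
        return f"first byte 0x{body[0]:02x} is not a DER SEQUENCE tag"
    try:
        length, hdr = der_length(body, 1)
    except DerError as e:
        return str(e)
    if hdr + length != len(body):
        return f"declared length {length} does not match body size"
    return "ok"


# Constructed sample bodies (hypothetical, for illustration only):
# OCSPResponse { responseStatus tryLater(3) } with no responseBytes
GOOD = bytes.fromhex("30030a0103")
# SEQUENCE tag followed by length byte 0xFF: reproduces the reported error
BAD_LENGTH = b"\x30\xff\x00\x00"
# what a blocked OCSP connection behind a filtering proxy may hand back
BLOCK_PAGE = b"<html><body>Access denied</body></html>"
```

Running check_ocsp_response_framing over the actual bytes returned by the responder URL (fetched with the same proxy settings the JRE uses) tells you whether the failure is a malformed OCSP reply or a non-DER substitute before touching the closed deploy code.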