IOE causes failure in com.sun.deploy.security.RevocationChecker.checkOCSP from 7u25 and up

Matthew Hall mhall at mhcomputing.net
Mon Aug 5 18:33:57 UTC 2013 

We have a customer that is seeing the following exception in JDK7u25 after 
revocation checking was enabled by default:

java.security.cert.CertificateException: 
java.security.cert.CertPathValidatorException: java.io.IOException: 
DerInputStream.getLength(): lengthTag=127, too big.
    at com.sun.deploy.security.RevocationChecker.checkOCSP(Unknown Source)
    at com.sun.deploy.security.RevocationChecker.check(Unknown Source)
    at com.sun.deploy.security.TrustDecider.checkRevocationStatus(Unknown Source)
    at com.sun.deploy.security.TrustDecider.getValidationState(Unknown Source)
    at com.sun.deploy.security.TrustDecider.validateChain(Unknown Source)
Caused by: java.security.cert.CertPathValidatorException: java.io.IOException: 
DerInputStream.getLength(): lengthTag=127, too big.
    at sun.security.provider.certpath.OCSP.check(Unknown Source)
    at sun.security.provider.certpath.OCSP.check(Unknown Source)
    at sun.security.provider.certpath.OCSP.check(Unknown Source)
    ... 35 more
Caused by: java.io.IOException: DerInputStream.getLength(): lengthTag=127, too big.
    at sun.security.util.DerInputStream.getLength(Unknown Source)
    at sun.security.util.DerValue.init(Unknown Source)
    at sun.security.util.DerValue.<init>(Unknown Source)
    at sun.security.provider.certpath.OCSPResponse.<init>(Unknown Source)
    ... 38 more

However this com.sun.deploy.* code doesn't seem to be part of OpenJDK or 
IcedTea, so it's not possible for the community to recompile it with symbols, 
debug it, and find the cause.

I did notice, in the code for sun.security.provider.certpath.OCSP.check which 
is available, I could see a way to get some logs from part of this code:

private static final Debug debug = Debug.getInstance("certpath");

But I haven't had a chance to try that at the customer who found the issue.

I suspect that the code reacts poorly if it sees unexpected characters in 
blocked OCSP sockets, but I can't tell without being able to read checkOCSP to 
see what it's really doing in there. Can anyone take a look?

Thanks,
Matthew.

More information about the security-dev mailing list