IOE causes failure in com.sun.deploy.security.RevocationChecker.checkOCSP from 7u25 and up

Sean Mullan sean.mullan at oracle.com
Mon Aug 5 20:12:01 UTC 2013


Hi,

I will need some more information in order to debug this, preferably the 
certificate chain - is that something you can email to me?

Otherwise, you can enable the certpath debugging you mention below in 
the Java Control Panel. Go to the Java tab, and add it to the Runtime 
Parameters of the JRE that you are using. Then email me the log file if 
possible.

-Djava.security.debug=certpath

Thanks,
Sean

On 08/05/2013 11:33 AM, Matthew Hall wrote:
> We have a customer that is seeing the following exception in JDK7u25 after
> revocation checking was enabled by default:
>
> java.security.cert.CertificateException:
> java.security.cert.CertPathValidatorException: java.io.IOException:
> DerInputStream.getLength(): lengthTag=127, too big.
>      at com.sun.deploy.security.RevocationChecker.checkOCSP(Unknown Source)
>      at com.sun.deploy.security.RevocationChecker.check(Unknown Source)
>      at com.sun.deploy.security.TrustDecider.checkRevocationStatus(Unknown Source)
>      at com.sun.deploy.security.TrustDecider.getValidationState(Unknown Source)
>      at com.sun.deploy.security.TrustDecider.validateChain(Unknown Source)
> Caused by: java.security.cert.CertPathValidatorException: java.io.IOException:
> DerInputStream.getLength(): lengthTag=127, too big.
>      at sun.security.provider.certpath.OCSP.check(Unknown Source)
>      at sun.security.provider.certpath.OCSP.check(Unknown Source)
>      at sun.security.provider.certpath.OCSP.check(Unknown Source)
>      ... 35 more
> Caused by: java.io.IOException: DerInputStream.getLength(): lengthTag=127, too big.
>      at sun.security.util.DerInputStream.getLength(Unknown Source)
>      at sun.security.util.DerValue.init(Unknown Source)
>      at sun.security.util.DerValue.<init>(Unknown Source)
>      at sun.security.provider.certpath.OCSPResponse.<init>(Unknown Source)
>      ... 38 more
>
> However this com.sun.deploy.* code doesn't seem to be part of OpenJDK or
> IcedTea, so it's not possible for the community to recompile it with symbols,
> debug it, and find the cause.
>
> I did notice, in the code for sun.security.provider.certpath.OCSP.check which
> is available, I could see a way to get some logs from part of this code:
>
> private static final Debug debug = Debug.getInstance("certpath");
>
> But I haven't had a chance to try that at the customer who found the issue.
>
> I suspect that the code reacts poorly if it sees unexpected characters in
> blocked OCSP sockets, but I can't tell without being able to read checkOCSP to
> see what it's really doing in there. Can anyone take a look?
>
> Thanks,
> Matthew.
>
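The "lengthTag=127, too big" text in the quoted trace comes from DER length decoding: the byte after a tag is either a short-form length (< 128) or a long-form marker whose low seven bits count the following length bytes, and the JDK rejects more than four such bytes. A length byte of 0xFF therefore produces lengthTag=127, which indicates that the bytes handed to OCSPResponse were not a DER-encoded OCSP response at all. The following class is an added example, not code from the JDK or from this thread; it re-implements that header rule on constructed samples so the first bytes of a captured reply can be mapped to the exception text.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.List;

/**
 * Added diagnostic example, not JDK code: re-implements the DER tag/length
 * header rule that sun.security.util.DerInputStream.getLength enforces, so the
 * first bytes of a captured OCSP reply can be mapped to the exception text.
 */
public class DerHeaderCheck {

    /** One decoded DER header (tag byte plus length). */
    public static final class Header {
        public final int tag;
        public final int length;     // -1 means indefinite form (BER only, invalid in DER)
        public final int headerSize; // bytes consumed by tag + length

        Header(int tag, int length, int headerSize) {
            this.tag = tag;
            this.length = length;
            this.headerSize = headerSize;
        }
    }

    public static Header readHeader(byte[] data) throws IOException {
        if (data.length < 2) {
            throw new IOException("fewer than two bytes: no DER header present");
        }
        int tag = data[0] & 0xFF;
        int first = data[1] & 0xFF;
        if ((first & 0x80) == 0) {
            return new Header(tag, first, 2);          // short form: length < 128
        }
        int lengthTag = first & 0x7F;                  // long form: count of length bytes
        if (lengthTag == 0) {
            return new Header(tag, -1, 2);             // 0x80: indefinite form
        }
        if (lengthTag > 4) {
            // Same condition and message shape as the JDK: a length byte of 0xFF
            // yields lengthTag=127, which is what the quoted stack trace shows.
            throw new IOException("DerInputStream.getLength(): lengthTag=" + lengthTag + ", too big.");
        }
        if (data.length < 2 + lengthTag) {
            throw new IOException("length field truncated");
        }
        long value = 0;
        for (int i = 0; i < lengthTag; i++) {
            value = (value << 8) | (data[2 + i] & 0xFF);
        }
        if (value > Integer.MAX_VALUE) {
            throw new IOException("length does not fit in an int");
        }
        return new Header(tag, (int) value, 2 + lengthTag);
    }

    public static void main(String[] args) {
        // Constructed samples (not real OCSP traffic).
        byte[] derPrefix = {0x30, (byte) 0x82, 0x01, (byte) 0xF4};       // SEQUENCE, long-form length 500
        byte[] badLength = {0x30, (byte) 0xFF, 0x00, 0x00};               // length byte 0xFF -> lengthTag=127
        byte[] htmlReply = "<html>".getBytes(StandardCharsets.US_ASCII); // e.g. a proxy error page

        List<byte[]> samples = Arrays.asList(derPrefix, badLength, htmlReply);
        for (byte[] sample : samples) {
            try {
                Header h = readHeader(sample);
                System.out.printf("tag=0x%02X length=%d headerSize=%d%n", h.tag, h.length, h.headerSize);
            } catch (IOException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

The first sample decodes as a SEQUENCE of length 500, the second is rejected with exactly the lengthTag=127 message from the trace, and the third shows that a textual reply is not always caught at the header: "<h" decodes as tag 0x3C with a short-form length of 104, so a parser only detects the problem later when the declared content cannot be read or the tag is not the expected SEQUENCE. When debugging a report like the one above, capturing the raw bytes returned by the OCSP responder URL (or by whatever proxy sits in front of it) and running them through a check of this kind tells you quickly whether the responder, an intercepting proxy, or a blocked connection is what produced the non-DER payload.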
