IOE causes failure in com.sun.deploy.security.RevocationChecker.checkOCSP from 7u25 and up

Matthew Hall mhall at mhcomputing.net
Mon Aug 5 20:34:28 UTC 2013


Sean,

Thanks for agreeing to assist us. I'm working with my team to acquire the 
debug log, and some permission from our customer to provide the packet capture 
we were given, as soon as possible.

One thing I didn't explain so well in my email... for us the problem happened 
when a firewall blocked the OCSP traffic. I suspect this might have caused the 
PEM / DER decoding logic to raise the IOE.

Matthew.

On Mon, Aug 05, 2013 at 01:12:01PM -0700, Sean Mullan wrote:
> Hi,
> 
> I will need some more information in order to debug this, preferably
> the certificate chain - is that something you can email to me?
> 
> Otherwise, you can enable the certpath debugging you mention below
> in the Java Control Panel. Go to the Java tab, and add it to the
> Runtime Parameters of the JRE that you are using. Then email me the
> log file if possible.
> 
> -Djava.security.debug=certpath
> 
> Thanks,
> Sean
> 
> On 08/05/2013 11:33 AM, Matthew Hall wrote:
> >We have a customer that is seeing the following exception in JDK7u25 after
> >revocation checking was enabled by default:
> >
> >java.security.cert.CertificateException:
> >java.security.cert.CertPathValidatorException: java.io.IOException:
> >DerInputStream.getLength(): lengthTag=127, too big.
> >     at com.sun.deploy.security.RevocationChecker.checkOCSP(Unknown Source)
> >     at com.sun.deploy.security.RevocationChecker.check(Unknown Source)
> >     at com.sun.deploy.security.TrustDecider.checkRevocationStatus(Unknown Source)
> >     at com.sun.deploy.security.TrustDecider.getValidationState(Unknown Source)
> >     at com.sun.deploy.security.TrustDecider.validateChain(Unknown Source)
> >Caused by: java.security.cert.CertPathValidatorException: java.io.IOException:
> >DerInputStream.getLength(): lengthTag=127, too big.
> >     at sun.security.provider.certpath.OCSP.check(Unknown Source)
> >     at sun.security.provider.certpath.OCSP.check(Unknown Source)
> >     at sun.security.provider.certpath.OCSP.check(Unknown Source)
> >     ... 35 more
> >Caused by: java.io.IOException: DerInputStream.getLength(): lengthTag=127, too big.
> >     at sun.security.util.DerInputStream.getLength(Unknown Source)
> >     at sun.security.util.DerValue.init(Unknown Source)
> >     at sun.security.util.DerValue.<init>(Unknown Source)
> >     at sun.security.provider.certpath.OCSPResponse.<init>(Unknown Source)
> >     ... 38 more
> >
> >However this com.sun.deploy.* code doesn't seem to be part of OpenJDK or
> >IcedTea, so it's not possible for the community to recompile it with symbols,
> >debug it, and find the cause.
> >
> >I did notice, in the code for sun.security.provider.certpath.OCSP.check which
> >is available, I could see a way to get some logs from part of this code:
> >
> >private static final Debug debug = Debug.getInstance("certpath");
> >
> >But I haven't had a chance to try that at the customer who found the issue.
> >
> >I suspect that the code reacts poorly if it sees unexpected characters in
> >blocked OCSP sockets, but I can't tell without being able to read checkOCSP to
> >see what it's really doing in there. Can anyone take a look?
> >
> >Thanks,
> >Matthew.
> >
> 
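The error in the trace above is thrown by the DER length decoder: a length byte of 0xFF means "long form, 127 length bytes follow", which the JDK refuses. The following Python is an added illustration, not code from this thread or from the JDK. It mirrors the JDK's length check (my reading of sun.security.util.DerInputStream is that it rejects long-form lengths with more than 4 length bytes; treat that as an assumption) and adds the sanity check a client would want before handing a fetched OCSP body to a DER parser at all, which catches the blocked-by-firewall case (empty body, HTML block page, or garbage) with a readable message instead of an opaque IOException. All byte strings are constructed for the example, not captured from the customer's network.

```python
"""
Added example: reproduce the DER length failure behind
"DerInputStream.getLength(): lengthTag=127, too big." and show a
pre-parse check for OCSP responder replies.

Assumptions (not from the thread): the JDK rejects long-form lengths
with more than 4 length bytes; every sample input below is constructed.
"""


def der_length(buf: bytes, pos: int):
    """Decode a DER length at buf[pos]; return (length, position after it).

    Raises ValueError in the situations where the JDK raises IOException.
    """
    if pos >= len(buf):
        raise ValueError("short read: no length byte")
    first = buf[pos]
    pos += 1
    if first & 0x80 == 0:            # short form: the byte is the length (< 128)
        return first, pos
    n = first & 0x7F                 # long form: n following bytes hold the length
    if n == 0:
        raise ValueError("indefinite length is not DER")
    if n > 4:                        # 0xFF gives n == 127, the value in the trace
        raise ValueError(f"lengthTag={n}, too big.")
    if pos + n > len(buf):
        raise ValueError("short read: length bytes truncated")
    return int.from_bytes(buf[pos:pos + n], "big"), pos + n


def classify_ocsp_body(content_type: str, body: bytes) -> str:
    """Say what an OCSP responder actually returned before DER-decoding it.

    OCSPResponse is a SEQUENCE (tag 0x30) delivered with the media type
    application/ocsp-response (RFC 6960); anything else is not worth
    feeding to a DER parser and usually means something intercepted the
    request.
    """
    if not body:
        return "empty body (connection reset or closed by a firewall?)"
    media = content_type.split(";")[0].strip().lower()
    if media != "application/ocsp-response":
        return f"unexpected content type {content_type!r}"
    if body[0] != 0x30:
        return f"not a SEQUENCE: first byte 0x{body[0]:02x}"
    try:
        length, hdr = der_length(body, 1)
    except ValueError as exc:
        return f"bad DER length: {exc}"
    if hdr + length != len(body):
        return f"declared length {length} does not match body size {len(body) - hdr}"
    return "plausible OCSPResponse"


# Constructed samples: a genuine minimal OCSPResponse with responseStatus
# tryLater(3), an HTML block page from a proxy, and a body whose second
# byte is 0xFF, which is the shape that yields lengthTag=127.
SAMPLES = [
    ("application/ocsp-response", bytes.fromhex("30030a0103")),
    ("text/html; charset=utf-8", b"<html><body>Request blocked</body></html>"),
    ("application/ocsp-response", b"\x30\xff\xff\xff"),
    ("application/ocsp-response", b""),
]

if __name__ == "__main__":
    for ctype, body in SAMPLES:
        print(f"{ctype:32} -> {classify_ocsp_body(ctype, body)}")
```

The practical takeaway matches Matthew's suspicion: when OCSP is blocked, the client often does not get a clean socket error but a substitute payload, and a parser that reads it as DER reports a nonsense length rather than the real cause. Checking the media type and leading tag first turns that into a diagnosable message.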
