I tested the JogAmp RC10 Applets on a Windows 7 machine with the latest Java 7 update 7 installed and was greeted by this InvalidKeyException on launch. The sun.plugin2 applet simply refuses to load any of the JogAmp test applets and claims that it is unable to validate the certificate.
|
Administrator
|
Hi
The solution is here and works for all OS despite the title: http://www.java.net/forum/topic/jdk/java-se-snapshots-project-feedback/os-x-jdk-7u6-will-not-run-signed-jnlp-apps
Julien Gouesse | Personal blog | Website
|
Thank you gouessej!
Enabling online verification of certificates in the java control panel did fix this issue.
Spot on!
Cheers
Xerxes
|
Administrator
|
On 09/11/2012 12:35 PM, Xerxes Rånby [via jogamp] wrote:
> Thank you gouessej!
>
> Enabling online verification of certificates in the java control panel did
> fix this issue.
> Spot on!

wow :)

now waiting for the day when Oracle buries Java online 'features' altogether :)

~Sven
|
Administrator
|
In reply to this post by Xerxes Rånby
On 09/11/2012 02:47 PM, Sven Gothel wrote:
> On 09/11/2012 12:35 PM, Xerxes Rånby [via jogamp] wrote:
>> Thank you gouessej!
>>
>> Enabling online verification of certificates in the java control panel did
>> fix this issue.
>> Spot on!
>
> wow :)
>
> now waiting for the day when Oracle buries Java online 'features' altogether :)
>
> ~Sven
>

The impact is that the general user is not only bothered with a 'click to play' button by the browser, but also that Oracle's 'official' JVM doesn't do any Applet w/ other 3rd party signed stuff per default.

None of the vulnerabilities are actually about code signing itself.

~Sven
|
Administrator
|
What do you mean exactly? Will end users be forever forced to enable online certificate validation manually? I thought that it was just a temporary problem that would be fixed later...
Julien Gouesse | Personal blog | Website
|
Administrator
|
This post was updated on .
In reply to this post by Xerxes Rånby
I have just written a bug report about this problem:
http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=7197652
Julien Gouesse | Personal blog | Website
|
Administrator
|
In reply to this post by Sven Gothel
It doesn't concern all signed applications / applets, does it? I can still run TUER with Java 1.7 update 7 under CentOS Linux.
Julien Gouesse | Personal blog | Website
|
Administrator
|
In reply to this post by gouessej
On 09/11/2012 03:54 PM, gouessej [via jogamp] wrote:
> Sven Gothel wrote
> On 09/11/2012 02:47 PM, Sven Gothel wrote:
> > On 09/11/2012 12:35 PM, Xerxes Rånby [via jogamp] wrote:
> >> Thank you gouessej!
> >>
> >> Enabling online verification of certificates in the java control panel did
> >> fix this issue.
> >> Spot on!
> >
> > wow :)
> >
> > now waiting for the day when Oracle buries Java online 'features' altogether :)
> >
> > ~Sven
> >
>
> Just realized that this must be the new 'click to crash' feature :)
>
> The impact is that the general user is not only bothered with a 'click to
> play' button by the browser, but also that Oracle's 'official' JVM doesn't do
> any Applet w/ other 3rd party signed stuff per default.
>
> None of the vulnerabilities are actually about code signing itself.
>
> ~Sven
>
> What do you mean exactly? Will end users be forever forced to enable online
> certificate validation manually? I thought that it was just a temporary
> problem that would be fixed later...

response to a phenomenon reported here.

Iff this is the new way of doing things in Oracle's JRE, then it would be a lockout of 3rd party tools under certain deployment situations (read: JNLP here .. as reported).

But again .. I don't know.

~Sven
|
Administrator
|
It does not concern self-made certificates but this change is going to hurt Java deployment. The warning is scarier in the latest version of Java (1.7 update 7), the end user has to tick a check box and to click "Run" to launch my game.
My bug report is still not visible :(
Julien Gouesse | Personal blog | Website
|
Administrator
|
In reply to this post by Sven Gothel
My bug report is visible. You can vote for it.
Julien Gouesse | Personal blog | Website
|
Thank you gouessej for adding the bug report, your bug is being processed.
The first OpenJDK code review is now online on the security-dev mailing list to address a flaw in the OCSP certificate verification:
http://mail.openjdk.java.net/pipermail/security-dev/2012-October/005646.html - Code review request: 7197652: Impossible to run any signed JNLP applications or applets, OCSP off by default
I guess Oracle will re-enable the OCSP, online certificate validation feature, again when the code is fixed.
|
Administrator
|
Thank you for pointing that out, I should look at this code to check whether it really fixes our bug.
Julien Gouesse | Personal blog | Website
|
Administrator
|
This post was updated on .
In reply to this post by Xerxes Rånby
I need some help. I would like to check whether this bug only affects trusted certificates. Please can someone try to run my game under Windows 7 and under Mac OS X 10.8.2 with (at least) Oracle Java 1.7 update 7?
http://tuer.sourceforge.net/very_experimental/tuer.jnlp
Julien Gouesse | Personal blog | Website
|
Administrator
|
On 10/29/2012 04:29 PM, gouessej [via jogamp] wrote:
> I need some help. I would like to check whether this bug only affects trusted
> certificates. Please can someone try to run my game under Windows 7 and under
> Mac OS X 10.8.2 with (at least) Oracle Java 1.6 update 7?
> http://tuer.sourceforge.net/very_experimental/tuer.jnlp

I will check your game later tonight or tomorrow w/ our test platforms. So .. no OSX 10.8.2 check.

Note: Java6 is 6u37 or something, maybe you meant 7u7 ?

~Sven
|
Administrator
|
You're right, I meant Oracle Java 1.7 update 7. I'm a bit tired. Thank you for the help.
Julien Gouesse | Personal blog | Website
|
I had this problem with my own project and I fixed it by simply re-signing all my jar files.
gouessej, if you re-sign every jar file that http://jogamp.org/deployment/archive/rc/v2.0-rc11/jogl-all-awt.jnlp points to it should work. It'll be great if you could do that because I want to point to your jnlp instead of downloading it and all its resources and signing them myself.
Saeid Nourian, Ph.D. Eng. | Graphing Calculator 3D
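The re-signing mentioned in the post above is commonly preceded by removing the previous signer's files from each JAR, so the result carries only the new signature. An added example, not part of the original thread and not JogAmp's tooling: it lists the signer names found under `META-INF/` and writes an unsigned copy that can then be handed to `jarsigner`; the sample JAR and its `OLDKEY` alias are constructed.

```python
import io
import re
import zipfile

# Entries written by jarsigner: <ALIAS>.SF plus a <ALIAS>.RSA/.DSA/.EC block.
_SIG = re.compile(r"^META-INF/([^/]+)\.(SF|RSA|DSA|EC)$", re.IGNORECASE)


def signer_aliases(jar_bytes):
    """Return the signer base names found in a JAR (empty list = unsigned)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return sorted({m.group(1).upper() for n in jar.namelist()
                       if (m := _SIG.match(n))})


def strip_signatures(jar_bytes):
    """Return a copy of the JAR without signature files, ready for re-signing."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, \
            zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if _SIG.match(info.filename):
                continue  # drop the old signer's .SF file and signature block
            # Entry content is copied unchanged, so existing manifest
            # digests still match the files they describe.
            dst.writestr(info, src.read(info.filename),
                         compress_type=info.compress_type)
    return out.getvalue()


def sample_jar():
    """Constructed sample: a tiny JAR carrying a fake 'OLDKEY' signature."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n\r\n")
        jar.writestr("META-INF/OLDKEY.SF", "Signature-Version: 1.0\r\n\r\n")
        jar.writestr("META-INF/OLDKEY.RSA", b"\x30\x00")  # placeholder bytes
        jar.writestr("demo/Main.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    jar = sample_jar()
    print("before:", signer_aliases(jar))
    print("after: ", signer_aliases(strip_signatures(jar)))
```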
|
Administrator
|
This is already what I do and it seems to fix the problem under Windows but not under Mac OS X 10.8.2.
Julien Gouesse | Personal blog | Website
|
This post was updated on .
You sure you have already done that?
Because even under Windows I cannot run any of your demos here: http://jogamp.org/jogl-demos/www/
I'm using java version: 1.7.0_09-b05 Java HotSpot(TM) 64-Bit
Saeid Nourian, Ph.D. Eng. | Graphing Calculator 3D
|
Administrator
|
Actually, I have used a self-signed certificate for all JARs (both mine and those of JogAmp) since my switch to JOGL 2.0. I pointed to the official JOGL extension only when Oracle was still in this project several years ago.
Julien Gouesse | Personal blog | Website
|