Sean,
Thanks for agreeing to assist us. I'm working with my team to acquire the
debug log, and some permission from our customer to provide the packet capture
we were given, as soon as possible.
One thing I didn't explain so well in my email... for us the problem happened
when a firewall blocked the OCSP traffic. I suspect this might have caused the
PEM / DER decoding logic to raise the IOE.
Matthew.
On Mon, Aug 05, 2013 at 01:12:01PM -0700, Sean Mullan wrote:
> Hi,
>
> I will need some more information in order to debug this, preferably
> the certificate chain - is that something you can email to me?
>
> Otherwise, you can enable the certpath debugging you mention below
> in the Java Control Panel. Go to the Java tab, and add it to the
> Runtime Parameters of the JRE that you are using. Then email me the
> log file if possible.
>
> -Djava.security.debug=certpath
>
> Thanks,
> Sean
>
> On 08/05/2013 11:33 AM, Matthew Hall wrote:
> >We have a customer that is seeing the following exception in JDK7u25 after
> >revocation checking was enabled by default:
> >
> >java.security.cert.CertificateException:
> >java.security.cert.CertPathValidatorException: java.io.IOException:
> >DerInputStream.getLength(): lengthTag=127, too big.
> > at com.sun.deploy.security.RevocationChecker.checkOCSP(Unknown Source)
> > at com.sun.deploy.security.RevocationChecker.check(Unknown Source)
> > at com.sun.deploy.security.TrustDecider.checkRevocationStatus(Unknown Source)
> > at com.sun.deploy.security.TrustDecider.getValidationState(Unknown Source)
> > at com.sun.deploy.security.TrustDecider.validateChain(Unknown Source)
> >Caused by: java.security.cert.CertPathValidatorException:
> >java.io.IOException:
> >DerInputStream.getLength(): lengthTag=127, too big.
> > at sun.security.provider.certpath.OCSP.check(Unknown Source)
> > at sun.security.provider.certpath.OCSP.check(Unknown Source)
> > at sun.security.provider.certpath.OCSP.check(Unknown Source)
> > ... 35 more
> >Caused by: java.io.IOException: DerInputStream.getLength(): lengthTag=127,
> >too big.
> > at sun.security.util.DerInputStream.getLength(Unknown Source)
> > at sun.security.util.DerValue.init(Unknown Source)
> > at sun.security.util.DerValue.<init>(Unknown Source)
> > at sun.security.provider.certpath.OCSPResponse.<init>(Unknown Source)
> > ... 38 more
> >
> >However this com.sun.deploy.* code doesn't seem to be part of OpenJDK or
> >IcedTea, so it's not possible for the community to recompile it with symbols,
> >debug it, and find the cause.
> >
> >I did notice, in the code for sun.security.provider.certpath.OCSP.check which
> >is available, I could see a way to get some logs from part of this code:
> >
> >private static final Debug debug = Debug.getInstance("certpath");
> >
> >But I haven't had a chance to try that at the customer who found the issue.
> >
> >I suspect that the code reacts poorly if it sees unexpected characters in
> >blocked OCSP sockets, but I can't tell without being able to read checkOCSP
> >to see what it's really doing in there. Can anyone take a look?
> >
> >Thanks,
> >Matthew.
> >
>
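The hypothesis in the thread (a blocked OCSP socket handing non-DER bytes to the decoder) can be illustrated with this added example, which is not code from the thread or from the JDK. It re-implements the DER length-octet rule as I read it in sun.security.util.DerInputStream.getLength() (an assumption about the JDK's logic) and checks, on constructed sample bodies, which inputs yield the exact "lengthTag=127, too big." message from the trace.

```python
# Added example, not code from the thread or from the JDK: a small Python
# re-implementation of the DER length rule that (assumption) the JDK's
# sun.security.util.DerInputStream.getLength() applies, used to show how a
# non-DER reply on the OCSP socket surfaces as "lengthTag=N, too big".

def der_length(buf: bytes, pos: int) -> tuple:
    """Decode DER length octets at buf[pos]; return (length, next_pos).

    Short form: one octet < 0x80. Long form: 0x80|n followed by n length
    octets; the JDK accepts at most 4 such octets and reports anything larger
    as "lengthTag=n, too big" (n being the low 7 bits of the first octet).
    """
    first = buf[pos]
    if first & 0x80 == 0:
        return first, pos + 1
    n = first & 0x7F
    if n == 0:
        raise IOError("indefinite length is not permitted in DER")
    if n > 4:
        raise IOError(f"DerInputStream.getLength(): lengthTag={n}, too big.")
    octets = buf[pos + 1:pos + 1 + n]
    if len(octets) < n:
        raise IOError("short read while decoding DER length")
    return int.from_bytes(octets, "big"), pos + 1 + n

def check_ocsp_body(body: bytes) -> tuple:
    """Sanity-check bytes read from an OCSP responder before DER parsing.

    Returns (ok, reason). An OCSPResponse is an ASN.1 SEQUENCE, so the first
    octet must be 0x30 and the declared length must fit the body exactly.
    Like DerValue.init in the trace, the length is read before the tag is
    checked, so a bad length octet is what gets reported first.
    """
    if len(body) < 2:
        return False, "body too short to be DER"
    try:
        length, start = der_length(body, 1)
    except IOError as e:
        return False, str(e)
    if body[0] != 0x30:
        return False, f"expected SEQUENCE tag 0x30, got 0x{body[0]:02x}"
    if start + length != len(body):
        return False, f"SEQUENCE length {length} does not match body size"
    return True, "looks like a DER OCSPResponse"

# Constructed sample bodies (not taken from the customer's capture):
OCSP_TRY_LATER = bytes.fromhex("30030a0103")   # SEQUENCE { responseStatus tryLater(3) }
HTML_BLOCK_PAGE = b"<html><body>Blocked by policy</body></html>"
GARBAGE_LENGTH = b"\x30\xff\x00\x00"           # length octet 0xff -> lengthTag=127
```

Running check_ocsp_body on the three constructed bodies shows that only a length octet of 0xff reproduces the trace's message, while an HTML block page is rejected on the tag instead.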