0

Recently we upgraded our client machines from Java 1.6 to Java 1.7 update 25, and now we are running into problems with IE and Firefox.

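The problem occurs every time we access an applet signed by VeriSign. An exception is displayed: Failed to validate certificate. The application will not be executed.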

java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: java.io.IOException: extra data given to DerValue constructor
    at com.sun.deploy.security.RevocationChecker.checkOCSP(Unknown Source)
    at com.sun.deploy.security.RevocationChecker.check(Unknown Source)
    at com.sun.deploy.security.TrustDecider.checkRevocationStatus(Unknown Source)
    at com.sun.deploy.security.TrustDecider.getValidationState(Unknown Source)
    at com.sun.deploy.security.TrustDecider.validateChain(Unknown Source)
    at com.sun.deploy.security.TrustDecider.isAllPermissionGranted(Unknown Source)
    at sun.plugin2.applet.Plugin2ClassLoader.isTrustedByTrustDecider(Unknown Source)
    at sun.plugin2.applet.Plugin2ClassLoader.getTrustedCodeSources(Unknown Source)
    at com.sun.deploy.security.CPCallbackHandler$ParentCallback.strategy(Unknown Source)
    at com.sun.deploy.security.CPCallbackHandler$ParentCallback.openClassPathElement(Unknown Source)
    at com.sun.deploy.security.DeployURLClassPath$JarLoader.getJarFile(Unknown Source)
    at com.sun.deploy.security.DeployURLClassPath$JarLoader.access$1000(Unknown Source)
    at com.sun.deploy.security.DeployURLClassPath$JarLoader$1.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.sun.deploy.security.DeployURLClassPath$JarLoader.ensureOpen(Unknown Source)
    at com.sun.deploy.security.DeployURLClassPath$JarLoader.<init>(Unknown Source)
    at com.sun.deploy.security.DeployURLClassPath$3.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.sun.deploy.security.DeployURLClassPath.getLoader(Unknown Source)
    at com.sun.deploy.security.DeployURLClassPath.getLoader(Unknown Source)
    at com.sun.deploy.security.DeployURLClassPath.getResource(Unknown Source)
    at sun.plugin2.applet.Plugin2ClassLoader$2.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.plugin2.applet.Plugin2ClassLoader.findClassHelper(Unknown Source)
    at sun.plugin2.applet.Applet2ClassLoader.findClass(Unknown Source)
    at sun.plugin2.applet.Plugin2ClassLoader.loadClass0(Unknown Source)
    at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
    at sun.plugin2.applet.Plugin2ClassLoader.loadClass0(Unknown Source)
    at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
    at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
    at java.lang.ClassLoader.loadClass(Unknown Source)
    at sun.plugin2.applet.Plugin2ClassLoader.loadCode(Unknown Source)
    at sun.plugin2.applet.Plugin2Manager.initAppletAdapter(Unknown Source)
    at sun.plugin2.applet.Plugin2Manager$AppletExecutionRunnable.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
    Suppressed: com.sun.deploy.security.RevocationChecker$StatusUnknownException
        at com.sun.deploy.security.RevocationChecker.checkCRLs(Unknown Source)
        ... 34 more
Caused by: java.security.cert.CertPathValidatorException: java.io.IOException: extra data given to DerValue constructor
    at sun.security.provider.certpath.OCSP.check(Unknown Source)
    at sun.security.provider.certpath.OCSP.check(Unknown Source)
    at sun.security.provider.certpath.OCSP.check(Unknown Source)
    ... 35 more
Caused by: java.io.IOException: extra data given to DerValue constructor
    at sun.security.util.DerValue.init(Unknown Source)
    at sun.security.util.DerValue.<init>(Unknown Source)
    at sun.security.provider.certpath.OCSPResponse.<init>(Unknown Source)
    ... 38 more

The applet debug output also shows this:

Java Plug-in 10.25.2.17
Using JRE version 1.7.0_25-b17 Java HotSpot(TM) Client VM
User home directory = C:\Users\xxxx
----------------------------------------------------
c:   clear console window
f:   finalize objects on finalization queue
g:   garbage collect
h:   display this help message
l:   dump classloader list
m:   print memory usage
o:   trigger logging
q:   hide console
r:   reload policy configuration
s:   dump system and deployment properties
t:   dump thread list
v:   dump thread stack
x:   clear classloader cache
0-5: set trace level to <n>
----------------------------------------------------
CacheEntry[https://xxx:8181/xxx/lib/plugin-loader.jar]: updateAvailable=true,lastModified=Thu Jul 04 09:32:27 SGT 2013,length=1549
CacheEntry[https://xxx:8181/xxx/lib/xxx-applet.jar]: updateAvailable=true,lastModified=Thu Jul 04 09:32:27 SGT 2013,length=879421
Missing Permissions manifest attribute for: https://xxx:8181/xxx/lib/xxx-applet.jar
Missing Codebase manifest attribute for: https://xxx:8181/xxx/lib/xxx-applet.jar
CacheEntry[http://crl.thawte.com/ThawtePremiumServerCA.crl]: updateAvailable=false,lastModified=Thu Jan 01 07:30:00 SGT 1970,length=2520
CacheEntry[http://crl.thawte.com/ThawteCodeSigningCA.crl]: updateAvailable=false,lastModified=Thu Jan 01 07:30:00 SGT 1970,length=2516

As stated in Oracle's update, we added the attribute Trusted-Library: true to the manifest file, but the same error occurred.

Trusted-Library: true

We also tried changing the server-side runtime from 1.6 to 1.7, but it did not help. The server is GlassFish.

4

2 Answers

1

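Most likely your/vendor/company firewall prohibits access to ocsp.verisign.com, crl.verisign.com, ... or similar; the access to them should be visible in the Java console. At worst, the firewall gives Java (or any client going beyond the allowed URLs) a custom response that is unexpected for the OCSP protocol, which confuses Java.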

Answered 2013-07-19T09:51:33.883
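
As an added example (not part of the original answer), the case described above, where something other than a clean OCSP reply comes back from the responder URL, can be checked on a captured response body. The function names and sample bytes are constructed for illustration; the check compares the DER length declared in the first bytes with the bytes actually received, the kind of mismatch the "extra data given to DerValue constructor" message refers to.

```python
# Added example (not from the original post): classify bytes fetched from an
# OCSP responder URL. All sample inputs below are constructed.
OCSP_STATUS = {0: "successful", 1: "malformedRequest", 2: "internalError",
               3: "tryLater", 5: "sigRequired", 6: "unauthorized"}

def der_header(data):
    """Return (tag, header_len, content_len) of the first DER TLV."""
    if len(data) < 2:
        raise ValueError("fewer than 2 bytes")
    tag, first = data[0], data[1]
    if first < 0x80:                       # short form: length in one byte
        return tag, 2, first
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        raise ValueError("unsupported or truncated length field")
    return tag, 2 + n, int.from_bytes(data[2:2 + n], "big")

def triage_ocsp_body(body):
    """Return a short verdict string for a captured responder reply."""
    if body.lstrip()[:1] == b"<":
        return "not-ocsp: markup (block page from a proxy or firewall?)"
    try:
        tag, hdr, length = der_header(body)
    except ValueError as exc:
        return f"not-der: {exc}"
    if tag != 0x30:
        return f"not-ocsp: outer tag 0x{tag:02x}, expected SEQUENCE (0x30)"
    total = hdr + length
    if len(body) < total:
        return f"truncated: {total - len(body)} bytes missing"
    if len(body) > total:
        return f"trailing-data: {len(body) - total} bytes after the SEQUENCE"
    inner = body[hdr:total]
    if len(inner) < 3 or inner[:2] != b"\x0a\x01":   # ENUMERATED, length 1
        return "not-ocsp: no OCSPResponseStatus"
    return "ocsp: " + OCSP_STATUS.get(inner[2], f"unknown status {inner[2]}")

# Constructed samples: minimal OCSPResponse { responseStatus tryLater(3) }
MINIMAL = bytes.fromhex("30030a0103")
SAMPLES = {
    "clean": MINIMAL,
    "appended CRLF": MINIMAL + b"\r\n",
    "block page": b"<html><body>Access denied by policy</body></html>",
    "cut short": MINIMAL[:4],
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:14} -> {triage_ocsp_body(body)}")
```

A "not-ocsp" or "trailing-data" verdict on a body captured from the client network, next to a clean verdict for the same request made from outside it, points at an intermediary rewriting the reply rather than at the signing certificate.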
0

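Oracle introduced security updates in its Java 7 update 21 release. It deprecated unsigned code and introduced new prompts for self-signed code. You need to sign your code with a CA certificate. Please see the release notes for Java 7 update 21 and update 25.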

Answered 2013-07-12T18:01:04.190