如何检查证书过期后Java Web Start应用程序是否将继续运行 [英] How to check if Java Web Start app will continue working after certificate expires
问题描述
我们用来自CA(Thawte)的代码签名证书签署了Java Web Start应用程序.签名带有时间戳(我们将-tca https://timestamp.geotrust.com/tsa 参数传递给证书过期后有效).目前,当证书有效时,该应用程序可以完美运行.但是,当我们尝试更改本地时间以模拟证书的过期时间时,该应用将无法启动.我们收到以下异常:
We signed our Java Web Start app with a code signing certificate from CA (Thawte). The signature is timestamped (we pass the -tca https://timestamp.geotrust.com/tsa argument to the jarsigner tool) to be valid after the certificate expires. At present, when the certificate is valid, the app works perfect. But when we try to change the local time forward to simulate expiration of the certificate then the app won't start. We get following exception:
java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: Responder's certificate not within the validity period
at com.sun.deploy.security.RevocationChecker.checkOCSP(Unknown Source)
at com.sun.deploy.security.RevocationChecker.check(Unknown Source)
at com.sun.deploy.security.TrustDecider.checkRevocationStatus(Unknown Source)
at com.sun.deploy.security.TrustDecider.getValidationState(Unknown Source)
at com.sun.deploy.security.TrustDecider.validateChain(Unknown Source)
at com.sun.deploy.security.TrustDecider.isAllPermissionGrantedInt(Unknown Source)
at com.sun.deploy.security.TrustDecider.isAllPermissionGranted(Unknown Source)
at com.sun.javaws.security.AppPolicy.grantUnrestrictedAccess(Unknown Source)
at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResourcesHelper(Unknown Source)
at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResources(Unknown Source)
at com.sun.javaws.Launcher.prepareResources(Unknown Source)
at com.sun.javaws.Launcher.prepareAllResources(Unknown Source)
at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
at com.sun.javaws.Launcher.launch(Unknown Source)
at com.sun.javaws.Main.launchApp(Unknown Source)
at com.sun.javaws.Main.continueInSecureThread(Unknown Source)
at com.sun.javaws.Main.access$000(Unknown Source)
at com.sun.javaws.Main$1.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Caused by: java.security.cert.CertPathValidatorException: Responder's certificate not within the validity period
at sun.security.provider.certpath.OCSPResponse.verify(Unknown Source)
at sun.security.provider.certpath.OCSP.check(Unknown Source)
at sun.security.provider.certpath.OCSP.check(Unknown Source)
at sun.security.provider.certpath.OCSP.check(Unknown Source)
at com.sun.deploy.security.RevocationChecker$2.run(Unknown Source)
at com.sun.deploy.security.RevocationChecker$2.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at com.sun.deploy.security.RevocationChecker.doPrivilegedOCSPCheck(Unknown Source)
... 20 more
Caused by: java.security.cert.CertificateExpiredException: NotAfter: Thu Dec 17 00:59:59 CET 2015
at sun.security.x509.CertificateValidity.valid(Unknown Source)
at sun.security.x509.X509CertImpl.checkValidity(Unknown Source)
... 28 more
该证书的有效日期为2015年9月10日至2017年11月8日.
The certificate is valid from 09.10.2015 to 08.11.2017.
我们尝试使用jarsigner工具验证已签名的JAR.所有文件似乎都带有时间戳:
We tried to verify the signed JAR with jarsigner tool. All files seem to have a timestamp:
[entry was signed on 9.10.15 16:42]
X.509, CN="GEOVAP, spol. s.r.o.", OU=Software, O="GEOVAP, spol. s.r.o.", L=Pardubice, ST=Czech Republic, C=CZ
[certificate is valid from 9.10.15 2:00 to 8.11.17 0:59]
X.509, CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US
[certificate is valid from 10.12.13 1:00 to 10.12.23 0:59]
因此jarsigner输出似乎正确.有人可以确认这真的意味着签名具有时间戳吗?
So the jarsigner output seems to be correct. Could somebody confirm that this really means that the signature has timestamp?
我们注意到,如果仅将本地时间更改几天(3)天,则该应用程序将运行.但是,如果我们更改更多(一周),则会得到例外. CA服务器是否检查客户端本地时间是否有效?如果可以,我们如何模拟证书的到期时间?谢谢.
We noticed that if we change the local time only few (3) days forward then the app works. But if we change it more (week) then we get the exception. Does the CA server check if client local time is valid? If it does how we can simulate the certificate expiration? Thank you.
推荐答案
原因和解决方法
您的异常堆栈跟踪显示使用OCSP(在线证书状态协议)的证书吊销检查失败是因为OCSP响应者的证书在您的测试日期到期(不是因为您的证书).
Your exception stacktrace shows that the certificate revocation check using OCSP (Online Certificate Status Protocol) has failed because of the expiration of the OCSP responder's certificate at your test date (not because of your certificate).
要执行测试,请尝试在Java控制面板中关闭证书吊销检查.
To perform the test try to switch certificate revocation checks off in the Java Control Panel.
还请确保您的证书尚未被永久接受(使用Java控制面板中的还原安全提示").
Also be sure that your certificate has not already been permanently accepted (use "Restore security prompts" in the Java Control Panel).
有关时间戳签名的说明
当前(从j8u66到j8u144之前),带时间戳的签名无法持久地防止签名过期. Web Start不会抱怨证书已过期.但是,它将阻止您的应用程序,并在您的TSA证书过期时显示证书已过期或尚未生效".即使在keytool -printcert输出的Timestamp:部分中可见的TSA证书的失效日期之后,您也可以使用一个日期进行测试.
Currently (before j8u66 up to j8u144) time stamped signing does not durably prevent signatures from expiring. Web Start will not complain about the expiration of your certificate. However, it will block your application and state "certificate has expired or is not yet valid" at the time your TSA's certificate expires. You might test this using a date even after the expiration date of the TSA's certificate visible in the Timestamp: part of the keytool -printcert output.
根据您的应用程序类型,这可能是一个严重的问题.目前,时间戳只给您更多时间,直到应用程序启动被阻止为止.我们在嵌入式环境中面临此问题,并已针对此问题提出了Oracle支持请求.
Depending on your type of application this may be a severe problem. Time stamping currently only gives you some more time until the application start will be blocked. We are facing this problem in an embedded environment and have opened an Oracle support request on this issue.
2016年1月7日更新:Oracle支持的最终答案是没有错误.行为是预期的和有意的.绝对没有任何变化.".这意味着存在并且将没有办法在没有到期的情况下对应用程序进行签名.
Update from 2016-01-07: The final answer from Oracle Support is "There is no bug. The behaviour is expected and intentional. There will definitely be no change.". This means there is and will be no way to sign an application without expiration.
2017年11月6日更新:尽管从Web Start j8u151(经j8u144和j8u151测试,未测试j9)开始,即使在TSA的证书到期日期之后,Oracle从2016年开始的声明仍然有效.如果这是出于故意或错误,则值得怀疑.
Update from 2017-11-06: Despite Oracle's statement from 2016 signatures remain valid even after the TSA's certificate expiration date with Web Start j8u151 (tested with j8u144 and j8u151, j9 not tested). Dubious if this is by intention or by mistake.
这篇关于如何检查证书过期后Java Web Start应用程序是否将继续运行的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
