We signed our Java Web Start app with a code signing certificate from CA (Thawte). The signature is timestamped (we pass the -tca https://timestamp.geotrust.com/tsa argument to the jarsigner tool) to be valid after the certificate expires. At present, when the certificate is valid, the app works perfect. But when we try to change the local time forward to simulate expiration of the certificate then the app won't start. We get following exception:
java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: Responder's certificate not within the validity period
at com.sun.deploy.security.RevocationChecker.checkOCSP(Unknown Source)
at com.sun.deploy.security.RevocationChecker.check(Unknown Source)
at com.sun.deploy.security.TrustDecider.checkRevocationStatus(Unknown Source)
at com.sun.deploy.security.TrustDecider.getValidationState(Unknown Source)
at com.sun.deploy.security.TrustDecider.validateChain(Unknown Source)
at com.sun.deploy.security.TrustDecider.isAllPermissionGrantedInt(Unknown Source)
at com.sun.deploy.security.TrustDecider.isAllPermissionGranted(Unknown Source)
at com.sun.javaws.security.AppPolicy.grantUnrestrictedAccess(Unknown Source)
at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResourcesHelper(Unknown Source)
at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResources(Unknown Source)
at com.sun.javaws.Launcher.prepareResources(Unknown Source)
at com.sun.javaws.Launcher.prepareAllResources(Unknown Source)
at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
at com.sun.javaws.Launcher.launch(Unknown Source)
at com.sun.javaws.Main.launchApp(Unknown Source)
at com.sun.javaws.Main.continueInSecureThread(Unknown Source)
at com.sun.javaws.Main.access$000(Unknown Source)
at com.sun.javaws.Main$1.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Caused by: java.security.cert.CertPathValidatorException: Responder's certificate not within the validity period
at sun.security.provider.certpath.OCSPResponse.verify(Unknown Source)
at sun.security.provider.certpath.OCSP.check(Unknown Source)
at sun.security.provider.certpath.OCSP.check(Unknown Source)
at sun.security.provider.certpath.OCSP.check(Unknown Source)
at com.sun.deploy.security.RevocationChecker$2.run(Unknown Source)
at com.sun.deploy.security.RevocationChecker$2.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at com.sun.deploy.security.RevocationChecker.doPrivilegedOCSPCheck(Unknown Source)
... 20 more
Caused by: java.security.cert.CertificateExpiredException: NotAfter: Thu Dec 17 00:59:59 CET 2015
at sun.security.x509.CertificateValidity.valid(Unknown Source)
at sun.security.x509.X509CertImpl.checkValidity(Unknown Source)
... 28 more
The certificate is valid from 09.10.2015 to 08.11.2017.
We tried to verify the signed JAR with jarsigner tool. All files seem to have a timestamp:
[entry was signed on 9.10.15 16:42]
X.509, CN="GEOVAP, spol. s.r.o.", OU=Software, O="GEOVAP, spol. s.r.o.", L=Pardubice, ST=Czech Republic, C=CZ
[certificate is valid from 9.10.15 2:00 to 8.11.17 0:59]
X.509, CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US
[certificate is valid from 10.12.13 1:00 to 10.12.23 0:59]
So the jarsigner output seems to be correct. Could somebody confirm that this really means that the signature has timestamp?
We noticed that if we change the local time only few (3) days forward then the app works. But if we change it more (week) then we get the exception. Does the CA server check if client local time is valid? If it does how we can simulate the certificate expiration? Thank you.
7204
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
