
What happens to Java Web Start application (signed without timestamp) when certificate expires?

We have a Java Web Start application signed with a certificate from a CA (Thawte). The application is distributed to hundreds of customers. They host it on their servers and run it over the internet or intranet on their client computers. Now it works perfectly. The problem is that the application is signed without a timestamp. What happens to customers when the certificate expires? Should they be able to start the app? If not, how can we help them? Does adding their server URL to the exception site list help them?

We tried to change the local time to simulate certificate expiration. Then the application is blocked for security reasons. Adding the URL to the exception site list doesn't help:

java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: Response is unreliable: its validity interval is out-of-date
at com.sun.deploy.security.RevocationChecker.checkOCSP(Unknown Source)
at com.sun.deploy.security.RevocationChecker.check(Unknown Source)
at com.sun.deploy.security.TrustDecider.checkRevocationStatus(Unknown Source)
at com.sun.deploy.security.TrustDecider.getValidationState(Unknown Source)
at com.sun.deploy.security.TrustDecider.validateChain(Unknown Source)
at com.sun.deploy.security.TrustDecider.isAllPermissionGrantedInt(Unknown Source)
at com.sun.deploy.security.TrustDecider.isAllPermissionGranted(Unknown Source)
at com.sun.javaws.security.AppPolicy.grantUnrestrictedAccess(Unknown Source)
at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResourcesHelper(Unknown Source)
at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResources(Unknown Source)
at com.sun.javaws.Launcher.prepareResources(Unknown Source)
at com.sun.javaws.Launcher.prepareAllResources(Unknown Source)
at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
at com.sun.javaws.Launcher.launch(Unknown Source)
at com.sun.javaws.Main.launchApp(Unknown Source)
at com.sun.javaws.Main.continueInSecureThread(Unknown Source)
at com.sun.javaws.Main.access$000(Unknown Source)
at com.sun.javaws.Main$1.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Suppressed: com.sun.deploy.security.RevocationChecker$StatusUnknownException
    at com.sun.deploy.security.RevocationChecker.checkCRLs(Unknown Source)
    ... 19 more
Caused by: java.security.cert.CertPathValidatorException: Response is unreliable: its validity interval is out-of-date
at sun.security.provider.certpath.OCSPResponse.verify(Unknown Source)
at sun.security.provider.certpath.OCSP.check(Unknown Source)
at sun.security.provider.certpath.OCSP.check(Unknown Source)
at sun.security.provider.certpath.OCSP.check(Unknown Source)
at com.sun.deploy.security.RevocationChecker$2.run(Unknown Source)
at com.sun.deploy.security.RevocationChecker$2.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at com.sun.deploy.security.RevocationChecker.doPrivilegedOCSPCheck(Unknown Source)
... 20 more

What can we do? Sure, we asked Thawte to renew our certificate and are going to ask our customers to upgrade to the re-signed application. But we cannot cover all of them. We need to have some quick advice for them when they ask us. The expiration time is coming, so any comments are welcome.

What happens?

WebStart's behavior highly depends on the JRE version it belongs to.

These are our test results with an application signed with a valid certificate from an official certificate authority but without timestamping, after the certificate expires. Tested on Windows 7 with x64 JREs by directly executing javaws.exe in different versions and changing the system clock for simulation:

  • <= 7u21: warning message (can be hidden with check box)
  • 7u25 - 7u40: WebStart is broken in different ways, changing behavior in every update release, do not use anyway
  • 7u45 to 7u51: application is blocked at security setting "very high", warning message at setting "high" (can be hidden with check box)
  • >= 7u55: application is blocked
  • >= 8u0: application is blocked

We noticed that WebStart tries to use the most up-to-date version currently installed on the system when starting from the browser. Changing the application for JNLP files in the browser is not sufficient (Firefox). There is a lookup strategy using the JREs and JDKs installed in the Program Files\Java folder. Calling javaws.exe from the command line or a Windows link really executes the version to test. You can see the version in the Java Console (successful start) or the Task Manager command line column (delegates to a jp2launcher.exe of another version).

Workaround

  • For us the exception site list does work (tested with j8u66). However, it seems to be tricky to enter the right URL. We think it has to be exactly the same URL as used in the JNLP file URL. When the JNLP URL is http://myhost:12345/my/app/test.jnlp the exception site http://myhost:12345/ does work. Using the IP address of myhost instead, or myhost.in-my-domain.com, will not match. See http://java.com/de/download/faq/exception_sitelist.xml .
  • Depending on your type of application, creating a Windows desktop link to a j7u21 ...\javaws.exe <jnlp-url> may be a way out.

Signing with time stamping and a warning

Oracle states that signing with time stamping from an official time stamping authority (TSA) will prevent signatures from expiring. This allows you to prevent the problem in future releases and to deliver update releases.

Please note this warning: WebStart is happy with the time stamped signatures even after expiration of the signing certificate. However, it will block the application and state "certificate has expired or is not yet valid" at the time your TSA's certificate expires. In our tests this is at 2020-03-16 using the TSA http://tsa.starfieldtech.com/ . You can see this expiration date following Timestamp: in the output of keytool -printcert -jarfile <your-signed.jar> .

Time stamping only gives you some more years on the clock of this time bomb. Depending on your type of application this may not be a problem, but for embedded applications in closed environments that have to run for the next 10 years this is a killer. (tested with j8u66)

Update from 2016-01-07: The final answer from Oracle Support concerning this issue is "There is no bug. The behaviour is expected and intentional. There will definitely be no change." This means there is and will be no way to sign an application without expiration.

I just want to add that the exception you see when changing the computer time has no correlation to the expiry of the certificate. OCSP is a protocol for calling a server to ask whether a certificate is revoked or not. There is a time in the OCSP response, and if your computer clock is more than 900 secs from the response time, then this exception happens. This exception will not happen if the clock is not manipulated.

This snippet is from the 1.8u221 JRE, sun.security.provider.certpath.OCSPResponse; singleResponse holds the response from the OCSP server.

    long l = (paramDate == null) ? System.currentTimeMillis() : paramDate.getTime();
    Date date1 = new Date(l + MAX_CLOCK_SKEW);   // MAX_CLOCK_SKEW is 900 seconds (15 minutes)
    Date date2 = new Date(l - MAX_CLOCK_SKEW);
    for (SingleResponse singleResponse : this.singleResponseMap.values()) {
      if (debug != null) {
        String str = "";
        if (singleResponse.nextUpdate != null) {
          str = " until " + singleResponse.nextUpdate;
        }
        debug.println("OCSP response validity interval is from " + singleResponse.thisUpdate + str);
        debug.println("Checking validity of OCSP response on: " + new Date(l));
      }
      // Reject the response when the client clock, even after allowing MAX_CLOCK_SKEW in either
      // direction, lies outside [thisUpdate, nextUpdate]. Without a nextUpdate, thisUpdate bounds both ends.
      if (date1.before(singleResponse.thisUpdate)
          || date2.after((singleResponse.nextUpdate != null) ? singleResponse.nextUpdate : singleResponse.thisUpdate)) {
        throw new CertPathValidatorException("Response is unreliable: its validity interval is out-of-date");
      }
    }
  } // end of OCSPResponse.verify(...)
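Worked example added here (not code from the question, the answers or the JRE): it re-implements the interval test quoted in the snippet above with the same 900 second skew, so the clock manipulations that trigger "Response is unreliable" can be reproduced against constructed thisUpdate/nextUpdate values without a live responder. The SingleResponse class and the checkValidity/report helpers are stand-ins, not JRE API.

```java
import java.util.Date;
import java.util.concurrent.TimeUnit;
/** Re-implements the validity-interval test from OCSPResponse.verify() so the
 *  effect of a manipulated client clock can be reproduced offline. */
public class OcspSkewDemo {
    // Same tolerance the JRE applies: 900 seconds of clock skew in either direction.
    static final long MAX_CLOCK_SKEW = TimeUnit.SECONDS.toMillis(900);

    // Constructed stand-in for the JRE's SingleResponse (only the two fields the check reads).
    static final class SingleResponse {
        final Date thisUpdate;
        final Date nextUpdate; // null when the responder sends no nextUpdate
        SingleResponse(Date thisUpdate, Date nextUpdate) {
            this.thisUpdate = thisUpdate;
            this.nextUpdate = nextUpdate;
        }
    }

    /** Returns null if the response is acceptable at clientNow, otherwise the rejection reason. */
    static String checkValidity(SingleResponse sr, Date clientNow) {
        long l = clientNow.getTime();
        Date date1 = new Date(l + MAX_CLOCK_SKEW); // client clock nudged forward by the skew
        Date date2 = new Date(l - MAX_CLOCK_SKEW); // client clock nudged back by the skew
        Date end = (sr.nextUpdate != null) ? sr.nextUpdate : sr.thisUpdate;
        if (date1.before(sr.thisUpdate)) {
            return "client clock is more than 900 s before thisUpdate " + sr.thisUpdate;
        }
        if (date2.after(end)) {
            return "client clock is more than 900 s after " + end;
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed responder times: thisUpdate at a fixed instant, nextUpdate 7 days later.
        Date thisUpdate = new Date(1_700_000_000_000L);
        Date nextUpdate = new Date(thisUpdate.getTime() + TimeUnit.DAYS.toMillis(7));
        SingleResponse withNext = new SingleResponse(thisUpdate, nextUpdate);
        SingleResponse noNext = new SingleResponse(thisUpdate, null);
        long t = thisUpdate.getTime();
        report("clock 10 min fast (within skew)", checkValidity(withNext, new Date(t + TimeUnit.MINUTES.toMillis(10))));
        report("clock 1 year ahead (expiry simulation)", checkValidity(withNext, new Date(t + TimeUnit.DAYS.toMillis(365))));
        report("clock 20 min slow", checkValidity(withNext, new Date(t - TimeUnit.MINUTES.toMillis(20))));
        report("no nextUpdate, clock 20 min fast", checkValidity(noNext, new Date(t + TimeUnit.MINUTES.toMillis(20))));
    }

    static void report(String scenario, String reason) {
        System.out.println(scenario + ": " + (reason == null ? "accepted" : "REJECTED (" + reason + ")"));
    }
}
```

The "1 year ahead" case is the question's expiry simulation: it fails on nextUpdate, not on the signing certificate, which is why the exception site list cannot rescue it.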
