Java signed applet certificate revoked only on mac OSX10.7 (Lion)
I have a signed applet that works fine on Windows, Mac <= 10.6, and Linux. However, on OSX Lion, the signing certificate is revoked.
Here is the security debug info from the Java console:
security: Loading certificates from Deployment session certificate store
security: Loaded certificates from Deployment session certificate store
security: Loading Root CA certificates from from keychain
security: Loaded Root CA certificates from from keychain
security: Validate the certificate chain using CertPath API
security: Obtain certificate collection in Root CA certificate store
security: Obtain certificate collection in Root CA certificate store
security: Obtain certificate collection in Root CA certificate store
security: jpicertstore.cert.getkeystore
security: No timestamping info available
security: Cannot find jurisdiction list file
security: The CRL support is enabled
security: PC Operating Center
security: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://crl.thawte.com/ThawteCodeSigningCA.crl]
]]
security: Thawte Code Signing CA
security: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://crl.thawte.com/ThawtePremiumServerCA.crl]
]]
security: Use CRL setting from certificate
security: The OCSP support is enabled
security: PC Operating Center
security: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[
accessMethod: 1.3.6.1.5.5.7.48.1
accessLocation: URIName: http://ocsp.thawte.com]
]
security: This certificate does not have AIA extension
security: Use OCSP setting from certificate
network: Cache entry not found [url: http://crl.thawte.com/ThawtePremiumServerCA.crl, version: null]
network: Connecting http://crl.thawte.com/ThawtePremiumServerCA.crl with proxy=DIRECT
network: Connecting http://crl.thawte.com:80/ with proxy=DIRECT
network: Downloading resource: http://crl.thawte.com/ThawtePremiumServerCA.crl
Content-Length: 181,278
Content-Encoding: null
network: Wrote URL http://crl.thawte.com/ThawtePremiumServerCA.crl to File /Users/koutbo6/Library/Caches/Java/cache/6.0/38/2fb889a6-30a08967-temp
network: Connecting http://ocsp.thawte.com/ with proxy=DIRECT
network: Connecting http://ocsp.thawte.com:80/ with proxy=DIRECT
network: CleanupThread used 990300 us
network: Connecting http://ocsp.thawte.com/ with proxy=DIRECT
network: Connecting http://ocsp.thawte.com:80/ with proxy=DIRECT
security: This certificate has been revoked
Ignored exception: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Certificate has been revoked
Would appreciate any tips on how to get the signed applet to work on Lion.
UPDATE:
Here is the serial number for the cert: 28 A9 29 38 64 0D FC 5D 7D 1D 05 CE 7F 1D 81 E0
I noticed the following: on Snow Leopard, if I go to the advanced settings of Java Preferences and enable "Check certificates for revocation using CRL", I get the same issue as in Lion.
I checked the Lion Java preferences and the option was disabled, yet the certificate is still revoked.
On Snow Leopard, I disabled the option again and everything works fine.
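An added example (not part of the original post and not Java's own tooling): a small Python parser for the console trace above that lists the CRL and OCSP endpoints the certificates advertise, which CRLs were actually downloaded, and the last host contacted before the revoked verdict. The function name `summarize` and the trimmed `TRACE` sample are assumptions of this example; the sample lines are copied from the question's trace.

```python
import re
from urllib.parse import urlsplit

# Lines copied from the trace in the question, trimmed to the revocation-related ones.
TRACE = """\
security: The CRL support is enabled
[URIName: http://crl.thawte.com/ThawteCodeSigningCA.crl]
[URIName: http://crl.thawte.com/ThawtePremiumServerCA.crl]
security: The OCSP support is enabled
accessMethod: 1.3.6.1.5.5.7.48.1
accessLocation: URIName: http://ocsp.thawte.com]
network: Connecting http://crl.thawte.com:80/ with proxy=DIRECT
network: Downloading resource: http://crl.thawte.com/ThawtePremiumServerCA.crl
network: Connecting http://ocsp.thawte.com/ with proxy=DIRECT
network: Connecting http://ocsp.thawte.com:80/ with proxy=DIRECT
security: This certificate has been revoked
"""

OCSP_METHOD = "1.3.6.1.5.5.7.48.1"  # id-ad-ocsp access method in the AIA extension

def summarize(trace):
    """Report which revocation sources were advertised, fetched and contacted."""
    s = {"crl_enabled": False, "ocsp_enabled": False, "crl_urls": [],
         "ocsp_urls": [], "downloaded": [], "last_contact": None, "revoked": False}
    method = None
    for line in (raw.strip() for raw in trace.splitlines()):
        if line.startswith("security: The CRL support is enabled"):
            s["crl_enabled"] = True
        elif line.startswith("security: The OCSP support is enabled"):
            s["ocsp_enabled"] = True
        elif line.startswith("accessMethod:"):
            method = line.split(":", 1)[1].strip()
        elif m := re.search(r"URIName: (\S+?)\]", line):
            if not line.startswith("accessLocation:"):
                s["crl_urls"].append(m.group(1))    # CRL distribution point
            elif method == OCSP_METHOD:
                s["ocsp_urls"].append(m.group(1))   # OCSP responder from AIA
        elif m := re.match(r"network: Downloading resource: (\S+)", line):
            s["downloaded"].append(m.group(1))
        elif m := re.match(r"network: Connecting (\S+) with proxy", line):
            if not s["revoked"]:                    # keep the last host seen before the verdict
                s["last_contact"] = urlsplit(m.group(1)).hostname
        elif line.startswith("security: This certificate has been revoked"):
            s["revoked"] = True
    s["crl_not_downloaded"] = [u for u in s["crl_urls"] if u not in s["downloaded"]]
    return s

if __name__ == "__main__":
    for key, value in summarize(TRACE).items():
        print(f"{key}: {value}")
```

On the posted trace this reports that the ThawteCodeSigningCA CRL was advertised but never downloaded, and that the last host contacted before the verdict was ocsp.thawte.com.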
Maybe Java uses the global preference settings in the "Keychain Access" application? This application can be found under Applications > Utilities > Keychain Access.
Default settings indicate:
Online Certificate Status Protocol (OCSP): Best attempt
Certificate Revocation List (CRL): Best attempt
Priority: OCSP
You could verify if the application accepts your certificate if you (temporarily) turn OCSP and CRL off.
In any case, you should probably not be using a revoked certificate... :-)
Have you tried it on a non-Lion machine that has never run your applet before? Maybe the other machines that you tested with already trust your applet.