- Bug
- Resolution: Incomplete
- P3
- None
- 8u5
- x86
- windows_7
FULL PRODUCT VERSION :
java version "1.8.0_05"
Java(TM) SE Runtime Environment (build 1.8.0_05-b13)
Java HotSpot(TM) Client VM (build 25.5-b02, mixed mode)
ADDITIONAL OS VERSION INFORMATION :
Windows 7
A DESCRIPTION OF THE PROBLEM :
JRE 8 U5 does not run applets contained in JAR files which were timestamped by a trusted TSA and signed by a valid code signing certificate, after the expiration of the code signing certificate.
REGRESSION. Last worked in version 7u60
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
1) I build an applet .jar file and sign it with a valid certificate, giving a "-tsa https://timestamp.geotrust.com/tsa" argument. The certificate is issued by Thawte, and expires June 27, 2014.
2) I verify that this applet works under default Java Control Panel security slider settings, with both JRE 7 U60 and JRE 8 U5.
3) I shut down the browser (Firefox, IE, Chrome - doesn't change the result), set the client system Date to June 30, bring the browser back up and navigate to the page with the applet.
PROBLEM: JRE 8 U5 fails to load the applet, giving an error "Failed to validate certificate. The application will not be executed.". This problem occurs even if I set the Java Control Panel slider to Medium, which claims "All Java applications will be allowed to run after presenting a security prompt".
The problem goes away if I remove the client PC's connectivity to the public internet, only allowing it to connect to the server hosting the applet. It returns if I restore the client PC's connectivity to the public internet.
The problem also goes away if I restore the client PC's date setting to the current (within the validity of the signing key) date.
JRE 7 U60 works correctly - the time stamped applet is allowed to execute after the expiration of the code signing certificate.
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
If I time stamp (using Geotrust) and sign a JAR with a valid Thawte-issued code signing certificate then that JAR should continue to work after the expiration of the code signing certificate - that is the entire point of the time stamp.
ACTUAL -
If I time stamp (using Geotrust) and sign a JAR with a valid Thawte-issued code signing certificate then that JAR does not continue to work after the expiration of the code signing certificate.
REPRODUCIBILITY :
This bug can be reproduced always.
---------- BEGIN SOURCE ----------
Not applicable.
---------- END SOURCE ----------
CUSTOMER SUBMITTED WORKAROUND :
Disconnect the client PC from the public internet (which is not, really, a valid workaround for users!).
- relates to JDK-8185244 JRE 8 doesn't run timestamped applets after signing cert expiry (Closed)
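When triaging a report like this one, it helps to first confirm that the JAR really carries a TSA timestamp and that the timestamp falls inside the signing certificate's validity period. The following is an added example, not code from the report or from the JDK project; the class name `TimestampCheck` is hypothetical, the JAR path is taken from the first command-line argument, and the check covers only timestamp and validity dates, not chain trust or revocation.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.Timestamp;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Date;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

// Added example (hypothetical class name), not part of the report or the JDK.
public class TimestampCheck {
    public static void main(String[] args) throws Exception {
        Date now = new Date();
        byte[] buf = new byte[8192];
        // verify=true: entry digests are checked against the signature as entries are read
        try (JarFile jar = new JarFile(args[0], true)) {
            for (JarEntry e : Collections.list(jar.entries())) {
                // Simplification: skip directories and everything under META-INF/
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                // Code signers are only populated once the entry has been read to the end
                try (InputStream in = jar.getInputStream(e)) {
                    while (in.read(buf) != -1) { /* drain */ }
                }
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null) {
                    System.out.println(e.getName() + ": unsigned");
                    continue;
                }
                for (CodeSigner s : signers) {
                    // First certificate in the path is the signer's own certificate
                    X509Certificate cert = (X509Certificate) s.getSignerCertPath().getCertificates().get(0);
                    System.out.println(e.getName() + ": " + describe(cert, s.getTimestamp(), now));
                }
            }
        }
    }

    static String describe(X509Certificate cert, Timestamp ts, Date now) {
        String state = now.after(cert.getNotAfter()) ? "cert expired " + cert.getNotAfter() : "cert currently valid";
        if (ts == null) return state + ", no timestamp";
        try {
            cert.checkValidity(ts.getTimestamp()); // was the cert valid when the TSA stamped it?
            return state + ", timestamped " + ts.getTimestamp() + " inside validity period";
        } catch (CertificateException ex) {
            return state + ", timestamped " + ts.getTimestamp() + " OUTSIDE validity period";
        }
    }
}
```

A JAR that reports "cert expired ..., timestamped ... inside validity period" for every entry matches the situation the submitter describes, so a load failure on such a JAR points at the runtime's validation rather than at the signing step.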