JDK-8047702

JRE 8U5 doesn't run timestamped applets after signing cert expiry

    • x86
    • windows_7

      FULL PRODUCT VERSION :
      java version "1.8.0_05"
      Java(TM) SE Runtime Environment (build 1.8.0_05-b13)
      Java HotSpot(TM) Client VM (build 25.5-b02, mixed mode)


      ADDITIONAL OS VERSION INFORMATION :
      Windows 7

      A DESCRIPTION OF THE PROBLEM :
      JRE 8 U5 does not run applets contained in JAR files which were timestamped by a trusted TSA and signed by a valid code signing certificate, after the expiration of the code signing certificate.

      REGRESSION. Last worked in version 7u60

      STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
      1) I build an applet .jar file and sign it with a valid certificate, giving a "-tsa https://timestamp.geotrust.com/tsa" argument. The certificate is issued by Thawte, and expires June 27, 2014.
      2) I verify that this applet works under default Java Control Panel security slider settings, with both JRE 7 U60 and JRE 8 U5.
      3) I shut down the browser (Firefox, IE, Chrome - doesn't change the result), set the client system Date to June 30, bring the browser back up and navigate to the page with the applet.

      PROBLEM: JRE 8 U5 fails to load the applet, giving an error "Failed to validate certificate. The application will not be executed.". This problem occurs even if I set the Java Control Panel slider to Medium, which claims "All Java applications will be allowed to run after presenting a security prompt".

      The problem goes away if I remove the client PC's connectivity to the public internet, only allowing it to connect to the server hosting the applet. It returns if I restore the client PC's connectivity to the public internet.

      The problem also goes away if I restore the client PC's date setting to the current (within the validity of the signing key) date.

      JRE 7 U60 works correctly - the time stamped applet is allowed to execute after the expiration of the code signing certificate.

      EXPECTED VERSUS ACTUAL BEHAVIOR :
      EXPECTED -
      If I time stamp (using Geotrust) and sign a JAR with a valid Thawte-issued code signing certificate then that JAR should continue to work after the expiration of the code signing certificate - that is the entire point of the time stamp.
      ACTUAL -
      If I time stamp (using Geotrust) and sign a JAR with a valid Thawte-issued code signing certificate then that JAR does not continue to work after the expiration of the code signing certificate.

      REPRODUCIBILITY :
      This bug can be reproduced always.

      ---------- BEGIN SOURCE ----------
      Not applicable.
      ---------- END SOURCE ----------

      CUSTOMER SUBMITTED WORKAROUND :
      Disconnect the client PC from the public internet (which is not, really, a valid workaround for users!).

            Unassigned Unassigned
            webbuggrp Webbug Group
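An added example, not part of the original bug report or of the JDK: a heuristic check that each signature block in a signed JAR actually carries an RFC 3161 timestamp token, which is the precondition for the expected behaviour described in the report. The function names and the sample signature bytes are constructed for illustration, and the check scans for the attribute OID rather than parsing the PKCS#7 structure.

```python
import io
import zipfile

# DER encoding of OID 1.2.840.113549.1.9.16.2.14 (id-aa-signatureTimeStampToken),
# the unsigned attribute that carries the TSA token inside a PKCS#7 signature block.
TIMESTAMP_ATTR_OID = bytes.fromhex("060b2a864886f70d010910020e")
SIG_BLOCK_SUFFIXES = (".RSA", ".DSA", ".EC")


def timestamp_status(jar):
    """Map each META-INF signature block in the JAR to True/False (token present)."""
    status = {}
    with zipfile.ZipFile(jar) as zf:
        for name in zf.namelist():
            upper = name.upper()
            # Signature blocks live directly in META-INF/, not in subdirectories.
            if (upper.startswith("META-INF/") and upper.count("/") == 1
                    and upper.endswith(SIG_BLOCK_SUFFIXES)):
                status[name] = TIMESTAMP_ATTR_OID in zf.read(name)
    return status


def untimestamped_blocks(jar):
    """Names of signature blocks in which no timestamp token attribute was found."""
    return sorted(n for n, ok in timestamp_status(jar).items() if not ok)


def _constructed_jar(blocks):
    """Build an in-memory JAR with constructed (not real) signature block bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        for name, data in blocks.items():
            zf.writestr(name, data)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # Constructed sample: one block containing the OID bytes, one without.
    sample = _constructed_jar({
        "META-INF/SIGNER1.RSA": b"\x30\x82" + TIMESTAMP_ATTR_OID + b"\x31\x00",
        "META-INF/SIGNER2.RSA": b"\x30\x82\x01\x00 no token here",
    })
    for block, ok in sorted(timestamp_status(sample).items()):
        print(f"{block}: {'timestamped' if ok else 'NO TIMESTAMP'}")
```

Pass a path to a real signed JAR in place of the constructed sample to run the same check in a build pipeline after signing.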