JDK-8187355

JRE 8 doesn't run timestamped applets after certificate is expired


    • x86_64
    • windows_7

      FULL PRODUCT VERSION :
      java version "1.8.0_66"
      Java(TM) SE Runtime Environment (build 1.8.0_66-b17)
      Java HotSpot(TM) 64-Bit Server VM (build 25.66-b17, mixed mode)

      ADDITIONAL OS VERSION INFORMATION :
      ver windows 7 64 bit

      A DESCRIPTION OF THE PROBLEM :
      JRE 8u66 does not run applets containing JAR files which were timestamped by a trusted TSA and signed by a valid code signing certificate, after the expiration of the code signing certificate.
      JRE 8u66 fails to load the applet, giving an error "Failed to validate certificate. The application will not be executed.".

      The problem goes away if I remove the client PC's connectivity to the public internet, only allowing it to connect to the server hosting the applet. It returns if I restore the client PC's connectivity to the public internet.

      The problem also goes away if I restore the client PC's date setting to the current (within the validity of the signing key) date.

      JRE 7 works correctly - the time stamped applet is allowed to execute after the expiration of the code signing certificate but with a warning message saying "The application will run with unrestricted access which may put your computer and personal information at risk. The information provided is unreliable or unknown so it is recommended not to run this application unless you are familiar with its source".

      REGRESSION. Last worked in version 8u121

      STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
      1) I build a jar file and sign it with a valid certificate, giving a "-tsa http://timestamp.digicert.com" argument. The expiry date of the certificate used to sign the jars is 15 December 2019.
      2) I shut down the browser (IE, Chrome), set the client system Date to Jan 2020, bring the browser back up and navigate to the page with the applet.

      EXPECTED VERSUS ACTUAL BEHAVIOR :
      EXPECTED -
      If I time stamp and sign a JAR with a valid VeriSign-issued code signing certificate then that JAR should continue to work after the expiration of the code signing certificate - that is the entire point of using a time stamp.
      ACTUAL -
      If I time stamp and sign a JAR with a valid VeriSign-issued code signing certificate then that JAR does not continue to work after the expiration of the code signing certificate.

      REPRODUCIBILITY :
      This bug can be reproduced always.

      CUSTOMER SUBMITTED WORKAROUND :
      The only workaround to the problem is to re-sign the jars every time the certificate used to sign the jars is expired. We want to avoid re-signing the jars until and unless the jars are modified.

            pardesha Pardeep Sharma
            webbuggrp Webbug Group
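When triaging a report like the one above, it helps to first confirm that the JAR really carries a timestamp token and that the token's time falls inside the signing certificate's validity window. The following diagnostic is an added example, not code from the reporter or from the JDK project; the class name `TimestampCheck` is hypothetical, and it deliberately does not validate the certificate chain, TSA trust or revocation status.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.Timestamp;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Date;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

// Hypothetical diagnostic (not part of the JDK): lists signer and timestamp per JAR entry.
public class TimestampCheck {
    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java TimestampCheck <signed.jar>");
            System.exit(2);
        }
        byte[] buf = new byte[8192];
        // verify=true: reading an entry throws SecurityException on a digest mismatch
        try (JarFile jar = new JarFile(args[0], true)) {
            for (JarEntry e : Collections.list(jar.entries())) {
                // Simplification: skip directories and signature-related metadata
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                try (InputStream in = jar.getInputStream(e)) {
                    while (in.read(buf) != -1) { /* signers are only set after a full read */ }
                }
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null) {
                    System.out.println(e.getName() + ": UNSIGNED");
                    continue;
                }
                for (CodeSigner s : signers) {
                    X509Certificate cert =
                        (X509Certificate) s.getSignerCertPath().getCertificates().get(0);
                    Timestamp ts = s.getTimestamp(); // null if signed without -tsa
                    System.out.println(e.getName() + ": notAfter=" + cert.getNotAfter()
                        + ", certificate valid now=" + validAt(cert, new Date())
                        + (ts == null ? ", no timestamp"
                            : ", timestamp=" + ts.getTimestamp()
                              + ", within certificate validity=" + validAt(cert, ts.getTimestamp())));
                }
            }
        }
    }

    // True if 'when' lies between the certificate's notBefore and notAfter.
    static boolean validAt(X509Certificate cert, Date when) {
        try { cert.checkValidity(when); return true; }
        catch (CertificateException ex) { return false; }
    }
}
```

An entry that reports `certificate valid now=false` together with `within certificate validity=true` matches the situation the reporter describes: the signature was made while the certificate was valid and is being evaluated after its expiry.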