Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8185244

JRE 8 doesn't run timestamped applets after signing cert expiry

    Details

    • Subcomponent:
    • Introduced In Version:
    • CPU:
      x86_64
    • OS:
      windows_7

      Description

      FULL PRODUCT VERSION :
      jdk 8

      ADDITIONAL OS VERSION INFORMATION :
      Windows

      A DESCRIPTION OF THE PROBLEM :
      java version : jre-8u66-windows-x64

      A DESCRIPTION OF THE PROBLEM :
      JRE 8u66 does not run applets contained in JAR files which were timestamped by a trusted TSA and signed by a valid code signing certificate, after the expiration of the code signing certificate.
      JRE 8U66 fails to load the applet, giving an error "Failed to validate certificate. The application will not be executed.".

      The problem goes away if I remove the client PC's connectivity to the public internet, only allowing it to connect to the server hosting the applet. It returns if I restore the client PC's connectivity to the public internet.

      The problem also goes away if I restore the client PC's date setting to the current (within the validity of the signing key) date.

      JRE 7 woks correctly - the time stamped applet is allowed to execute after the expiration of the code signing certificate but with a warning message saying "The application will run with unrestricted access which may put your computer and personal information at risk. The information provided is unreliable or unknown so it is recommended not to run this application unless you are familiar with its source".

      REPRODUCIBILITY :
      This bug can be reproduced always.

      REGRESSION. Last worked in version 8u121

      STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
      STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
      1) I build a jar file and sign it with a valid certificate, giving a "-tsa http://timestamp.digicert.com" argument. The expiry date of the certificate used to sign the jars is 15 december 2019
      2) I shut down the browser (IE, Chrome), set the client system Date to Jan 2020, bring the browser back up and navigate to the page with the applet.

      EXPECTED VERSUS ACTUAL BEHAVIOR :
      EXPECTED -
      EXPECTED -
      If I time stamp and sign a JAR with a valid Varisign-issued code signing certificate then that JAR should continue to work after the expiration of the code signing certificate - that is the entire point of the time stamp.
      ACTUAL -
      ACTUAL -
      If I time stamp and sign a JAR with a valid Varisign-issued code signing certificate then that JAR does not continue to work after the expiration of the code signing certificate.

      REPRODUCIBILITY :
      This bug can be reproduced always.

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                dmarkov Dmitry Markov
                Reporter:
                webbuggrp Webbug Group
              • Votes:
                0 Vote for this issue
                Watchers:
                4 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: