We have a Java Web Start application signed with a certificate from a CA (Thawte). The application is distributed to hundreds of customers. They host it on their own servers and run it on their client machines over the Internet or an intranet. Right now it works perfectly. The problem is that the application was not signed with a timestamp. What happens to the customers when the certificate expires? Will they still be able to launch the application? If not, how can we help them? Would adding their server URL to the Exception Site List help them? What happens to a Java Web Start application (signed without a timestamp) when the certificate expires?
We tried changing the local time to simulate certificate expiry. The application was then blocked for security reasons. Adding the URL to the Exception Site List did not help:
java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: Response is unreliable: its validity interval is out-of-date
at com.sun.deploy.security.RevocationChecker.checkOCSP(Unknown Source)
at com.sun.deploy.security.RevocationChecker.check(Unknown Source)
at com.sun.deploy.security.TrustDecider.checkRevocationStatus(Unknown Source)
at com.sun.deploy.security.TrustDecider.getValidationState(Unknown Source)
at com.sun.deploy.security.TrustDecider.validateChain(Unknown Source)
at com.sun.deploy.security.TrustDecider.isAllPermissionGrantedInt(Unknown Source)
at com.sun.deploy.security.TrustDecider.isAllPermissionGranted(Unknown Source)
at com.sun.javaws.security.AppPolicy.grantUnrestrictedAccess(Unknown Source)
at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResourcesHelper(Unknown Source)
at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResources(Unknown Source)
at com.sun.javaws.Launcher.prepareResources(Unknown Source)
at com.sun.javaws.Launcher.prepareAllResources(Unknown Source)
at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
at com.sun.javaws.Launcher.launch(Unknown Source)
at com.sun.javaws.Main.launchApp(Unknown Source)
at com.sun.javaws.Main.continueInSecureThread(Unknown Source)
at com.sun.javaws.Main.access$000(Unknown Source)
at com.sun.javaws.Main$1.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Suppressed: com.sun.deploy.security.RevocationChecker$StatusUnknownException
at com.sun.deploy.security.RevocationChecker.checkCRLs(Unknown Source)
... 19 more
Caused by: java.security.cert.CertPathValidatorException: Response is unreliable: its validity interval is out-of-date
at sun.security.provider.certpath.OCSPResponse.verify(Unknown Source)
at sun.security.provider.certpath.OCSP.check(Unknown Source)
at sun.security.provider.certpath.OCSP.check(Unknown Source)
at sun.security.provider.certpath.OCSP.check(Unknown Source)
at com.sun.deploy.security.RevocationChecker$2.run(Unknown Source)
at com.sun.deploy.security.RevocationChecker$2.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at com.sun.deploy.security.RevocationChecker.doPrivilegedOCSPCheck(Unknown Source)
... 20 more
What can we do? Of course we will ask Thawte to renew our certificate and ask our customers to upgrade to the updated application. But we cannot cover all of them. We need to give them some quick advice when they ask us. The expiry date is approaching, so any comments are welcome.
Sign it again, this time with a timestamp, and deliver the updated application to your customers before your original signature expires. – jariq
@jariq We plan to do that, but it is impossible to contact all the customers. We do not know where our application is running. It is a software package: we develop it, sell it to system integrators, and they install it at the end users' sites. – stepand76
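To check whether a signed JAR actually carries a signature timestamp before shipping it (the difference that decides whether it keeps validating after the signing certificate expires), here is an added example that is not part of the original question or comments. It uses the standard `java.util.jar` and `java.security.CodeSigner` APIs; the JAR path `app.jar` is an assumed default.

```java
// Added example: report signer certificate expiry and timestamp presence for a signed JAR.
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.Timestamp;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class JarTimestampCheck {
    public static void main(String[] args) throws Exception {
        // Assumed default path; pass the signed JAR to inspect as the first argument.
        String path = args.length > 0 ? args[0] : "app.jar";
        try (JarFile jar = new JarFile(path, true)) { // true = verify signatures while reading
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry entry = entries.nextElement();
                if (entry.isDirectory() || entry.getName().startsWith("META-INF/")) {
                    continue; // signature files themselves carry no code signers
                }
                // Code signers are only populated after the entry's bytes have been fully read.
                try (InputStream in = jar.getInputStream(entry)) {
                    byte[] buf = new byte[8192];
                    while (in.read(buf) != -1) { }
                }
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null) {
                    System.out.println(entry.getName() + ": UNSIGNED");
                    continue;
                }
                for (CodeSigner signer : signers) {
                    X509Certificate cert =
                        (X509Certificate) signer.getSignerCertPath().getCertificates().get(0);
                    Timestamp ts = signer.getTimestamp(); // null when signed without -tsa
                    System.out.println(entry.getName()
                        + " signed by " + cert.getSubjectX500Principal().getName()
                        + ", cert valid until " + cert.getNotAfter()
                        + (ts == null
                            ? ", NO TIMESTAMP (signature stops validating after expiry)"
                            : ", timestamped at " + ts.getTimestamp()));
                }
                break; // one signed entry is enough to see how the JAR was signed
            }
        }
    }
}
```

Run it as `java JarTimestampCheck path/to/app.jar`; a JAR re-signed with `jarsigner -tsa <TSA URL> ...` reports a timestamp, while the original build reports NO TIMESTAMP.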