JDK-7199864 : Remove JNLP signed extension OCSP revocation check from TrustDecider
Type:Enhancement
Component:deploy
Sub-Component:deployment_toolkit
Affected Version:7
Priority:P2
Status:Closed
Resolution:Fixed
OS:generic
CPU:generic
Submitted:2012-09-20
Updated:2013-09-12
Resolved:2012-10-16
SUGGESTED FIX
Remove this code from TrustDecider:
    // If this is an extension installation,
    // and it is signed by a valid and trusted certificate
    // but not a pre-trusted certificate,
    // and it does not perform an insecure operation,
    // and the certificate is not expired (discard timestamping),
    // we will turn on the OCSP check.
    if (!rootCANotValid && (certValidityNoTS == CertificateStatus.VALID) &&
            (ainfo.getType() == 3) && !jnlpFlag && !isTrustedExtension) {
        // we will turn on OCSP only for the first time
        if (!permanentStore.contains(certArr[0])) {
            ocspEECheckLocal = true;
            Trace.msgSecurityPrintln(
                "trustdecider.check.extensioninstall.on");
        }
    }
and this code:
    // Check the revocation status on a best-effort basis of the EE cert via
    // OCSP for the following conditions:
    // 1. OCSP has not been previously checked
    // 2. OCSP responder is specified
    // 3. it is not a self-signed certificate (cert length > 1)
    // 4. Certificate is valid (and unexpired - discard timestamp)
    // 5. Root CA is trusted
    // 6. This is not a pre-trusted certificate
    // 7. Network failures (timeouts, offline, etc.) are OK.
    // By default, only EE certs of extensions are checked. All
    // EE certs can be checked by setting the
    // deployment.security.validation.ocsp.publisher property to true.
    if (ocspEECheckLocal && !ocspCheckLocal && certArrLen > 1 &&
            !isTrustedExtension && !rootCANotValid &&
            (certValidityNoTS == CertificateStatus.VALID)) {
        doCheckRevocationStatus(certArr, params.getDate());
    } else {
        Trace.msgSecurityPrintln("trustdecider.check.ocsp.ee.off");
    }
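The check being removed is a best-effort OCSP query of the end-entity certificate only, in which network failures do not fail validation. As an added example (not code from the JDK deployment stack), here is the same policy expressed with the standard PKIX API; it needs Java 8 or later for PKIXRevocationChecker, and the chain file, cacerts path and keystore password are assumed command-line inputs.

```java
import java.io.FileInputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.*;
import java.security.cert.PKIXRevocationChecker.Option;
import java.util.*;

public class BestEffortEeOcsp {
    // Validates chain (leaf first) against anchors at validationDate. OCSP is queried for
    // the end-entity cert only and network failures are tolerated (SOFT_FAIL), the same
    // best-effort policy as the removed check. Soft-fail exceptions are returned for logging.
    public static List<CertPathValidatorException> validate(
            List<X509Certificate> chain, Set<TrustAnchor> anchors, Date validationDate)
            throws GeneralSecurityException {
        CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(chain);
        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
        PKIXParameters params = new PKIXParameters(anchors);
        params.setDate(validationDate);           // counterpart of params.getDate() above
        if (chain.size() < 2) {                   // self-signed leaf: no issuer to ask
            params.setRevocationEnabled(false);
            cpv.validate(path, params);           // still fails unless the cert is an anchor
            return Collections.emptyList();
        }
        PKIXRevocationChecker rc = (PKIXRevocationChecker) cpv.getRevocationChecker();
        rc.setOptions(EnumSet.of(Option.ONLY_END_ENTITY, Option.SOFT_FAIL, Option.NO_FALLBACK));
        params.addCertPathChecker(rc);            // NO_FALLBACK: OCSP only, no CRL fetch
        cpv.validate(path, params);               // throws on untrusted root, expiry or REVOKED
        return rc.getSoftFailExceptions();
    }

    // Assumed invocation: java BestEffortEeOcsp chain.pem $JAVA_HOME/lib/security/cacerts changeit
    public static void main(String[] args) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (FileInputStream in = new FileInputStream(args[0])) {
            for (Certificate c : cf.generateCertificates(in)) chain.add((X509Certificate) c);
        }
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(args[1])) {
            ks.load(in, args[2].toCharArray());
        }
        Set<TrustAnchor> anchors = new HashSet<>();
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(alias)) {
                anchors.add(new TrustAnchor((X509Certificate) ks.getCertificate(alias), null));
            }
        }
        List<CertPathValidatorException> soft = validate(chain, anchors, new Date());
        System.out.println(soft.isEmpty() ? "EE cert not revoked" : "OCSP unreachable, accepted best-effort: " + soft);
    }
}
```

A non-empty soft-fail list means the responder could not be reached, so the certificate was accepted without a revocation answer; that is the case a verifier should log rather than silently accept.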