JDK-7199864 : Remove JNLP signed extension OCSP revocation check from TrustDecider
  • Type: Enhancement
  • Component: deploy
  • Sub-Component: deployment_toolkit
  • Affected Version: 7
  • Priority: P2
  • Status: Closed
  • Resolution: Fixed
  • OS: generic
  • CPU: generic
  • Submitted: 2012-09-20
  • Updated: 2013-09-12
  • Resolved: 2012-10-16
The Version table provides details about the release in which this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

  • JDK 7: 7u21 b01 (Fixed)
  • JDK 8: 8 (Fixed)
Description
See comments.

Comments
Verified with 7u21 b04
24-03-2013

SUGGESTED FIX

Remove this code from TrustDecider:

    // If this is an extension installation,
    // and it is signed by a valid and trusted certificate
    // but not a pre-trusted certificate
    // and does not perform an unsecure operation
    // and the certificate is not expired (discard timestamping)
    // We will turn on the OCSP check
    if (!rootCANotValid && (certValidityNoTS == CertificateStatus.VALID)
            && (ainfo.getType() == 3) && !jnlpFlag && !isTrustedExtension) {
        // we will turn on OCSP only for the first time
        if (!permanentStore.contains(certArr[0])) {
            ocspEECheckLocal = true;
            Trace.msgSecurityPrintln("trustdecider.check.extensioninstall.on");
        }
    }

and this code:

    // Check the revocation status on a best-effort basis of EE cert via
    // OCSP for the following condition:
    // 1. OCSP has not been previously checked
    // 2. OCSP responder is specified
    // 3. it is not a self-signed certificate. (cert length > 1)
    // 4. Certificate is valid (and unexpired - discard timestamp)
    // 5. Root CA is trusted
    // 6. This is not a pre-trusted certificate
    // 7. Network failures (timeouts, offline, etc) are OK.
    // By default, only EE certs of extensions are checked. All
    // EE certs can be checked by setting the
    // deployment.security.validation.ocsp.publisher property to true.
    if (ocspEECheckLocal && !ocspCheckLocal && certArrLen > 1
            && !isTrustedExtension && !rootCANotValid
            && (certValidityNoTS == CertificateStatus.VALID)) {
        doCheckRevocationStatus(certArr, params.getDate());
    } else {
        Trace.msgSecurityPrintln("trustdecider.check.ocsp.ee.off");
    }
20-09-2012
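The removed block delegated the actual query to doCheckRevocationStatus; as an added example that is not the deploy code from this report, the same best-effort, end-entity-only OCSP check (conditions 3, 4, 5 and 7 of the removed comment) can be expressed with the standard PKIXRevocationChecker API, which exists from Java 8 onward. The class name and the methods validateWithSoftFailOcsp and defaultAnchors are names chosen for this example.

```java
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
import javax.net.ssl.*;

// Added example, not code from the deploy TrustDecider quoted above: a best-effort
// (soft-fail) OCSP check limited to the end-entity cert via the Java 8+ PKIXRevocationChecker.
public class EndEntityOcspCheck {

    // Returns true when the chain (EE cert first) builds to a trust anchor and the EE cert
    // is not reported revoked; an unreachable responder is logged, not treated as a failure.
    static boolean validateWithSoftFailOcsp(List<X509Certificate> chain, Set<TrustAnchor> anchors,
                                            Date validationDate) throws GeneralSecurityException {
        if (chain.size() < 2) {  // condition 3 above: a lone self-signed cert has no issuer to ask
            throw new CertPathValidatorException("single-cert chain: no issuer for an OCSP query");
        }
        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
        PKIXRevocationChecker rc = (PKIXRevocationChecker) cpv.getRevocationChecker();
        rc.setOptions(EnumSet.of(
                PKIXRevocationChecker.Option.ONLY_END_ENTITY,  // EE cert only, as the removed code did
                PKIXRevocationChecker.Option.SOFT_FAIL,        // network failures are OK (condition 7)
                PKIXRevocationChecker.Option.NO_FALLBACK));    // OCSP only, no CRL fallback
        PKIXParameters params = new PKIXParameters(anchors);
        params.setDate(validationDate);  // validity judged at the caller's date, like params.getDate()
        params.addCertPathChecker(rc);   // an added revocation checker runs regardless of setRevocationEnabled
        CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(chain);
        cpv.validate(path, params);      // throws on a definitive "revoked" answer or a broken chain
        for (CertPathValidatorException soft : rc.getSoftFailExceptions()) {
            System.err.println("OCSP soft-fail ignored: " + soft.getMessage());
        }
        return true;
    }

    // Trust anchors from the JVM's default trust store (cacerts), never from the chain itself.
    static Set<TrustAnchor> defaultAnchors() throws GeneralSecurityException {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        Set<TrustAnchor> anchors = new HashSet<>();
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                for (X509Certificate ca : ((X509TrustManager) tm).getAcceptedIssuers()) {
                    anchors.add(new TrustAnchor(ca, null));
                }
            }
        }
        return anchors;
    }
}
```

Call validateWithSoftFailOcsp with the signer's chain loaded via CertificateFactory.generateCertificates and the anchors from defaultAnchors(); a logged soft-fail means the responder could not be reached, which is exactly the case the removed code tolerated.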