JDK-8023324 : With expired or self-signed DeploymentRuleSet, no hint is provided in JCP Rule Set dialog.
  • Type: Bug
  • Component: deploy
  • Affected Version: 7u40,8
  • Priority: P4
  • Status: Resolved
  • Resolution: Fixed
  • Submitted: 2013-08-20
  • Updated: 2015-09-29
  • Resolved: 2015-02-03
  • JDK 8: 8u60 b02 (Fixed)
  • JDK 9: 9 (Fixed)
Description
For now, with the DeploymentRuleSet signed by an expired or self-signed cert, no additional warning information is provided in the JCP Rule Set dialog. I think this is no good.

Steps to reproduce:
1. Download http://sqeweb.us.oracle.com/deployment2/sheldon/webCases/PolicyFileValidation/policy_template/policy_expired.jar
2. Rename it to DeploymentRuleSet.jar and install it.
3. Open JCP -> Security -> View the active Deployment Rule Set.
4. If the rule set is shown, the bug is reproducible.

Since the policy is expired and invalid, the deployment rule set is not active. We should not show the rule set or at least have some warning information.
Comments
crucible review: https://java.se.oracle.com/code/cru/CR-JDK9CLIENT-739
30-01-2015

We removed validation of the ruleset jar in JCP due to (a) revocation checking delay, and (b) cases in JCP where the network is not configured. It would, however, be easy to do lazy verification without revocation checking. We could lazily add verification information to the displayed ruleset file.
06-11-2014

In the fix for https://jbs.oracle.com/bugs/browse/JDK-8021217, we decided not to validate the DRS jar from the JCP. This is mainly because proxies are not set up properly, and that failure to reach the OCSP was causing extreme delay loading the show DRS dialog. We should implement code in the future to show the dialog with some message such as "verification pending" then verify in the background, and change message to "verification succeeded" or "verification failed".
20-08-2013
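
The two comments above propose showing "verification pending" first and then verifying lazily, with no revocation lookup. The following Java is an added example of that approach, not code from the deploy component or its fix. The class name `RuleSetSignerHint`, the detail text after each status, and treating subject-equals-issuer as self-signed are assumptions.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.concurrent.CompletableFuture;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

// Hypothetical helper (not the deploy code base): local-only signer checks for a rule set jar.
public class RuleSetSignerHint {

    // Returns a hint for the dialog. No OCSP/CRL lookup and no trust-store path validation.
    static String check(String jarPath) {
        try (JarFile jar = new JarFile(jarPath, true)) {           // true = verify signatures
            JarEntry entry = jar.getJarEntry("ruleset.xml");
            if (entry == null) return "verification failed: no ruleset.xml";
            try (InputStream in = jar.getInputStream(entry)) {
                in.readAllBytes();          // signers are only available after a full read
            }
            CodeSigner[] signers = entry.getCodeSigners();
            if (signers == null) return "verification failed: unsigned";
            for (CodeSigner s : signers) {
                X509Certificate cert =
                        (X509Certificate) s.getSignerCertPath().getCertificates().get(0);
                // A timestamped signature is judged at signing time, otherwise at the current time.
                Date when = s.getTimestamp() != null ? s.getTimestamp().getTimestamp() : new Date();
                try {
                    cert.checkValidity(when);
                } catch (CertificateException e) {                  // expired or not yet valid
                    return "verification failed: signer certificate not valid on " + when;
                }
                // Assumption: subject == issuer is reported as self-signed.
                if (cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal()))
                    return "verification failed: self-signed signer certificate";
            }
            return "verification succeeded (revocation not checked)";
        } catch (Exception e) {             // e.g. SecurityException on a tampered entry
            return "verification failed: " + e.getMessage();
        }
    }

    // Usage: java RuleSetSignerHint.java /path/to/DeploymentRuleSet.jar
    public static void main(String[] args) {
        System.out.println("verification pending");                // shown immediately
        CompletableFuture.supplyAsync(() -> check(args[0]))         // verify off the UI thread
                .thenAccept(System.out::println)                     // a dialog would update its label
                .join();
    }
}
```

On JDKs that disable a jar's signature algorithm, `getCodeSigners()` returns null and the jar is reported as unsigned.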