JDK-8153780 : Deployment: pass timestamp to CertPath code
  • Type: Sub-task
  • Component: security-libs
  • Sub-Component: java.security
  • Priority: P2
  • Status: Closed
  • Resolution: Other
  • Submitted: 2016-04-07
  • Updated: 2016-05-19
  • Resolved: 2016-05-19
JDK 9
9 Resolved
Description
This is a deployment subtask to pass the timestamp from signed code into the CertPathValidator to be used in timestamp constraint checks. 

Assigning to myself for now until I figure out the best way to do this. Will reassign to deployment team after that.
Comments
Resolved by the deployment team in JDK-8157042.
19-05-2016

The following change should be made to the TrustDecider code: diff -r c23233e7ab49 src/jdk.deploy/share/classes/com/sun/deploy/security/TrustDecider.java --- a/src/jdk.deploy/share/classes/com/sun/deploy/security/TrustDecider.java Mon May 09 13:25:09 2016 +0200 +++ b/src/jdk.deploy/share/classes/com/sun/deploy/security/TrustDecider.java Thu May 12 15:44:32 2016 -0700 @@ -491,7 +491,7 @@ newChain[k] = new X509CertificateWrapper(certArr[k]); } - newChain = v.validate(newChain); + newChain = v.validate(newChain, null, state.timeStampInfo); } catch (CertificateException ce) { if (ce instanceof ValidatorException) { ValidatorException ve = (ValidatorException) ce; This will allow us to enhance PKIXValidator to check signed code that has been timestamped against the denyAfter date.
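Review bot: The changed call `v.validate(newChain, null, state.timeStampInfo)` shows neither what happens when `state.timeStampInfo` is null (code signed without a timestamp) nor where that field is populated. Please confirm that a null third argument makes the denyAfter check fall back to the current time rather than being skipped, and that `timeStampInfo` is only set after the timestamp token's own signature and certificate chain have been verified, since an unverified timestamp would let a backdated signature pass the denyAfter date. The bare `null` second argument would also benefit from a short inline comment naming the parameter it stands for, so the call site is readable without opening the validator's signature.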
12-05-2016