如果我将计算机上的时钟提前,签名的 Java 小程序将不再适用于任何浏览器
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/27808457/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Signed java applet no longer works in any browser if I set the clock ahead on my computer
提问by Gerrat
I have a Java Applet (for a browser) signed and timestamped with a valid Code Signing Certificate from GoDaddy. The code signing certificate itself expires in a few weeks. Everything I've read says that the applet will still be valid after the Code Signing Certificate expires:
我有一个 Java Applet(用于浏览器),使用来自 GoDaddy 的有效代码签名证书进行签名和时间戳。代码签名证书本身将在几周后到期。我读过的所有内容都表明小程序在代码签名证书到期后仍然有效:
From here:
从这里:
If a timestamp is discovered, then the code signature is valid until the end of time, as long as the code remains unchanged
如果发现时间戳,则代码签名一直有效,直到时间结束,只要代码保持不变
I would like to verify this is actually true though. If I change my computer's clock settings to a later date, past when the certificate expires, I get the following Java Exception in IE, Firefox and Chrome:
我想验证这实际上是真的。如果我将计算机的时钟设置更改为以后的日期,超过证书过期时间,我会在 IE、Firefox 和 Chrome 中收到以下 Java 异常:
java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: Response is unreliable: its validity interval is out-of-date
java.security.cert.CertificateException:java.security.cert.CertPathValidatorException:响应不可靠:其有效期间隔已过时
Does this mean that the applet will actually fail in a few weeks when the Code Signing Certificate expires, or is this test of changing my computer clock just invalid? Any references either way?
这是否意味着当代码签名证书到期时,小程序实际上会在几周内失败,或者这种更改计算机时钟的测试是否无效?任何参考方法?
采纳答案by Gerrat
The code Signing Certificate has expired several months ago now, and I can confirm everything is still working fine. The Java popup that comes up (the first time visiting the site) says: "The web site's certificate has been verified."
代码签名证书已经在几个月前过期了,我可以确认一切仍然正常。出现的 Java 弹出窗口(第一次访问该站点)说:“该网站的证书已经过验证。”
Changing the local timestamp wasn't a valid test of this after all.
毕竟,更改本地时间戳并不是对此的有效测试。
回答by Chaim Geretz
As @Gabriel pointed out in a comment to the original question the problem you experienced was due to revocation checking.
正如@Gabriel 在对原始问题的评论中指出的,您遇到的问题是由于吊销检查造成的。
I experienced this while testing with safari, and worked around it by configuring java to allow certificates to be trusted even if revocation status could not be verified, and not to check for certificate revocation.
我在使用 safari 进行测试时遇到了这个问题,并通过配置 java 来允许信任证书,即使无法验证吊销状态,并且不检查证书吊销,从而解决了这个问题。
See the following screen shots from the java console.
从 Java 控制台查看以下屏幕截图。
