Java signed applet certificate is revoked only on Mac OS X 10.7 (Lion)

Posted 2024-11-26 19:20:06, 2896 characters, 2 views, 0 comments

I have a signed applet that works fine on Windows, Mac <= 10.6, and Linux. However, on OS X Lion, the signing certificate is revoked. Here is the security debug info from the Java console:

security: Loading certificates from Deployment session certificate store
security: Loaded certificates from Deployment session certificate store
security: Loading Root CA certificates from from keychain
security: Loaded Root CA certificates from from keychain
security: Validate the certificate chain using CertPath API
security: Obtain certificate collection in Root CA certificate store
security: Obtain certificate collection in Root CA certificate store
security: Obtain certificate collection in Root CA certificate store
security: jpicertstore.cert.getkeystore
security: No timestamping info available
security: Cannot find jurisdiction list file
security: The CRL support is enabled
security: PC Operating Center
security: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://crl.thawte.com/ThawteCodeSigningCA.crl]
]]

security: Thawte Code Signing CA
security: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://crl.thawte.com/ThawtePremiumServerCA.crl]
]]

security: Use CRL setting from certificate
security: The OCSP support is enabled
security: PC Operating Center
security: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: 1.3.6.1.5.5.7.48.1
   accessLocation: URIName: http://ocsp.thawte.com]
]

security: This certificate does not have AIA extension
security: Use OCSP setting from certificate
network: Cache entry not found [url: http://crl.thawte.com/ThawtePremiumServerCA.crl, version: null]
network: Connecting http://crl.thawte.com/ThawtePremiumServerCA.crl with proxy=DIRECT
network: Connecting http://crl.thawte.com:80/ with proxy=DIRECT
network: Downloading resource: http://crl.thawte.com/ThawtePremiumServerCA.crl
    Content-Length: 181,278
    Content-Encoding: null
network: Wrote URL http://crl.thawte.com/ThawtePremiumServerCA.crl to File /Users/koutbo6/Library/Caches/Java/cache/6.0/38/2fb889a6-30a08967-temp
network: Connecting http://ocsp.thawte.com/ with proxy=DIRECT
network: Connecting http://ocsp.thawte.com:80/ with proxy=DIRECT
network: CleanupThread used 990300 us
network: Connecting http://ocsp.thawte.com/ with proxy=DIRECT
network: Connecting http://ocsp.thawte.com:80/ with proxy=DIRECT
security: This certificate has been revoked
Ignored exception: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Certificate has been revoked

Would appreciate any tips on how to get the signed applet to work on Lion.

UPDATE:

Here is the serial number for the cert: 28 A9 29 38 64 0D FC 5D 7D 1D 05 CE 7F 1D 81 E0

I noticed the following: on Snow Leopard, if I go to the advanced settings of Java Preferences and enable "Check certificates for revocation using CRL", I get the same issue as in Lion.

I checked the Lion Java Preferences and the option was disabled, yet the certificate is still revoked.

On Snow Leopard, I disabled the option again and everything works fine.
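The console log above is the Java Plug-in running "Validate the certificate chain using CertPath API" with CRL Distribution Points and OCSP enabled. The stand-alone program below is an added example (not the poster's code) that reproduces that same check from the command line, so a revoked signer can be confirmed independently of the applet runtime and the per-OS Java Preferences. It assumes the signer chain has been exported to a PEM file (hypothetical name signer-chain.pem) and uses the JRE's cacerts file as the trust store, whereas the Plug-in on Mac loaded its roots from the keychain.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.*;
import java.util.ArrayList;
import java.util.List;

// Usage: java CheckSignerRevocation signer-chain.pem
// signer-chain.pem (assumed file): the signer's chain as PEM, leaf first.
public class CheckSignerRevocation {

    public static void main(String[] args) throws Exception {
        // Same behaviour the Plug-in log shows: follow the CRLDistributionPoints
        // extension (2.5.29.31) and query the OCSP responder from the AIA extension.
        System.setProperty("com.sun.security.enableCRLDP", "true");
        Security.setProperty("ocsp.enable", "true");

        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(args[0])) {
            for (Certificate c : cf.generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        }
        CertPath path = cf.generateCertPath(chain);

        // Trust anchors: the JRE's own cacerts store (assumption; the Plug-in on
        // Mac used the keychain). A null password opens the store read-only.
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        String cacerts = System.getProperty("java.home") + "/lib/security/cacerts";
        try (InputStream in = new FileInputStream(cacerts)) {
            trust.load(in, null);
        }
        PKIXParameters params = new PKIXParameters(trust);
        params.setRevocationEnabled(true);

        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        try {
            validator.validate(path, params);
            System.out.println("Chain valid; signer serial "
                    + chain.get(0).getSerialNumber().toString(16) + " is not revoked");
        } catch (CertPathValidatorException e) {
            // For the failure in the log, getReason() is BasicReason.REVOKED and
            // getIndex() names the position in the chain of the revoked certificate.
            System.out.println("PKIX path validation failed: " + e.getMessage()
                    + " (reason: " + e.getReason() + ", index: " + e.getIndex() + ")");
        }
    }
}
```

Running it against the exported chain on a machine that accepts the applet and on one that rejects it separates a genuinely revoked certificate from a client that merely skips the revocation check.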

Comments (2)

折戟 2024-12-03 19:20:06

Maybe Java uses the global preference settings in the "Keychain Access" application?
This application can be found under Applications > Utilities > Keychain Access.

Default settings indicate:

Online Certificate Status Protocol (OCSP): Best attempt
Certificate Revocation List (CRL): Best attempt
Priority: OCSP

You could verify whether the application accepts your certificate if you (temporarily) turn OCSP and CRL off.

In any case, you should probably not be using a revoked certificate... :-)

夏末 2024-12-03 19:20:06

Have you tried it on a non-Lion machine that has never run your applet before? Maybe the other machines that you tested with already trust your applet.
