# HG changeset patch
# User mullan
# Date 1303421968 14400
# Node ID 8f315e0a7b18bd48b954f9800389d9a587c6ab32
# Parent 310b4f6c8e6191f3cc120434898805c7bf6b28e8
7038175: Expired PKITS certificates causing CertPathBuilder and CertPathValidator regression test failures
Reviewed-by: xuelei
diff -r 310b4f6c8e61 -r 8f315e0a7b18 jdk/src/share/classes/sun/security/provider/certpath/CrlRevocationChecker.java
--- a/jdk/src/share/classes/sun/security/provider/certpath/CrlRevocationChecker.java Thu Apr 21 19:05:29 2011 +0100
+++ b/jdk/src/share/classes/sun/security/provider/certpath/CrlRevocationChecker.java Thu Apr 21 17:39:28 2011 -0400
@@ -312,7 +312,8 @@
 DistributionPointFetcher.getInstance();
 // all CRLs returned by the DP Fetcher have also been verified
 mApprovedCRLs.addAll(store.getCRLs(sel, signFlag, prevKey,
- mSigProvider, mStores, reasonsMask, trustAnchors));
+ mSigProvider, mStores, reasonsMask, trustAnchors,
+ mParams.getDate()));
 } catch (Exception e) {
 if (debug != null) {
 debug.println("CrlRevocationChecker.verifyRevocationStatus() "
@@ -769,7 +770,7 @@
 for (X509CRL crl : crls) {
 if (dpf.verifyCRL(certImpl, point, crl, reasonsMask, signFlag, prevKey, mSigProvider,
- trustAnchors, mStores)) {
+ trustAnchors, mStores, mParams.getDate())) {
 results.add(crl);
 }
 }
diff -r 310b4f6c8e61 -r 8f315e0a7b18 jdk/src/share/classes/sun/security/provider/certpath/DistributionPointFetcher.java
--- a/jdk/src/share/classes/sun/security/provider/certpath/DistributionPointFetcher.java Thu Apr 21 19:05:29 2011 +0100
+++ b/jdk/src/share/classes/sun/security/provider/certpath/DistributionPointFetcher.java Thu Apr 21 17:39:28 2011 -0400
@@ -90,8 +90,8 @@
 */
 Collection getCRLs(X509CRLSelector selector, boolean signFlag, PublicKey prevKey, String provider, List certStores,
- boolean[] reasonsMask,
- Set trustAnchors) throws CertStoreException {
+ boolean[] reasonsMask, Set trustAnchors,
+ Date validity) throws CertStoreException {
 if (USE_CRLDP == false) {
 return Collections.emptySet();
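Review bot: `mParams.getDate()` is evaluated inline at both new call sites, and in the `for (X509CRL crl : crls)` loop of the @@ -769 hunk that means once per CRL. If `mParams` is a `PKIXParameters` (its declaration is outside the hunks), `getDate()` returns a defensive copy, so each call allocates a fresh `Date`. Reading it once before the loop, `Date validity = mParams.getDate();`, and passing `validity` to `dpf.verifyCRL(...)` makes it explicit that every CRL in the batch is judged against one value, and matches the parameter name used in DistributionPointFetcher. Both enclosing methods start and end outside their hunks.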
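Review bot: `getCRLs` gains a `validity` argument in the @@ -90 hunk, but the Javadoc that closes at the `*/` context line is untouched, so this entry point does not say which date governs validation of the CRL issuer's certification path. Add something like `@param validity the time at which the CRL issuer's certification path is validated; {@code null} means the current time`. The private `getCRLs` overload in the @@ -143 hunk takes the same argument without documentation, and the `@param validity` added to `verifyCRL` in the @@ -280 hunk omits the null case. The null-means-now reading assumes `params` in `verifyCRL` is a `PKIXParameters`, whose declaration is outside the hunks.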
@@ -122,7 +122,7 @@
 DistributionPoint point = t.next();
 Collection crls = getCRLs(selector, certImpl, point, reasonsMask, signFlag, prevKey, provider,
- certStores, trustAnchors);
+ certStores, trustAnchors, validity);
 results.addAll(crls);
 }
 if (debug != null) {
@@ -143,7 +143,8 @@
 private Collection getCRLs(X509CRLSelector selector, X509CertImpl certImpl, DistributionPoint point, boolean[] reasonsMask, boolean signFlag, PublicKey prevKey, String provider,
- List certStores, Set trustAnchors) {
+ List certStores, Set trustAnchors,
+ Date validity) {
 // check for full name
 GeneralNames fullName = point.getFullName();
@@ -196,7 +197,7 @@
 selector.setIssuerNames(null);
 if (selector.match(crl) && verifyCRL(certImpl, point, crl, reasonsMask, signFlag, prevKey, provider, trustAnchors,
- certStores)) {
+ certStores, validity)) {
 crls.add(crl);
 }
 } catch (Exception e) {
@@ -280,13 +281,15 @@
 * @param trustAnchors a {@code Set} of {@code TrustAnchor}s
 * @param certStores a {@code List} of {@code CertStore}s to be used in
 * finding certificates and CRLs
+ * @param validity the time for which the validity of the CRL issuer's
+ * certification path should be determined
 * @return true if ok, false if not
 */
 boolean verifyCRL(X509CertImpl certImpl, DistributionPoint point, X509CRL crl, boolean[] reasonsMask, boolean signFlag, PublicKey prevKey, String provider,
- Set trustAnchors,
- List certStores) throws CRLException, IOException {
+ Set trustAnchors, List certStores,
+ Date validity) throws CRLException, IOException {
 boolean indirectCRL = false;
 X509CRLImpl crlImpl = X509CRLImpl.toImpl(crl);
@@ -605,6 +608,7 @@
 }
 params.setCertStores(certStores);
 params.setSigProvider(provider);
+ params.setDate(validity);
 try {
 CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
 PKIXCertPathBuilderResult result =
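Review bot: `params.setDate(validity)` in the @@ -605 hunk changes which CRL issuer certificates are accepted, yet the line carries no comment explaining why. With a validation date in the past, an issuer certificate that has since expired can still yield a valid path. That is presumably the intent given the commit title, so a why-comment would help, e.g. `// validate the CRL issuer's path at the caller's validation date (null = now), not at wall-clock time`. The hunk does not show whether the CRL's own thisUpdate/nextUpdate window is checked against the same date; if that happens elsewhere, the comment should say where, so the issuer path and the CRL are not judged at different instants. `verifyCRL` starts and ends outside this hunk.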