7038175: Expired PKITS certificates causing CertPathBuilder and CertPathValidator regression test failures
authormullan
Thu, 21 Apr 2011 17:39:28 -0400
changeset 9511 8f315e0a7b18
parent 9508 310b4f6c8e61
child 9512 78a4f1f6b88d
7038175: Expired PKITS certificates causing CertPathBuilder and CertPathValidator regression test failures Reviewed-by: xuelei
jdk/src/share/classes/sun/security/provider/certpath/CrlRevocationChecker.java
jdk/src/share/classes/sun/security/provider/certpath/DistributionPointFetcher.java
--- a/jdk/src/share/classes/sun/security/provider/certpath/CrlRevocationChecker.java	Thu Apr 21 19:05:29 2011 +0100
+++ b/jdk/src/share/classes/sun/security/provider/certpath/CrlRevocationChecker.java	Thu Apr 21 17:39:28 2011 -0400
@@ -312,7 +312,8 @@
                 DistributionPointFetcher.getInstance();
             // all CRLs returned by the DP Fetcher have also been verified
             mApprovedCRLs.addAll(store.getCRLs(sel, signFlag, prevKey,
-                mSigProvider, mStores, reasonsMask, trustAnchors));
+                mSigProvider, mStores, reasonsMask, trustAnchors,
+                mParams.getDate()));
         } catch (Exception e) {
             if (debug != null) {
                 debug.println("CrlRevocationChecker.verifyRevocationStatus() "
@@ -769,7 +770,7 @@
                 for (X509CRL crl : crls) {
                     if (dpf.verifyCRL(certImpl, point, crl, reasonsMask,
                             signFlag, prevKey, mSigProvider,
-                            trustAnchors, mStores)) {
+                            trustAnchors, mStores, mParams.getDate())) {
                         results.add(crl);
                     }
                 }
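Review bot: `mParams.getDate()` is now evaluated inside the `for (X509CRL crl : crls)` loop, and `PKIXParameters.getDate()` returns a fresh copy of the date on every call. Reading it once before the loop, e.g. `Date validity = mParams.getDate();` (assuming `java.util.Date` is in scope in this file), and passing `validity` to `dpf.verifyCRL(...)` avoids the repeated copies. It also makes it obvious that every CRL in the batch is checked against the same instant. The first hunk passes the same value to `store.getCRLs(...)`; the enclosing method starts and ends outside this hunk.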
--- a/jdk/src/share/classes/sun/security/provider/certpath/DistributionPointFetcher.java	Thu Apr 21 19:05:29 2011 +0100
+++ b/jdk/src/share/classes/sun/security/provider/certpath/DistributionPointFetcher.java	Thu Apr 21 17:39:28 2011 -0400
@@ -90,8 +90,8 @@
      */
     Collection<X509CRL> getCRLs(X509CRLSelector selector, boolean signFlag,
         PublicKey prevKey, String provider, List<CertStore> certStores,
-        boolean[] reasonsMask,
-        Set<TrustAnchor> trustAnchors) throws CertStoreException {
+        boolean[] reasonsMask, Set<TrustAnchor> trustAnchors,
+        Date validity) throws CertStoreException {
 
         if (USE_CRLDP == false) {
             return Collections.emptySet();
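Review bot: The package-private `getCRLs` gains a `Date validity` parameter, but the only Javadoc change in this commit is on `verifyCRL`. The comment that closes just above this signature is not visible here, so it presumably has no entry for the new argument. Suggest adding `@param validity the time for which the validity of the CRL issuer's certification path should be determined; {@code null} means the current time`. The private `getCRLs` overload changed in a later hunk takes the same parameter and would benefit from the same line. The method body continues outside the hunk.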
@@ -122,7 +122,7 @@
                 DistributionPoint point = t.next();
                 Collection<X509CRL> crls = getCRLs(selector, certImpl,
                     point, reasonsMask, signFlag, prevKey, provider,
-                    certStores, trustAnchors);
+                    certStores, trustAnchors, validity);
                 results.addAll(crls);
             }
             if (debug != null) {
@@ -143,7 +143,8 @@
     private Collection<X509CRL> getCRLs(X509CRLSelector selector,
         X509CertImpl certImpl, DistributionPoint point, boolean[] reasonsMask,
         boolean signFlag, PublicKey prevKey, String provider,
-        List<CertStore> certStores, Set<TrustAnchor> trustAnchors) {
+        List<CertStore> certStores, Set<TrustAnchor> trustAnchors,
+        Date validity) {
 
         // check for full name
         GeneralNames fullName = point.getFullName();
@@ -196,7 +197,7 @@
                 selector.setIssuerNames(null);
                 if (selector.match(crl) && verifyCRL(certImpl, point, crl,
                         reasonsMask, signFlag, prevKey, provider, trustAnchors,
-                        certStores)) {
+                        certStores, validity)) {
                     crls.add(crl);
                 }
             } catch (Exception e) {
@@ -280,13 +281,15 @@
      * @param trustAnchors a {@code Set} of {@code TrustAnchor}s
      * @param certStores a {@code List} of {@code CertStore}s to be used in
      *        finding certificates and CRLs
+     * @param validity the time for which the validity of the CRL issuer's
+     *        certification path should be determined
      * @return true if ok, false if not
      */
     boolean verifyCRL(X509CertImpl certImpl, DistributionPoint point,
         X509CRL crl, boolean[] reasonsMask, boolean signFlag,
         PublicKey prevKey, String provider,
-        Set<TrustAnchor> trustAnchors,
-        List<CertStore> certStores) throws CRLException, IOException {
+        Set<TrustAnchor> trustAnchors, List<CertStore> certStores,
+        Date validity) throws CRLException, IOException {
 
         boolean indirectCRL = false;
         X509CRLImpl crlImpl = X509CRLImpl.toImpl(crl);
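Review bot: The new `@param validity` text does not say whether `null` is accepted, yet the callers in `CrlRevocationChecker` pass `mParams.getDate()` straight through, which is `null` when the application never set a date. The value ends up in `PKIXParameters.setDate`, where `null` selects the current time, so the doc should say so: `... should be determined, or {@code null} to use the current time`. `verifyCRL`'s body continues outside the hunk.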
@@ -605,6 +608,7 @@
             }
             params.setCertStores(certStores);
             params.setSigProvider(provider);
+            params.setDate(validity);
             try {
                 CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
                 PKIXCertPathBuilderResult result =
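Review bot: `params.setDate(validity)` has no comment explaining why the CRL issuer's path is built at the caller's date, which is the security-relevant part of this change. With a date in the past, an issuer certificate that has since expired will be accepted as a CRL signer. Suggest adding `// Validate the CRL issuer's path at the same time as the target path (null = now), not at wall-clock time.` above the call. It is also worth confirming that the CRL's own thisUpdate/nextUpdate check uses the same date, since that code is not part of this diff. The enclosing block starts and ends outside the hunk.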