8013228: Create new system properties to control allowable OCSP clock skew and CRL connection timeout
Reviewed-by: vinnie
--- a/jdk/src/share/classes/sun/security/provider/certpath/CertPathHelper.java Thu Apr 25 11:18:29 2013 -0400
+++ b/jdk/src/share/classes/sun/security/provider/certpath/CertPathHelper.java Thu Apr 25 15:48:11 2013 -0400
@@ -64,7 +64,7 @@
instance.implSetPathToNames(sel, names);
}
- static void setDateAndTime(X509CRLSelector sel, Date date, long skew) {
+ public static void setDateAndTime(X509CRLSelector sel, Date date, long skew) {
instance.implSetDateAndTime(sel, date, skew);
}
}
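Review bot: `setDateAndTime` is made public here with no Javadoc, so callers outside the package get no statement of the unit of `skew` or of what `date` is compared against. A short doc comment would cover it, for example `/** Sets the validity date and the allowed clock skew on the selector; skew is presumably in milliseconds (confirm against implSetDateAndTime). */`. The same applies to `DistributionPointFetcher` and `getCRLs` in the next file, whose existing comment documents none of `signFlag`, `reasonsMask`, `trustAnchors` or `validity`. The callers that need the wider access are not part of this diff, so it would help to name them in the commit description, since these are certificate-path internals.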
--- a/jdk/src/share/classes/sun/security/provider/certpath/DistributionPointFetcher.java Thu Apr 25 11:18:29 2013 -0400
+++ b/jdk/src/share/classes/sun/security/provider/certpath/DistributionPointFetcher.java Thu Apr 25 15:48:11 2013 -0400
@@ -50,7 +50,7 @@
* @author Sean Mullan
* @since 1.4.2
*/
-class DistributionPointFetcher {
+public class DistributionPointFetcher {
private static final Debug debug = Debug.getInstance("certpath");
@@ -66,13 +66,14 @@
* Return the X509CRLs matching this selector. The selector must be
* an X509CRLSelector with certificateChecking set.
*/
- static Collection<X509CRL> getCRLs(X509CRLSelector selector,
- boolean signFlag, PublicKey prevKey,
- String provider,
- List<CertStore> certStores,
- boolean[] reasonsMask,
- Set<TrustAnchor> trustAnchors,
- Date validity)
+ public static Collection<X509CRL> getCRLs(X509CRLSelector selector,
+ boolean signFlag,
+ PublicKey prevKey,
+ String provider,
+ List<CertStore> certStores,
+ boolean[] reasonsMask,
+ Set<TrustAnchor> trustAnchors,
+ Date validity)
throws CertStoreException
{
X509Certificate cert = selector.getCertificateChecking();
--- a/jdk/src/share/classes/sun/security/provider/certpath/OCSPResponse.java Thu Apr 25 11:18:29 2013 -0400
+++ b/jdk/src/share/classes/sun/security/provider/certpath/OCSPResponse.java Thu Apr 25 15:48:11 2013 -0400
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2013, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -43,6 +43,7 @@
import javax.security.auth.x500.X500Principal;
import sun.misc.HexDumpEncoder;
+import sun.security.action.GetIntegerAction;
import sun.security.x509.*;
import sun.security.util.*;
@@ -144,9 +145,31 @@
// Object identifier for the OCSPSigning key purpose
private static final String KP_OCSP_SIGNING_OID = "1.3.6.1.5.5.7.3.9";
- // Maximum clock skew in milliseconds (15 minutes) allowed when checking
- // validity of OCSP responses
- private static final long MAX_CLOCK_SKEW = 900000;
+ // Default maximum clock skew in milliseconds (15 minutes)
+ // allowed when checking validity of OCSP responses
+ private static final int DEFAULT_MAX_CLOCK_SKEW = 900000;
+
+ /**
+ * Integer value indicating the maximum allowable clock skew, in seconds,
+ * to be used for the OCSP check.
+ */
+ private static final int MAX_CLOCK_SKEW = initializeClockSkew();
+
+ /**
+ * Initialize the maximum allowable clock skew by getting the OCSP
+ * clock skew system property. If the property has not been set, or if its
+ * value is negative, set the skew to the default.
+ */
+ private static int initializeClockSkew() {
+ Integer tmp = java.security.AccessController.doPrivileged(
+ new GetIntegerAction("com.sun.security.ocsp.clockSkew"));
+ if (tmp == null || tmp < 0) {
+ return DEFAULT_MAX_CLOCK_SKEW;
+ }
+ // Convert to milliseconds, as the system property will be
+ // specified in seconds
+ return tmp * 1000;
+ }
// an array of all of the CRLReasons (used in SingleResponse)
private static CRLReason[] values = CRLReason.values();
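Review bot: `return tmp * 1000;` in `initializeClockSkew()` is an int multiplication, so a property value above `Integer.MAX_VALUE / 1000` wraps and can produce a negative or arbitrary skew, which the old `long` constant could not. Widening the guard to `if (tmp == null || tmp < 0 || tmp > Integer.MAX_VALUE / 1000) {` makes out-of-range values fall back to the default. The Javadoc on `MAX_CLOCK_SKEW` says "in seconds", but the field holds milliseconds after the conversion and should read "in milliseconds". Both points also apply to `initializeTimeout()` and `CRL_CONNECT_TIMEOUT` in URICertStore.java, where a wrapped negative value would reach `setConnectTimeout`, which rejects negative arguments with an IllegalArgumentException. Because a larger skew lengthens the period in which an out-of-date OCSP response still validates, a documented upper bound on the property is worth considering.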
--- a/jdk/src/share/classes/sun/security/provider/certpath/URICertStore.java Thu Apr 25 11:18:29 2013 -0400
+++ b/jdk/src/share/classes/sun/security/provider/certpath/URICertStore.java Thu Apr 25 15:48:11 2013 -0400
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2006, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2006, 2013, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -51,6 +51,7 @@
import java.util.Collections;
import java.util.List;
import java.util.Locale;
+import sun.security.action.GetIntegerAction;
import sun.security.x509.AccessDescription;
import sun.security.x509.GeneralNameInterface;
import sun.security.x509.URIName;
@@ -121,6 +122,33 @@
private CertStore ldapCertStore;
private String ldapPath;
+ // Default maximum connect timeout in milliseconds (15 seconds)
+ // allowed when downloading CRLs
+ private static final int DEFAULT_CRL_CONNECT_TIMEOUT = 15000;
+
+ /**
+ * Integer value indicating the connect timeout, in seconds, to be
+ * used for the CRL download. A timeout of zero is interpreted as
+ * an infinite timeout.
+ */
+ private static final int CRL_CONNECT_TIMEOUT = initializeTimeout();
+
+ /**
+ * Initialize the timeout length by getting the CRL timeout
+ * system property. If the property has not been set, or if its
+ * value is negative, set the timeout length to the default.
+ */
+ private static int initializeTimeout() {
+ Integer tmp = java.security.AccessController.doPrivileged(
+ new GetIntegerAction("com.sun.security.crl.timeout"));
+ if (tmp == null || tmp < 0) {
+ return DEFAULT_CRL_CONNECT_TIMEOUT;
+ }
+ // Convert to milliseconds, as the system property will be
+ // specified in seconds
+ return tmp * 1000;
+ }
+
/**
* Creates a URICertStore.
*
@@ -364,6 +392,7 @@
connection.setIfModifiedSince(lastModified);
}
long oldLastModified = lastModified;
+ connection.setConnectTimeout(CRL_CONNECT_TIMEOUT);
try (InputStream in = connection.getInputStream()) {
lastModified = connection.getLastModified();
if (oldLastModified != 0) {
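Review bot: The added `setConnectTimeout` call bounds only connection setup, so `connection.getInputStream()` and the CRL read that follows can still block indefinitely if the server accepts the connection and then stalls. Adding `connection.setReadTimeout(CRL_CONNECT_TIMEOUT);` next to the new line would bound the whole fetch, or a separate property could be used if the two limits should differ. The property is named `com.sun.security.crl.timeout`, which suggests an overall limit, and the field Javadoc states that zero means infinite, so the property documentation should say that a value of 0 removes the bound. The enclosing method starts and ends outside this hunk.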