# HG changeset patch
# User mullan
# Date 1366919291 14400
# Node ID c67bf062ca301ee693a02a58ef69cc674172da65
# Parent ebd5b78aebe415196d1dd8060fa092ef2850a072
8013228: Create new system properties to control allowable OCSP clock skew and CRL connection timeout
Reviewed-by: vinnie
diff -r ebd5b78aebe4 -r c67bf062ca30 jdk/src/share/classes/sun/security/provider/certpath/CertPathHelper.java
--- a/jdk/src/share/classes/sun/security/provider/certpath/CertPathHelper.java Thu Apr 25 11:18:29 2013 -0400
+++ b/jdk/src/share/classes/sun/security/provider/certpath/CertPathHelper.java Thu Apr 25 15:48:11 2013 -0400
@@ -64,7 +64,7 @@
 instance.implSetPathToNames(sel, names);
 }
- static void setDateAndTime(X509CRLSelector sel, Date date, long skew) {
+ public static void setDateAndTime(X509CRLSelector sel, Date date, long skew) {
 instance.implSetDateAndTime(sel, date, skew);
 }
 }
diff -r ebd5b78aebe4 -r c67bf062ca30 jdk/src/share/classes/sun/security/provider/certpath/DistributionPointFetcher.java
--- a/jdk/src/share/classes/sun/security/provider/certpath/DistributionPointFetcher.java Thu Apr 25 11:18:29 2013 -0400
+++ b/jdk/src/share/classes/sun/security/provider/certpath/DistributionPointFetcher.java Thu Apr 25 15:48:11 2013 -0400
@@ -50,7 +50,7 @@
 * @author Sean Mullan
 * @since 1.4.2
 */
-class DistributionPointFetcher {
+public class DistributionPointFetcher {
 private static final Debug debug = Debug.getInstance("certpath");
@@ -66,13 +66,14 @@
 * Return the X509CRLs matching this selector. The selector must be
 * an X509CRLSelector with certificateChecking set.
 */
- static Collection getCRLs(X509CRLSelector selector,
- boolean signFlag, PublicKey prevKey,
- String provider,
- List certStores,
- boolean[] reasonsMask,
- Set trustAnchors,
- Date validity)
+ public static Collection getCRLs(X509CRLSelector selector,
+ boolean signFlag,
+ PublicKey prevKey,
+ String provider,
+ List certStores,
+ boolean[] reasonsMask,
+ Set trustAnchors,
+ Date validity)
 throws CertStoreException {
 X509Certificate cert = selector.getCertificateChecking();
diff -r ebd5b78aebe4 -r c67bf062ca30 jdk/src/share/classes/sun/security/provider/certpath/OCSPResponse.java
--- a/jdk/src/share/classes/sun/security/provider/certpath/OCSPResponse.java Thu Apr 25 11:18:29 2013 -0400
+++ b/jdk/src/share/classes/sun/security/provider/certpath/OCSPResponse.java Thu Apr 25 15:48:11 2013 -0400
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2013, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -43,6 +43,7 @@
 import javax.security.auth.x500.X500Principal;
 import sun.misc.HexDumpEncoder;
+import sun.security.action.GetIntegerAction;
 import sun.security.x509.*;
 import sun.security.util.*;
@@ -144,9 +145,31 @@
 // Object identifier for the OCSPSigning key purpose
 private static final String KP_OCSP_SIGNING_OID = "1.3.6.1.5.5.7.3.9";
- // Maximum clock skew in milliseconds (15 minutes) allowed when checking
- // validity of OCSP responses
- private static final long MAX_CLOCK_SKEW = 900000;
+ // Default maximum clock skew in milliseconds (15 minutes)
+ // allowed when checking validity of OCSP responses
+ private static final int DEFAULT_MAX_CLOCK_SKEW = 900000;
+
+ /**
+ * Integer value indicating the maximum allowable clock skew, in seconds,
+ * to be used for the OCSP check.
+ */
+ private static final int MAX_CLOCK_SKEW = initializeClockSkew();
+
+ /**
+ * Initialize the maximum allowable clock skew by getting the OCSP
+ * clock skew system property. If the property has not been set, or if its
+ * value is negative, set the skew to the default.
+ */
+ private static int initializeClockSkew() {
+ Integer tmp = java.security.AccessController.doPrivileged(
+ new GetIntegerAction("com.sun.security.ocsp.clockSkew"));
+ if (tmp == null || tmp < 0) {
+ return DEFAULT_MAX_CLOCK_SKEW;
+ }
+ // Convert to milliseconds, as the system property will be
+ // specified in seconds
+ return tmp * 1000;
+ }
 // an array of all of the CRLReasons (used in SingleResponse)
 private static CRLReason[] values = CRLReason.values();
diff -r ebd5b78aebe4 -r c67bf062ca30 jdk/src/share/classes/sun/security/provider/certpath/URICertStore.java
--- a/jdk/src/share/classes/sun/security/provider/certpath/URICertStore.java Thu Apr 25 11:18:29 2013 -0400
+++ b/jdk/src/share/classes/sun/security/provider/certpath/URICertStore.java Thu Apr 25 15:48:11 2013 -0400
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2006, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2006, 2013, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
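Review bot: `return tmp * 1000;` in initializeClockSkew is evaluated in int arithmetic, so a `com.sun.security.ocsp.clockSkew` of more than 2147483 seconds wraps, possibly to a negative value, even though the `tmp < 0` guard two lines above exists to keep negatives out; the constant being replaced was a `long`. Declaring `private static final long MAX_CLOCK_SKEW = initializeClockSkew();`, making the method `private static long initializeClockSkew()`, and writing `return tmp * 1000L;` removes the wrap, or alternatively treat `tmp > Integer.MAX_VALUE / 1000` like a negative value and fall back to the default. The Javadoc on `MAX_CLOCK_SKEW` says the value is in seconds, but after the conversion the field holds milliseconds; I would change it to `* Maximum allowable clock skew, in milliseconds, applied when checking the validity window of an OCSP response (the com.sun.security.ocsp.clockSkew property is read in seconds).` That comment should also say that a larger skew widens the window in which an old OCSP response is still accepted, since whoever sets the property is trading freshness for tolerance; the code that applies MAX_CLOCK_SKEW is outside this hunk.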
@@ -51,6 +51,7 @@
 import java.util.Collections;
 import java.util.List;
 import java.util.Locale;
+import sun.security.action.GetIntegerAction;
 import sun.security.x509.AccessDescription;
 import sun.security.x509.GeneralNameInterface;
 import sun.security.x509.URIName;
@@ -121,6 +122,33 @@
 private CertStore ldapCertStore;
 private String ldapPath;
+ // Default maximum connect timeout in milliseconds (15 seconds)
+ // allowed when downloading CRLs
+ private static final int DEFAULT_CRL_CONNECT_TIMEOUT = 15000;
+
+ /**
+ * Integer value indicating the connect timeout, in seconds, to be
+ * used for the CRL download. A timeout of zero is interpreted as
+ * an infinite timeout.
+ */
+ private static final int CRL_CONNECT_TIMEOUT = initializeTimeout();
+
+ /**
+ * Initialize the timeout length by getting the CRL timeout
+ * system property. If the property has not been set, or if its
+ * value is negative, set the timeout length to the default.
+ */
+ private static int initializeTimeout() {
+ Integer tmp = java.security.AccessController.doPrivileged(
+ new GetIntegerAction("com.sun.security.crl.timeout"));
+ if (tmp == null || tmp < 0) {
+ return DEFAULT_CRL_CONNECT_TIMEOUT;
+ }
+ // Convert to milliseconds, as the system property will be
+ // specified in seconds
+ return tmp * 1000;
+ }
+
 /**
 * Creates a URICertStore.
 *
@@ -364,6 +392,7 @@
 connection.setIfModifiedSince(lastModified);
 }
 long oldLastModified = lastModified;
+ connection.setConnectTimeout(CRL_CONNECT_TIMEOUT);
 try (InputStream in = connection.getInputStream()) {
 lastModified = connection.getLastModified();
 if (oldLastModified != 0) {
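Review bot: `return tmp * 1000;` in initializeTimeout overflows int for a `com.sun.security.crl.timeout` above 2147483 seconds, and the wrapped value can be negative, which `URLConnection.setConnectTimeout` is documented to reject with an IllegalArgumentException, so a mis-set property would break CRL fetching instead of falling back to the default the Javadoc promises. Treating an out-of-range value like a negative one, `if (tmp == null || tmp < 0 || tmp > Integer.MAX_VALUE / 1000) {`, keeps that fallback. The Javadoc on `CRL_CONNECT_TIMEOUT` says 'in seconds' while the field holds milliseconds after conversion; I would write `* Connect timeout, in milliseconds, for CRL downloads; read from com.sun.security.crl.timeout, which is given in seconds. Zero means no timeout.` Because an explicit 0 disables the bound entirely, that doc line should also warn that it reintroduces the unbounded connect this property was presumably added to prevent.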
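Review bot: `connection.setConnectTimeout(CRL_CONNECT_TIMEOUT);` bounds only the TCP connect; the read through `connection.getInputStream()` on the next line carries no read timeout as far as this hunk shows, so a CRL server that accepts the connection and then stalls, or trickles the body, still blocks certificate path validation indefinitely, which is the hang the connect timeout is presumably meant to limit. Adding `connection.setReadTimeout(CRL_CONNECT_TIMEOUT);` beside it, or a second property for the read bound, would close that gap. The enclosing method starts and ends outside the hunk, so I cannot see whether a read timeout is set elsewhere on this connection.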