Mercurial Mercurial > jdk-sandbox / changeset
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
6787645: CRL validation code should permit some clock skew when checking validity of CRLs
authormullan
Mon, 20 Jul 2009 17:16:34 -0400
changeset 3314 1e9d33caef08
parent 3313 0d2503de51fe
child 3315 2c61231c7973
child 3473 b9abeee84734
6787645: CRL validation code should permit some clock skew when checking validity of CRLs Reviewed-by: vinnie
jdk/src/share/classes/java/security/cert/CertPathHelperImpl.java file | annotate | diff | comparison | revisions
jdk/src/share/classes/java/security/cert/X509CRLSelector.java file | annotate | diff | comparison | revisions
jdk/src/share/classes/sun/security/provider/certpath/CertPathHelper.java file | annotate | diff | comparison | revisions
jdk/src/share/classes/sun/security/provider/certpath/CrlRevocationChecker.java file | annotate | diff | comparison | revisions
jdk/src/share/classes/sun/security/provider/certpath/OCSPResponse.java file | annotate | diff | comparison | revisions 
--- a/jdk/src/share/classes/java/security/cert/CertPathHelperImpl.java	Fri Jul 17 09:14:29 2009 -0700
+++ b/jdk/src/share/classes/java/security/cert/CertPathHelperImpl.java	Mon Jul 20 17:16:34 2009 -0400
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2006 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 2002-2009 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -46,7 +46,7 @@
     /**
      * Initialize the helper framework. This method must be called from
      * the static initializer of each class that is the target of one of
-     * the methods in this class. This ensures that the helper if initialized
+     * the methods in this class. This ensures that the helper is initialized
      * prior to a tunneled call from the Sun provider.
      */
     synchronized static void initialize() {
@@ -59,4 +59,8 @@
             Set<GeneralNameInterface> names) {
         sel.setPathToNamesInternal(names);
     }
+
+    protected void implSetDateAndTime(X509CRLSelector sel, Date date, long skew) {
+        sel.setDateAndTime(date, skew);
+    }
 }
--- a/jdk/src/share/classes/java/security/cert/X509CRLSelector.java	Fri Jul 17 09:14:29 2009 -0700
+++ b/jdk/src/share/classes/java/security/cert/X509CRLSelector.java	Mon Jul 20 17:16:34 2009 -0400
@@ -1,5 +1,5 @@
 /*
- * Copyright 2000-2006 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 2000-2009 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -72,6 +72,10 @@
  */
 public class X509CRLSelector implements CRLSelector {
 
+    static {
+        CertPathHelperImpl.initialize();
+    }
+
     private static final Debug debug = Debug.getInstance("certpath");
     private HashSet<Object> issuerNames;
     private HashSet<X500Principal> issuerX500Principals;
@@ -79,6 +83,7 @@
     private BigInteger maxCRL;
     private Date dateAndTime;
     private X509Certificate certChecking;
+    private long skew = 0;
 
     /**
      * Creates an <code>X509CRLSelector</code>. Initially, no criteria are set
@@ -417,7 +422,18 @@
         if (dateAndTime == null)
             this.dateAndTime = null;
         else
-            this.dateAndTime = (Date) dateAndTime.clone();
+            this.dateAndTime = new Date(dateAndTime.getTime());
+        this.skew = 0;
+    }
+
+    /**
+     * Sets the dateAndTime criterion and allows for the specified clock skew
+     * (in milliseconds) when checking against the validity period of the CRL.
+     */
+    void setDateAndTime(Date dateAndTime, long skew) {
+        this.dateAndTime =
+            (dateAndTime == null ? null : new Date(dateAndTime.getTime()));
+        this.skew = skew;
     }
 
     /**
@@ -657,8 +673,14 @@
                 }
                 return false;
             }
-            if (crlThisUpdate.after(dateAndTime)
-                  || nextUpdate.before(dateAndTime)) {
+            Date nowPlusSkew = dateAndTime;
+            Date nowMinusSkew = dateAndTime;
+            if (skew > 0) {
+                nowPlusSkew = new Date(dateAndTime.getTime() + skew);
+                nowMinusSkew = new Date(dateAndTime.getTime() - skew);
+            }
+            if (nowMinusSkew.after(nextUpdate)
+                || nowPlusSkew.before(crlThisUpdate)) {
                 if (debug != null) {
                     debug.println("X509CRLSelector.match: update out of range");
                 }
--- a/jdk/src/share/classes/sun/security/provider/certpath/CertPathHelper.java	Fri Jul 17 09:14:29 2009 -0700
+++ b/jdk/src/share/classes/sun/security/provider/certpath/CertPathHelper.java	Mon Jul 20 17:16:34 2009 -0400
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2006 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 2002-2009 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -25,9 +25,11 @@
 
 package sun.security.provider.certpath;
 
+import java.util.Date;
 import java.util.Set;
 
 import java.security.cert.X509CertSelector;
+import java.security.cert.X509CRLSelector;
 
 import sun.security.x509.GeneralNameInterface;
 
@@ -55,8 +57,14 @@
     protected abstract void implSetPathToNames(X509CertSelector sel,
             Set<GeneralNameInterface> names);
 
+    protected abstract void implSetDateAndTime(X509CRLSelector sel, Date date, long skew);
+
     static void setPathToNames(X509CertSelector sel,
             Set<GeneralNameInterface> names) {
         instance.implSetPathToNames(sel, names);
     }
+
+    static void setDateAndTime(X509CRLSelector sel, Date date, long skew) {
+        instance.implSetDateAndTime(sel, date, skew);
+    }
 }
--- a/jdk/src/share/classes/sun/security/provider/certpath/CrlRevocationChecker.java	Fri Jul 17 09:14:29 2009 -0700
+++ b/jdk/src/share/classes/sun/security/provider/certpath/CrlRevocationChecker.java	Mon Jul 20 17:16:34 2009 -0400
@@ -1,5 +1,5 @@
 /*
- * Copyright 2000-2008 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 2000-2009 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -81,6 +81,10 @@
     private static final boolean[] ALL_REASONS =
         {true, true, true, true, true, true, true, true, true};
 
+    // Maximum clock skew in milliseconds (15 minutes) allowed when checking
+    // validity of CRLs
+    private static final long MAX_CLOCK_SKEW = 900000;
+
     /**
      * Creates a <code>CrlRevocationChecker</code>.
      *
@@ -281,7 +285,7 @@
         try {
             X509CRLSelector sel = new X509CRLSelector();
             sel.setCertificateChecking(currCert);
-            sel.setDateAndTime(mCurrentTime);
+            CertPathHelper.setDateAndTime(sel, mCurrentTime, MAX_CLOCK_SKEW);
 
             for (CertStore mStore : mStores) {
                 for (java.security.cert.CRL crl : mStore.getCRLs(sel)) {
--- a/jdk/src/share/classes/sun/security/provider/certpath/OCSPResponse.java	Fri Jul 17 09:14:29 2009 -0700
+++ b/jdk/src/share/classes/sun/security/provider/certpath/OCSPResponse.java	Mon Jul 20 17:16:34 2009 -0400
@@ -149,9 +149,9 @@
 
     private SingleResponse singleResponse;
 
-    // Maximum clock skew in milliseconds (10 minutes) allowed when checking
+    // Maximum clock skew in milliseconds (15 minutes) allowed when checking
     // validity of OCSP responses
-    private static final long MAX_CLOCK_SKEW = 600000;
+    private static final long MAX_CLOCK_SKEW = 900000;
 
     // an array of all of the CRLReasons (used in SingleResponse)
     private static CRLReason[] values = CRLReason.values();
jdk-sandbox