7038175: Expired PKITS certificates causing CertPathBuilder and CertPathValidator regression test failures
Reviewed-by: xuelei
--- a/jdk/src/share/classes/sun/security/provider/certpath/CrlRevocationChecker.java Thu Apr 21 19:05:29 2011 +0100
+++ b/jdk/src/share/classes/sun/security/provider/certpath/CrlRevocationChecker.java Thu Apr 21 17:39:28 2011 -0400
@@ -312,7 +312,8 @@
DistributionPointFetcher.getInstance();
// all CRLs returned by the DP Fetcher have also been verified
mApprovedCRLs.addAll(store.getCRLs(sel, signFlag, prevKey,
- mSigProvider, mStores, reasonsMask, trustAnchors));
+ mSigProvider, mStores, reasonsMask, trustAnchors,
+ mParams.getDate()));
} catch (Exception e) {
if (debug != null) {
debug.println("CrlRevocationChecker.verifyRevocationStatus() "
@@ -769,7 +770,7 @@
for (X509CRL crl : crls) {
if (dpf.verifyCRL(certImpl, point, crl, reasonsMask,
signFlag, prevKey, mSigProvider,
- trustAnchors, mStores)) {
+ trustAnchors, mStores, mParams.getDate())) {
results.add(crl);
}
}
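Review bot: `mParams.getDate()` is evaluated inside the `for (X509CRL crl : crls)` loop, and PKIXParameters.getDate() returns a fresh copy of the date on every call, so each CRL costs an extra allocation for a value that is not expected to change while the loop runs. Reading it once before the loop, `Date validity = mParams.getDate();`, and passing `validity` to `dpf.verifyCRL(...)` also makes it obvious that every CRL in the batch is checked against the same instant. The enclosing method starts and ends outside the hunk.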
--- a/jdk/src/share/classes/sun/security/provider/certpath/DistributionPointFetcher.java Thu Apr 21 19:05:29 2011 +0100
+++ b/jdk/src/share/classes/sun/security/provider/certpath/DistributionPointFetcher.java Thu Apr 21 17:39:28 2011 -0400
@@ -90,8 +90,8 @@
*/
Collection<X509CRL> getCRLs(X509CRLSelector selector, boolean signFlag,
PublicKey prevKey, String provider, List<CertStore> certStores,
- boolean[] reasonsMask,
- Set<TrustAnchor> trustAnchors) throws CertStoreException {
+ boolean[] reasonsMask, Set<TrustAnchor> trustAnchors,
+ Date validity) throws CertStoreException {
if (USE_CRLDP == false) {
return Collections.emptySet();
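Review bot: The new `Date validity` parameter on `getCRLs` has no visible Javadoc: the comment block closing at `*/` just above the signature is not touched by this patch, so it presumably still lacks a `@param validity` entry. I would add `@param validity the time for which the validity of the CRL issuer's certification path should be determined, or {@code null} for the current time`, since the callers pass `mParams.getDate()`, which is null when no date was set. The `@param validity` text added for `verifyCRL` in the `@@ -280` hunk would benefit from the same `null` clause. The Javadoc and the rest of the method body lie outside the hunk.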
@@ -122,7 +122,7 @@
DistributionPoint point = t.next();
Collection<X509CRL> crls = getCRLs(selector, certImpl,
point, reasonsMask, signFlag, prevKey, provider,
- certStores, trustAnchors);
+ certStores, trustAnchors, validity);
results.addAll(crls);
}
if (debug != null) {
@@ -143,7 +143,8 @@
private Collection<X509CRL> getCRLs(X509CRLSelector selector,
X509CertImpl certImpl, DistributionPoint point, boolean[] reasonsMask,
boolean signFlag, PublicKey prevKey, String provider,
- List<CertStore> certStores, Set<TrustAnchor> trustAnchors) {
+ List<CertStore> certStores, Set<TrustAnchor> trustAnchors,
+ Date validity) {
// check for full name
GeneralNames fullName = point.getFullName();
@@ -196,7 +197,7 @@
selector.setIssuerNames(null);
if (selector.match(crl) && verifyCRL(certImpl, point, crl,
reasonsMask, signFlag, prevKey, provider, trustAnchors,
- certStores)) {
+ certStores, validity)) {
crls.add(crl);
}
} catch (Exception e) {
@@ -280,13 +281,15 @@
* @param trustAnchors a {@code Set} of {@code TrustAnchor}s
* @param certStores a {@code List} of {@code CertStore}s to be used in
* finding certificates and CRLs
+ * @param validity the time for which the validity of the CRL issuer's
+ * certification path should be determined
* @return true if ok, false if not
*/
boolean verifyCRL(X509CertImpl certImpl, DistributionPoint point,
X509CRL crl, boolean[] reasonsMask, boolean signFlag,
PublicKey prevKey, String provider,
- Set<TrustAnchor> trustAnchors,
- List<CertStore> certStores) throws CRLException, IOException {
+ Set<TrustAnchor> trustAnchors, List<CertStore> certStores,
+ Date validity) throws CRLException, IOException {
boolean indirectCRL = false;
X509CRLImpl crlImpl = X509CRLImpl.toImpl(crl);
@@ -605,6 +608,7 @@
}
params.setCertStores(certStores);
params.setSigProvider(provider);
+ params.setDate(validity);
try {
CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
PKIXCertPathBuilderResult result =
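Review bot: `params.setDate(validity)` pins only the certification-path build for the CRL issuer to the caller's date; whether the CRL's own thisUpdate/nextUpdate window is checked against the same instant is not visible in this hunk and should be confirmed, because a mismatch would let one check run at a historical date and the other at the current time. A short comment would record the intent: `// validate the CRL issuer's path at the caller's validation date (null = current time)`. A regression test that runs the same CRL issuer certificate once with a date inside its validity period and once with a date after its expiry would pin both outcomes. The surrounding method starts and ends outside the hunk.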