6787645: CRL validation code should permit some clock skew when checking validity of CRLs
Reviewed-by: vinnie
This commit is contained in:
parent
c3f366cc5a
commit
31eb8dfb51
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2006 Sun Microsystems, Inc. All Rights Reserved.
|
||||
* Copyright 2002-2009 Sun Microsystems, Inc. All Rights Reserved.
|
||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||
*
|
||||
* This code is free software; you can redistribute it and/or modify it
|
||||
@ -46,7 +46,7 @@ class CertPathHelperImpl extends CertPathHelper {
|
||||
/**
|
||||
* Initialize the helper framework. This method must be called from
|
||||
* the static initializer of each class that is the target of one of
|
||||
* the methods in this class. This ensures that the helper if initialized
|
||||
* the methods in this class. This ensures that the helper is initialized
|
||||
* prior to a tunneled call from the Sun provider.
|
||||
*/
|
||||
synchronized static void initialize() {
|
||||
@ -59,4 +59,8 @@ class CertPathHelperImpl extends CertPathHelper {
|
||||
Set<GeneralNameInterface> names) {
|
||||
sel.setPathToNamesInternal(names);
|
||||
}
|
||||
|
||||
protected void implSetDateAndTime(X509CRLSelector sel, Date date, long skew) {
|
||||
sel.setDateAndTime(date, skew);
|
||||
}
|
||||
}
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2000-2006 Sun Microsystems, Inc. All Rights Reserved.
|
||||
* Copyright 2000-2009 Sun Microsystems, Inc. All Rights Reserved.
|
||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||
*
|
||||
* This code is free software; you can redistribute it and/or modify it
|
||||
@ -72,6 +72,10 @@ import sun.security.x509.X500Name;
|
||||
*/
|
||||
public class X509CRLSelector implements CRLSelector {
|
||||
|
||||
static {
|
||||
CertPathHelperImpl.initialize();
|
||||
}
|
||||
|
||||
private static final Debug debug = Debug.getInstance("certpath");
|
||||
private HashSet<Object> issuerNames;
|
||||
private HashSet<X500Principal> issuerX500Principals;
|
||||
@ -79,6 +83,7 @@ public class X509CRLSelector implements CRLSelector {
|
||||
private BigInteger maxCRL;
|
||||
private Date dateAndTime;
|
||||
private X509Certificate certChecking;
|
||||
private long skew = 0;
|
||||
|
||||
/**
|
||||
* Creates an <code>X509CRLSelector</code>. Initially, no criteria are set
|
||||
@ -417,7 +422,18 @@ public class X509CRLSelector implements CRLSelector {
|
||||
if (dateAndTime == null)
|
||||
this.dateAndTime = null;
|
||||
else
|
||||
this.dateAndTime = (Date) dateAndTime.clone();
|
||||
this.dateAndTime = new Date(dateAndTime.getTime());
|
||||
this.skew = 0;
|
||||
}
|
||||
|
||||
/**
|
||||
* Sets the dateAndTime criterion and allows for the specified clock skew
|
||||
* (in milliseconds) when checking against the validity period of the CRL.
|
||||
*/
|
||||
void setDateAndTime(Date dateAndTime, long skew) {
|
||||
this.dateAndTime =
|
||||
(dateAndTime == null ? null : new Date(dateAndTime.getTime()));
|
||||
this.skew = skew;
|
||||
}
|
||||
|
||||
/**
|
||||
@ -657,8 +673,14 @@ public class X509CRLSelector implements CRLSelector {
|
||||
}
|
||||
return false;
|
||||
}
|
||||
if (crlThisUpdate.after(dateAndTime)
|
||||
|| nextUpdate.before(dateAndTime)) {
|
||||
Date nowPlusSkew = dateAndTime;
|
||||
Date nowMinusSkew = dateAndTime;
|
||||
if (skew > 0) {
|
||||
nowPlusSkew = new Date(dateAndTime.getTime() + skew);
|
||||
nowMinusSkew = new Date(dateAndTime.getTime() - skew);
|
||||
}
|
||||
if (nowMinusSkew.after(nextUpdate)
|
||||
|| nowPlusSkew.before(crlThisUpdate)) {
|
||||
if (debug != null) {
|
||||
debug.println("X509CRLSelector.match: update out of range");
|
||||
}
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2006 Sun Microsystems, Inc. All Rights Reserved.
|
||||
* Copyright 2002-2009 Sun Microsystems, Inc. All Rights Reserved.
|
||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||
*
|
||||
* This code is free software; you can redistribute it and/or modify it
|
||||
@ -25,9 +25,11 @@
|
||||
|
||||
package sun.security.provider.certpath;
|
||||
|
||||
import java.util.Date;
|
||||
import java.util.Set;
|
||||
|
||||
import java.security.cert.X509CertSelector;
|
||||
import java.security.cert.X509CRLSelector;
|
||||
|
||||
import sun.security.x509.GeneralNameInterface;
|
||||
|
||||
@ -55,8 +57,14 @@ public abstract class CertPathHelper {
|
||||
protected abstract void implSetPathToNames(X509CertSelector sel,
|
||||
Set<GeneralNameInterface> names);
|
||||
|
||||
protected abstract void implSetDateAndTime(X509CRLSelector sel, Date date, long skew);
|
||||
|
||||
static void setPathToNames(X509CertSelector sel,
|
||||
Set<GeneralNameInterface> names) {
|
||||
instance.implSetPathToNames(sel, names);
|
||||
}
|
||||
|
||||
static void setDateAndTime(X509CRLSelector sel, Date date, long skew) {
|
||||
instance.implSetDateAndTime(sel, date, skew);
|
||||
}
|
||||
}
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2000-2008 Sun Microsystems, Inc. All Rights Reserved.
|
||||
* Copyright 2000-2009 Sun Microsystems, Inc. All Rights Reserved.
|
||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||
*
|
||||
* This code is free software; you can redistribute it and/or modify it
|
||||
@ -81,6 +81,10 @@ class CrlRevocationChecker extends PKIXCertPathChecker {
|
||||
private static final boolean[] ALL_REASONS =
|
||||
{true, true, true, true, true, true, true, true, true};
|
||||
|
||||
// Maximum clock skew in milliseconds (15 minutes) allowed when checking
|
||||
// validity of CRLs
|
||||
private static final long MAX_CLOCK_SKEW = 900000;
|
||||
|
||||
/**
|
||||
* Creates a <code>CrlRevocationChecker</code>.
|
||||
*
|
||||
@ -281,7 +285,7 @@ class CrlRevocationChecker extends PKIXCertPathChecker {
|
||||
try {
|
||||
X509CRLSelector sel = new X509CRLSelector();
|
||||
sel.setCertificateChecking(currCert);
|
||||
sel.setDateAndTime(mCurrentTime);
|
||||
CertPathHelper.setDateAndTime(sel, mCurrentTime, MAX_CLOCK_SKEW);
|
||||
|
||||
for (CertStore mStore : mStores) {
|
||||
for (java.security.cert.CRL crl : mStore.getCRLs(sel)) {
|
||||
|
@ -149,9 +149,9 @@ class OCSPResponse {
|
||||
|
||||
private SingleResponse singleResponse;
|
||||
|
||||
// Maximum clock skew in milliseconds (10 minutes) allowed when checking
|
||||
// Maximum clock skew in milliseconds (15 minutes) allowed when checking
|
||||
// validity of OCSP responses
|
||||
private static final long MAX_CLOCK_SKEW = 600000;
|
||||
private static final long MAX_CLOCK_SKEW = 900000;
|
||||
|
||||
// an array of all of the CRLReasons (used in SingleResponse)
|
||||
private static CRLReason[] values = CRLReason.values();
|
||||
|
Loading…
x
Reference in New Issue
Block a user