6787645: CRL validation code should permit some clock skew when checking validity of CRLs

Reviewed-by: vinnie
This commit is contained in:
Sean Mullan 2009-07-20 17:16:34 -04:00
parent c3f366cc5a
commit 31eb8dfb51
5 changed files with 49 additions and 11 deletions

View File

@ -1,5 +1,5 @@
/*
* Copyright 2002-2006 Sun Microsystems, Inc. All Rights Reserved.
* Copyright 2002-2009 Sun Microsystems, Inc. All Rights Reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -46,7 +46,7 @@ class CertPathHelperImpl extends CertPathHelper {
/**
* Initialize the helper framework. This method must be called from
* the static initializer of each class that is the target of one of
* the methods in this class. This ensures that the helper if initialized
* the methods in this class. This ensures that the helper is initialized
* prior to a tunneled call from the Sun provider.
*/
synchronized static void initialize() {
@ -59,4 +59,8 @@ class CertPathHelperImpl extends CertPathHelper {
Set<GeneralNameInterface> names) {
sel.setPathToNamesInternal(names);
}
protected void implSetDateAndTime(X509CRLSelector sel, Date date, long skew) {
sel.setDateAndTime(date, skew);
}
}

View File

@ -1,5 +1,5 @@
/*
* Copyright 2000-2006 Sun Microsystems, Inc. All Rights Reserved.
* Copyright 2000-2009 Sun Microsystems, Inc. All Rights Reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -72,6 +72,10 @@ import sun.security.x509.X500Name;
*/
public class X509CRLSelector implements CRLSelector {
static {
CertPathHelperImpl.initialize();
}
private static final Debug debug = Debug.getInstance("certpath");
private HashSet<Object> issuerNames;
private HashSet<X500Principal> issuerX500Principals;
@ -79,6 +83,7 @@ public class X509CRLSelector implements CRLSelector {
private BigInteger maxCRL;
private Date dateAndTime;
private X509Certificate certChecking;
private long skew = 0;
/**
* Creates an <code>X509CRLSelector</code>. Initially, no criteria are set
@ -417,7 +422,18 @@ public class X509CRLSelector implements CRLSelector {
if (dateAndTime == null)
this.dateAndTime = null;
else
this.dateAndTime = (Date) dateAndTime.clone();
this.dateAndTime = new Date(dateAndTime.getTime());
this.skew = 0;
}
/**
* Sets the dateAndTime criterion and allows for the specified clock skew
* (in milliseconds) when checking against the validity period of the CRL.
*/
void setDateAndTime(Date dateAndTime, long skew) {
this.dateAndTime =
(dateAndTime == null ? null : new Date(dateAndTime.getTime()));
this.skew = skew;
}
/**
@ -657,8 +673,14 @@ public class X509CRLSelector implements CRLSelector {
}
return false;
}
if (crlThisUpdate.after(dateAndTime)
|| nextUpdate.before(dateAndTime)) {
Date nowPlusSkew = dateAndTime;
Date nowMinusSkew = dateAndTime;
if (skew > 0) {
nowPlusSkew = new Date(dateAndTime.getTime() + skew);
nowMinusSkew = new Date(dateAndTime.getTime() - skew);
}
if (nowMinusSkew.after(nextUpdate)
|| nowPlusSkew.before(crlThisUpdate)) {
if (debug != null) {
debug.println("X509CRLSelector.match: update out of range");
}

View File

@ -1,5 +1,5 @@
/*
* Copyright 2002-2006 Sun Microsystems, Inc. All Rights Reserved.
* Copyright 2002-2009 Sun Microsystems, Inc. All Rights Reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -25,9 +25,11 @@
package sun.security.provider.certpath;
import java.util.Date;
import java.util.Set;
import java.security.cert.X509CertSelector;
import java.security.cert.X509CRLSelector;
import sun.security.x509.GeneralNameInterface;
@ -55,8 +57,14 @@ public abstract class CertPathHelper {
protected abstract void implSetPathToNames(X509CertSelector sel,
Set<GeneralNameInterface> names);
protected abstract void implSetDateAndTime(X509CRLSelector sel, Date date, long skew);
static void setPathToNames(X509CertSelector sel,
Set<GeneralNameInterface> names) {
instance.implSetPathToNames(sel, names);
}
static void setDateAndTime(X509CRLSelector sel, Date date, long skew) {
instance.implSetDateAndTime(sel, date, skew);
}
}

View File

@ -1,5 +1,5 @@
/*
* Copyright 2000-2008 Sun Microsystems, Inc. All Rights Reserved.
* Copyright 2000-2009 Sun Microsystems, Inc. All Rights Reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -81,6 +81,10 @@ class CrlRevocationChecker extends PKIXCertPathChecker {
private static final boolean[] ALL_REASONS =
{true, true, true, true, true, true, true, true, true};
// Maximum clock skew in milliseconds (15 minutes) allowed when checking
// validity of CRLs
private static final long MAX_CLOCK_SKEW = 900000;
/**
* Creates a <code>CrlRevocationChecker</code>.
*
@ -281,7 +285,7 @@ class CrlRevocationChecker extends PKIXCertPathChecker {
try {
X509CRLSelector sel = new X509CRLSelector();
sel.setCertificateChecking(currCert);
sel.setDateAndTime(mCurrentTime);
CertPathHelper.setDateAndTime(sel, mCurrentTime, MAX_CLOCK_SKEW);
for (CertStore mStore : mStores) {
for (java.security.cert.CRL crl : mStore.getCRLs(sel)) {

View File

@ -149,9 +149,9 @@ class OCSPResponse {
private SingleResponse singleResponse;
// Maximum clock skew in milliseconds (10 minutes) allowed when checking
// Maximum clock skew in milliseconds (15 minutes) allowed when checking
// validity of OCSP responses
private static final long MAX_CLOCK_SKEW = 600000;
private static final long MAX_CLOCK_SKEW = 900000;
// an array of all of the CRLReasons (used in SingleResponse)
private static CRLReason[] values = CRLReason.values();