6787645: CRL validation code should permit some clock skew when checking validity of CRLs

Reviewed-by: vinnie

6787645: CRL validation code should permit some clock skew when checking validity of CRLs
Reviewed-by: vinnie
d882736a · mullan · d786f271 · d882736a · d882736a · d882736a
5 changed file
--- a/src/share/classes/java/security/cert/CertPathHelperImpl.java
+++ b/src/share/classes/java/security/cert/CertPathHelperImpl.java
 /*
- * Copyright 2002-2006 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 2002-2009 Sun Microsystems, Inc.  All Rights Reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -46,7 +46,7 @@ class CertPathHelperImpl extends CertPathHelper {
    /**
     * Initialize the helper framework. This method must be called from
     * the static initializer of each class that is the target of one of
-     * the methods in this class. This ensures that the helper if initialized
+     * the methods in this class. This ensures that the helper is initialized
     * prior to a tunneled call from the Sun provider.
     */
    synchronized static void initialize() {
@@ -59,4 +59,8 @@ class CertPathHelperImpl extends CertPathHelper {
            Set<GeneralNameInterface> names) {
        sel.setPathToNamesInternal(names);
    }
+
+    protected void implSetDateAndTime(X509CRLSelector sel, Date date, long skew) {
+        sel.setDateAndTime(date, skew);
+    }
 }
--- a/src/share/classes/java/security/cert/X509CRLSelector.java
+++ b/src/share/classes/java/security/cert/X509CRLSelector.java
 /*
- * Copyright 2000-2006 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 2000-2009 Sun Microsystems, Inc.  All Rights Reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -72,6 +72,10 @@ import sun.security.x509.X500Name;
 */
 public class X509CRLSelector implements CRLSelector {

+    static {
+        CertPathHelperImpl.initialize();
+    }
+
    private static final Debug debug = Debug.getInstance("certpath");
    private HashSet<Object> issuerNames;
    private HashSet<X500Principal> issuerX500Principals;
@@ -79,6 +83,7 @@ public class X509CRLSelector implements CRLSelector {
    private BigInteger maxCRL;
    private Date dateAndTime;
    private X509Certificate certChecking;
+    private long skew = 0;

    /**
     * Creates an <code>X509CRLSelector</code>. Initially, no criteria are set
@@ -417,7 +422,18 @@ public class X509CRLSelector implements CRLSelector {
        if (dateAndTime == null)
            this.dateAndTime = null;
        else
-            this.dateAndTime = (Date) dateAndTime.clone();
+            this.dateAndTime = new Date(dateAndTime.getTime());
+        this.skew = 0;
+    }
+
+    /**
+     * Sets the dateAndTime criterion and allows for the specified clock skew
+     * (in milliseconds) when checking against the validity period of the CRL.
+     */
+    void setDateAndTime(Date dateAndTime, long skew) {
+        this.dateAndTime =
+            (dateAndTime == null ? null : new Date(dateAndTime.getTime()));
+        this.skew = skew;
    }

    /**
@@ -657,8 +673,14 @@ public class X509CRLSelector implements CRLSelector {
                }
                return false;
            }
-            if (crlThisUpdate.after(dateAndTime)
-                  || nextUpdate.before(dateAndTime)) {
+            Date nowPlusSkew = dateAndTime;
+            Date nowMinusSkew = dateAndTime;
+            if (skew > 0) {
+                nowPlusSkew = new Date(dateAndTime.getTime() + skew);
+                nowMinusSkew = new Date(dateAndTime.getTime() - skew);
+            }
+            if (nowMinusSkew.after(nextUpdate)
+                || nowPlusSkew.before(crlThisUpdate)) {
                if (debug != null) {
                    debug.println("X509CRLSelector.match: update out of range");
                }

--- a/src/share/classes/sun/security/provider/certpath/CertPathHelper.java
+++ b/src/share/classes/sun/security/provider/certpath/CertPathHelper.java
 /*
- * Copyright 2002-2006 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 2002-2009 Sun Microsystems, Inc.  All Rights Reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -25,9 +25,11 @@

 package sun.security.provider.certpath;

+import java.util.Date;
 import java.util.Set;

 import java.security.cert.X509CertSelector;
+import java.security.cert.X509CRLSelector;

 import sun.security.x509.GeneralNameInterface;

@@ -55,8 +57,14 @@ public abstract class CertPathHelper {
    protected abstract void implSetPathToNames(X509CertSelector sel,
            Set<GeneralNameInterface> names);

+    protected abstract void implSetDateAndTime(X509CRLSelector sel, Date date, long skew);
+
    static void setPathToNames(X509CertSelector sel,
            Set<GeneralNameInterface> names) {
        instance.implSetPathToNames(sel, names);
    }
+
+    static void setDateAndTime(X509CRLSelector sel, Date date, long skew) {
+        instance.implSetDateAndTime(sel, date, skew);
+    }
 }
--- a/src/share/classes/sun/security/provider/certpath/CrlRevocationChecker.java
+++ b/src/share/classes/sun/security/provider/certpath/CrlRevocationChecker.java
 /*
- * Copyright 2000-2008 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 2000-2009 Sun Microsystems, Inc.  All Rights Reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -81,6 +81,10 @@ class CrlRevocationChecker extends PKIXCertPathChecker {
    private static final boolean[] ALL_REASONS =
        {true, true, true, true, true, true, true, true, true};

+    // Maximum clock skew in milliseconds (15 minutes) allowed when checking
+    // validity of CRLs
+    private static final long MAX_CLOCK_SKEW = 900000;
+
    /**
     * Creates a <code>CrlRevocationChecker</code>.
     *
@@ -281,7 +285,7 @@ class CrlRevocationChecker extends PKIXCertPathChecker {
        try {
            X509CRLSelector sel = new X509CRLSelector();
            sel.setCertificateChecking(currCert);
-            sel.setDateAndTime(mCurrentTime);
+            CertPathHelper.setDateAndTime(sel, mCurrentTime, MAX_CLOCK_SKEW);

            for (CertStore mStore : mStores) {
                for (java.security.cert.CRL crl : mStore.getCRLs(sel)) {

--- a/src/share/classes/sun/security/provider/certpath/OCSPResponse.java
+++ b/src/share/classes/sun/security/provider/certpath/OCSPResponse.java
@@ -149,9 +149,9 @@ class OCSPResponse {

    private SingleResponse singleResponse;

-    // Maximum clock skew in milliseconds (10 minutes) allowed when checking
+    // Maximum clock skew in milliseconds (15 minutes) allowed when checking
    // validity of OCSP responses
-    private static final long MAX_CLOCK_SKEW = 600000;
+    private static final long MAX_CLOCK_SKEW = 900000;

    // an array of all of the CRLReasons (used in SingleResponse)
    private static CRLReason[] values = CRLReason.values();