changeset 9511:8f315e0a7b18
7038175: Expired PKITS certificates causing CertPathBuilder and CertPathValidator regression test failures
Reviewed-by: xuelei
author | mullan |
---|---|
date | Thu, 21 Apr 2011 17:39:28 -0400 |
parents | 310b4f6c8e61 |
children | 78a4f1f6b88d |
files | jdk/src/share/classes/sun/security/provider/certpath/CrlRevocationChecker.java jdk/src/share/classes/sun/security/provider/certpath/DistributionPointFetcher.java |
diffstat | 2 files changed, 14 insertions(+), 9 deletions(-) [+] |
--- a/jdk/src/share/classes/sun/security/provider/certpath/CrlRevocationChecker.java Thu Apr 21 19:05:29 2011 +0100 +++ b/jdk/src/share/classes/sun/security/provider/certpath/CrlRevocationChecker.java Thu Apr 21 17:39:28 2011 -0400 @@ -312,7 +312,8 @@ DistributionPointFetcher.getInstance(); // all CRLs returned by the DP Fetcher have also been verified mApprovedCRLs.addAll(store.getCRLs(sel, signFlag, prevKey, - mSigProvider, mStores, reasonsMask, trustAnchors)); + mSigProvider, mStores, reasonsMask, trustAnchors, + mParams.getDate())); } catch (Exception e) { if (debug != null) { debug.println("CrlRevocationChecker.verifyRevocationStatus() " @@ -769,7 +770,7 @@ for (X509CRL crl : crls) { if (dpf.verifyCRL(certImpl, point, crl, reasonsMask, signFlag, prevKey, mSigProvider, - trustAnchors, mStores)) { + trustAnchors, mStores, mParams.getDate())) { results.add(crl); } }
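Review bot: `mParams.getDate()` returns null when the caller never set a validation date, and that null is now passed to `store.getCRLs(...)` here and to `dpf.verifyCRL(...)` in the @@ -769 hunk with nothing at either call site saying so. A short comment above the call, e.g. `// getDate() may be null; PKIX parameters treat null as "use the current time"`, would make the contract visible to the next reader. In the @@ -769 hunk the call sits inside the `for (X509CRL crl : crls)` loop, so reading it once into a local before the loop (`Date validity = mParams.getDate();`) would avoid fetching it again for every CRL. Both enclosing methods start and end outside the hunks.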
--- a/jdk/src/share/classes/sun/security/provider/certpath/DistributionPointFetcher.java Thu Apr 21 19:05:29 2011 +0100 +++ b/jdk/src/share/classes/sun/security/provider/certpath/DistributionPointFetcher.java Thu Apr 21 17:39:28 2011 -0400 @@ -90,8 +90,8 @@ */ Collection<X509CRL> getCRLs(X509CRLSelector selector, boolean signFlag, PublicKey prevKey, String provider, List<CertStore> certStores, - boolean[] reasonsMask, - Set<TrustAnchor> trustAnchors) throws CertStoreException { + boolean[] reasonsMask, Set<TrustAnchor> trustAnchors, + Date validity) throws CertStoreException { if (USE_CRLDP == false) { return Collections.emptySet(); @@ -122,7 +122,7 @@ DistributionPoint point = t.next(); Collection<X509CRL> crls = getCRLs(selector, certImpl, point, reasonsMask, signFlag, prevKey, provider, - certStores, trustAnchors); + certStores, trustAnchors, validity); results.addAll(crls); } if (debug != null) { @@ -143,7 +143,8 @@ private Collection<X509CRL> getCRLs(X509CRLSelector selector, X509CertImpl certImpl, DistributionPoint point, boolean[] reasonsMask, boolean signFlag, PublicKey prevKey, String provider, - List<CertStore> certStores, Set<TrustAnchor> trustAnchors) { + List<CertStore> certStores, Set<TrustAnchor> trustAnchors, + Date validity) { // check for full name GeneralNames fullName = point.getFullName(); @@ -196,7 +197,7 @@ selector.setIssuerNames(null); if (selector.match(crl) && verifyCRL(certImpl, point, crl, reasonsMask, signFlag, prevKey, provider, trustAnchors, - certStores)) { + certStores, validity)) { crls.add(crl); } } catch (Exception e) { 
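Review bot: The Javadoc that closes at `*/` just above `getCRLs` is not touched by the @@ -90 hunk, so the new `validity` parameter is left undocumented on this entry point, while `verifyCRL` further down gains a `@param validity` line. I would add the same tag here, e.g. `@param validity the time for which the validity of the CRL issuer's certification path should be determined; null means the current time`. The private `getCRLs` overload in the @@ -143 hunk takes the same parameter and could carry a one-line note as well. The comment block itself begins outside the hunk, so whether it lists the other parameters cannot be confirmed from here.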
@@ -280,13 +281,15 @@ * @param trustAnchors a {@code Set} of {@code TrustAnchor}s * @param certStores a {@code List} of {@code CertStore}s to be used in * finding certificates and CRLs + * @param validity the time for which the validity of the CRL issuer's + * certification path should be determined * @return true if ok, false if not */ boolean verifyCRL(X509CertImpl certImpl, DistributionPoint point, X509CRL crl, boolean[] reasonsMask, boolean signFlag, PublicKey prevKey, String provider, - Set<TrustAnchor> trustAnchors, - List<CertStore> certStores) throws CRLException, IOException { + Set<TrustAnchor> trustAnchors, List<CertStore> certStores, + Date validity) throws CRLException, IOException { boolean indirectCRL = false; X509CRLImpl crlImpl = X509CRLImpl.toImpl(crl); @@ -605,6 +608,7 @@ } params.setCertStores(certStores); params.setSigProvider(provider); + params.setDate(validity); try { CertPathBuilder builder = CertPathBuilder.getInstance("PKIX"); PKIXCertPathBuilderResult result =
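Review bot: In the @@ -605 hunk, `params.setDate(validity)` makes the CRL issuer's certification path be judged at a caller-chosen instant, so with a date in the past an issuer certificate that has since expired will pass this build. That matches how the target path is validated, but it is only sound if the CRL's own thisUpdate/nextUpdate window and any revocation check on the issuer path are evaluated against the same date; those checks lie outside this hunk, so this cannot be confirmed from here. A why-comment on the new line would help, e.g. `// build the CRL issuer's path for the same time as the certificate being checked (null = now)`. The `@param validity` text added in the @@ -280 hunk could also say that null means the current time.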