# HG changeset patch # User andrew # Date 1372304241 18000 # Node ID 452cb039dfd2653975ee02f63328f0977bbb8012 # Parent 166a090d3fd463a33e323d47cf27cfb4abacd4b5 8013228: Create new system properties to control allowable OCSP clock skew and CRL connection timeout Reviewed-by: vinnie diff -r 166a090d3fd4 -r 452cb039dfd2 src/share/classes/sun/security/provider/certpath/CertPathHelper.java --- a/src/share/classes/sun/security/provider/certpath/CertPathHelper.java Wed May 01 21:02:04 2013 +0100 +++ b/src/share/classes/sun/security/provider/certpath/CertPathHelper.java Wed Jun 26 22:37:21 2013 -0500 @@ -64,7 +64,7 @@ instance.implSetPathToNames(sel, names); } - static void setDateAndTime(X509CRLSelector sel, Date date, long skew) { + public static void setDateAndTime(X509CRLSelector sel, Date date, long skew) { instance.implSetDateAndTime(sel, date, skew); } } diff -r 166a090d3fd4 -r 452cb039dfd2 src/share/classes/sun/security/provider/certpath/CrlRevocationChecker.java --- a/src/share/classes/sun/security/provider/certpath/CrlRevocationChecker.java Wed May 01 21:02:04 2013 +0100 +++ b/src/share/classes/sun/security/provider/certpath/CrlRevocationChecker.java Wed Jun 26 22:37:21 2013 -0500 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it 
@@ -308,11 +308,9 @@ mPossibleCRLs.add((X509CRL)crl); } } - DistributionPointFetcher store = - DistributionPointFetcher.getInstance(); // all CRLs returned by the DP Fetcher have also been verified - mApprovedCRLs.addAll(store.getCRLs(sel, signFlag, prevKey, - mSigProvider, mStores, reasonsMask, trustAnchors, + mApprovedCRLs.addAll(DistributionPointFetcher.getCRLs(sel, signFlag, + prevKey, mSigProvider, mStores, reasonsMask, trustAnchors, mParams.getDate())); } catch (Exception e) { if (debug != null) { @@ -762,14 +760,12 @@ CRLDistributionPointsExtension.POINTS); } Set results = new HashSet(); - DistributionPointFetcher dpf = - DistributionPointFetcher.getInstance(); for (Iterator t = points.iterator(); t.hasNext() && !Arrays.equals(reasonsMask, ALL_REASONS); ) { DistributionPoint point = t.next(); for (X509CRL crl : crls) { - if (dpf.verifyCRL(certImpl, point, crl, reasonsMask, - signFlag, prevKey, mSigProvider, + if (DistributionPointFetcher.verifyCRL(certImpl, point, crl, + reasonsMask, signFlag, prevKey, mSigProvider, trustAnchors, mStores, mParams.getDate())) { results.add(crl); } diff -r 166a090d3fd4 -r 452cb039dfd2 src/share/classes/sun/security/provider/certpath/DistributionPointFetcher.java --- a/src/share/classes/sun/security/provider/certpath/DistributionPointFetcher.java Wed May 01 21:02:04 2013 +0100 +++ b/src/share/classes/sun/security/provider/certpath/DistributionPointFetcher.java Wed Jun 26 22:37:21 2013 -0500 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2002, 2011, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2002, 2013, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -50,7 +50,7 @@ * @author Sean Mullan * @since 1.4.2 */ -class DistributionPointFetcher { +public class DistributionPointFetcher { private static final Debug debug = Debug.getInstance("certpath"); 
@@ -65,34 +65,28 @@ private final static boolean USE_CRLDP = AccessController.doPrivileged (new GetBooleanAction("com.sun.security.enableCRLDP")); - // singleton instance - private static final DistributionPointFetcher INSTANCE = - new DistributionPointFetcher(); - /** * Private instantiation only. */ private DistributionPointFetcher() {} /** - * Return a DistributionPointFetcher instance. - */ - static DistributionPointFetcher getInstance() { - return INSTANCE; - } - - /** * Return the X509CRLs matching this selector. The selector must be * an X509CRLSelector with certificateChecking set. * * If CRLDP support is disabled, this method always returns an * empty set. */ - Collection getCRLs(X509CRLSelector selector, boolean signFlag, - PublicKey prevKey, String provider, List certStores, - boolean[] reasonsMask, Set trustAnchors, - Date validity) throws CertStoreException { - + public static Collection getCRLs(X509CRLSelector selector, + boolean signFlag, + PublicKey prevKey, + String provider, + List certStores, + boolean[] reasonsMask, + Set trustAnchors, + Date validity) + throws CertStoreException + { if (USE_CRLDP == false) { return Collections.emptySet(); } @@ -140,7 +134,7 @@ * Download CRLs from the given distribution point, verify and return them. * See the top of the class for current limitations. */ - private Collection getCRLs(X509CRLSelector selector, + private static Collection getCRLs(X509CRLSelector selector, X509CertImpl certImpl, DistributionPoint point, boolean[] reasonsMask, boolean signFlag, PublicKey prevKey, String provider, List certStores, Set trustAnchors, @@ -214,7 +208,7 @@ /** * Download CRL from given URI. */ - private X509CRL getCRL(URIName name) { + private static X509CRL getCRL(URIName name) { URI uri = name.getURI(); if (debug != null) { debug.println("Trying to fetch CRL from DP " + uri); 
@@ -240,7 +234,7 @@ /** * Fetch CRLs from certStores. */ - private Collection getCRLs(X500Name name, + private static Collection getCRLs(X500Name name, X500Principal certIssuer, List certStores) { if (debug != null) { @@ -285,7 +279,7 @@ * certification path should be determined * @return true if ok, false if not */ - boolean verifyCRL(X509CertImpl certImpl, DistributionPoint point, + static boolean verifyCRL(X509CertImpl certImpl, DistributionPoint point, X509CRL crl, boolean[] reasonsMask, boolean signFlag, PublicKey prevKey, String provider, Set trustAnchors, List certStores, @@ -670,7 +664,7 @@ * Append relative name to the issuer name and return a new * GeneralNames object. */ - private GeneralNames getFullNames(X500Name issuer, RDN rdn) + private static GeneralNames getFullNames(X500Name issuer, RDN rdn) throws IOException { List rdns = new ArrayList(issuer.rdns()); rdns.add(rdn); diff -r 166a090d3fd4 -r 452cb039dfd2 src/share/classes/sun/security/provider/certpath/OCSPResponse.java --- a/src/share/classes/sun/security/provider/certpath/OCSPResponse.java Wed May 01 21:02:04 2013 +0100 +++ b/src/share/classes/sun/security/provider/certpath/OCSPResponse.java Wed Jun 26 22:37:21 2013 -0500 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2003, 2013, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -40,6 +40,7 @@ import java.util.List; import java.util.Map; import sun.misc.HexDumpEncoder; +import sun.security.action.GetIntegerAction; import sun.security.x509.*; import sun.security.util.*; 
@@ -147,9 +148,31 @@ private final ResponseStatus responseStatus; private final Map singleResponseMap; - // Maximum clock skew in milliseconds (15 minutes) allowed when checking - // validity of OCSP responses - private static final long MAX_CLOCK_SKEW = 900000; + // Default maximum clock skew in milliseconds (15 minutes) + // allowed when checking validity of OCSP responses + private static final int DEFAULT_MAX_CLOCK_SKEW = 900000; + + /** + * Integer value indicating the maximum allowable clock skew, in seconds, + * to be used for the OCSP check. + */ + private static final int MAX_CLOCK_SKEW = initializeClockSkew(); + + /** + * Initialize the maximum allowable clock skew by getting the OCSP + * clock skew system property. If the property has not been set, or if its + * value is negative, set the skew to the default. + */ + private static int initializeClockSkew() { + Integer tmp = java.security.AccessController.doPrivileged( + new GetIntegerAction("com.sun.security.ocsp.clockSkew")); + if (tmp == null || tmp < 0) { + return DEFAULT_MAX_CLOCK_SKEW; + } + // Convert to milliseconds, as the system property will be + // specified in seconds + return tmp * 1000; + } // an array of all of the CRLReasons (used in SingleResponse) private static CRLReason[] values = CRLReason.values(); diff -r 166a090d3fd4 -r 452cb039dfd2 src/share/classes/sun/security/provider/certpath/URICertStore.java --- a/src/share/classes/sun/security/provider/certpath/URICertStore.java Wed May 01 21:02:04 2013 +0100 +++ b/src/share/classes/sun/security/provider/certpath/URICertStore.java Wed Jun 26 22:37:21 2013 -0500 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2006, 2010, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2006, 2013, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it 
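Review bot: In `initializeClockSkew()` the conversion `return tmp * 1000;` is done in `int` arithmetic with no upper bound, so a `com.sun.security.ocsp.clockSkew` value above 2147483 seconds wraps (possibly to a negative skew), and any large in-range value widens the window in which a stale OCSP response would presumably still be accepted. I would reject out-of-range values before converting, e.g. `if (tmp == null || tmp < 0 || tmp > Integer.MAX_VALUE / 1000) { return DEFAULT_MAX_CLOCK_SKEW; }`, and consider a documented sanity ceiling well below that. The Javadoc on `MAX_CLOCK_SKEW` says "in seconds" while the field holds milliseconds; `maximum allowable clock skew, in milliseconds` would match the code. The same two points apply to `initializeTimeout()` and `CRL_CONNECT_TIMEOUT` in the URICertStore.java hunk at `@@ -149,6 +150,33 @@`, where a wrapped negative value would make `setConnectTimeout` throw `IllegalArgumentException`.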
@@ -53,6 +53,7 @@ import java.util.Collections; import java.util.List; import java.util.Locale; +import sun.security.action.GetIntegerAction; import sun.security.x509.AccessDescription; import sun.security.x509.GeneralNameInterface; import sun.security.x509.URIName; @@ -149,6 +150,33 @@ } } + // Default maximum connect timeout in milliseconds (15 seconds) + // allowed when downloading CRLs + private static final int DEFAULT_CRL_CONNECT_TIMEOUT = 15000; + + /** + * Integer value indicating the connect timeout, in seconds, to be + * used for the CRL download. A timeout of zero is interpreted as + * an infinite timeout. + */ + private static final int CRL_CONNECT_TIMEOUT = initializeTimeout(); + + /** + * Initialize the timeout length by getting the CRL timeout + * system property. If the property has not been set, or if its + * value is negative, set the timeout length to the default. + */ + private static int initializeTimeout() { + Integer tmp = java.security.AccessController.doPrivileged( + new GetIntegerAction("com.sun.security.crl.timeout")); + if (tmp == null || tmp < 0) { + return DEFAULT_CRL_CONNECT_TIMEOUT; + } + // Convert to milliseconds, as the system property will be + // specified in seconds + return tmp * 1000; + } + /** * Creates a URICertStore. * @@ -395,6 +423,7 @@ if (lastModified != 0) { connection.setIfModifiedSince(lastModified); } + connection.setConnectTimeout(CRL_CONNECT_TIMEOUT); in = connection.getInputStream(); long oldLastModified = lastModified; lastModified = connection.getLastModified();
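Review bot: Only the connect phase is bounded by the added `connection.setConnectTimeout(CRL_CONNECT_TIMEOUT);` in the `@@ -395,6 +423,7 @@` hunk, so a server that accepts the connection and then stalls can still block `connection.getInputStream()` and the CRL read that follows. The URI appears to come from the CRL distribution point of the certificate under validation, so a read bound belongs next to it, e.g. `connection.setReadTimeout(CRL_CONNECT_TIMEOUT);` or a separate property for the read phase. A property value of 0 is accepted by `initializeTimeout()` and disables the connect timeout entirely, which is worth stating in the property's user-facing documentation. The enclosing method starts and ends outside the hunk.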