changeset 5409:452cb039dfd2

8013228: Create new system properties to control allowable OCSP clock skew and CRL connection timeout Reviewed-by: vinnie
author andrew
date Wed, 26 Jun 2013 22:37:21 -0500
parents 166a090d3fd4
children a318a41ecb0b
files src/share/classes/sun/security/provider/certpath/CertPathHelper.java src/share/classes/sun/security/provider/certpath/CrlRevocationChecker.java src/share/classes/sun/security/provider/certpath/DistributionPointFetcher.java src/share/classes/sun/security/provider/certpath/OCSPResponse.java src/share/classes/sun/security/provider/certpath/URICertStore.java
diffstat 5 files changed, 80 insertions(+), 38 deletions(-) [+]
--- a/src/share/classes/sun/security/provider/certpath/CertPathHelper.java	Wed May 01 21:02:04 2013 +0100
+++ b/src/share/classes/sun/security/provider/certpath/CertPathHelper.java	Wed Jun 26 22:37:21 2013 -0500
@@ -64,7 +64,7 @@
         instance.implSetPathToNames(sel, names);
     }
 
-    static void setDateAndTime(X509CRLSelector sel, Date date, long skew) {
+    public static void setDateAndTime(X509CRLSelector sel, Date date, long skew) {
         instance.implSetDateAndTime(sel, date, skew);
     }
 }
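Review bot: setDateAndTime is widened to public without any Javadoc, and every file touched by this changeset lives in the same package, so nothing visible here needs the wider access. If a caller outside sun.security.provider.certpath is intended, a short Javadoc naming that caller and the unit of `skew` (presumably milliseconds; confirm against implSetDateAndTime) would make the exposure deliberate. The same applies to DistributionPointFetcher, which this changeset turns into a public class with a public static getCRLs.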
--- a/src/share/classes/sun/security/provider/certpath/CrlRevocationChecker.java	Wed May 01 21:02:04 2013 +0100
+++ b/src/share/classes/sun/security/provider/certpath/CrlRevocationChecker.java	Wed Jun 26 22:37:21 2013 -0500
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -308,11 +308,9 @@
                     mPossibleCRLs.add((X509CRL)crl);
                 }
             }
-            DistributionPointFetcher store =
-                DistributionPointFetcher.getInstance();
             // all CRLs returned by the DP Fetcher have also been verified
-            mApprovedCRLs.addAll(store.getCRLs(sel, signFlag, prevKey,
-                mSigProvider, mStores, reasonsMask, trustAnchors,
+            mApprovedCRLs.addAll(DistributionPointFetcher.getCRLs(sel, signFlag,
+                prevKey, mSigProvider, mStores, reasonsMask, trustAnchors,
                 mParams.getDate()));
         } catch (Exception e) {
             if (debug != null) {
@@ -762,14 +760,12 @@
                                         CRLDistributionPointsExtension.POINTS);
             }
             Set<X509CRL> results = new HashSet<X509CRL>();
-            DistributionPointFetcher dpf =
-                DistributionPointFetcher.getInstance();
             for (Iterator<DistributionPoint> t = points.iterator();
                  t.hasNext() && !Arrays.equals(reasonsMask, ALL_REASONS); ) {
                 DistributionPoint point = t.next();
                 for (X509CRL crl : crls) {
-                    if (dpf.verifyCRL(certImpl, point, crl, reasonsMask,
-                            signFlag, prevKey, mSigProvider,
+                    if (DistributionPointFetcher.verifyCRL(certImpl, point, crl,
+                            reasonsMask, signFlag, prevKey, mSigProvider,
                             trustAnchors, mStores, mParams.getDate())) {
                         results.add(crl);
                     }
--- a/src/share/classes/sun/security/provider/certpath/DistributionPointFetcher.java	Wed May 01 21:02:04 2013 +0100
+++ b/src/share/classes/sun/security/provider/certpath/DistributionPointFetcher.java	Wed Jun 26 22:37:21 2013 -0500
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2002, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2013, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -50,7 +50,7 @@
  * @author Sean Mullan
  * @since 1.4.2
  */
-class DistributionPointFetcher {
+public class DistributionPointFetcher {
 
     private static final Debug debug = Debug.getInstance("certpath");
 
@@ -65,34 +65,28 @@
     private final static boolean USE_CRLDP = AccessController.doPrivileged
         (new GetBooleanAction("com.sun.security.enableCRLDP"));
 
-    // singleton instance
-    private static final DistributionPointFetcher INSTANCE =
-        new DistributionPointFetcher();
-
     /**
      * Private instantiation only.
      */
     private DistributionPointFetcher() {}
 
     /**
-     * Return a DistributionPointFetcher instance.
-     */
-    static DistributionPointFetcher getInstance() {
-        return INSTANCE;
-    }
-
-    /**
      * Return the X509CRLs matching this selector. The selector must be
      * an X509CRLSelector with certificateChecking set.
      *
      * If CRLDP support is disabled, this method always returns an
      * empty set.
      */
-    Collection<X509CRL> getCRLs(X509CRLSelector selector, boolean signFlag,
-        PublicKey prevKey, String provider, List<CertStore> certStores,
-        boolean[] reasonsMask, Set<TrustAnchor> trustAnchors,
-        Date validity) throws CertStoreException {
-
+    public static Collection<X509CRL> getCRLs(X509CRLSelector selector,
+                                              boolean signFlag,
+                                              PublicKey prevKey,
+                                              String provider,
+                                              List<CertStore> certStores,
+                                              boolean[] reasonsMask,
+                                              Set<TrustAnchor> trustAnchors,
+                                              Date validity)
+        throws CertStoreException
+    {
         if (USE_CRLDP == false) {
             return Collections.emptySet();
         }
@@ -140,7 +134,7 @@
      * Download CRLs from the given distribution point, verify and return them.
      * See the top of the class for current limitations.
      */
-    private Collection<X509CRL> getCRLs(X509CRLSelector selector,
+    private static Collection<X509CRL> getCRLs(X509CRLSelector selector,
         X509CertImpl certImpl, DistributionPoint point, boolean[] reasonsMask,
         boolean signFlag, PublicKey prevKey, String provider,
         List<CertStore> certStores, Set<TrustAnchor> trustAnchors,
@@ -214,7 +208,7 @@
     /**
      * Download CRL from given URI.
      */
-    private X509CRL getCRL(URIName name) {
+    private static X509CRL getCRL(URIName name) {
         URI uri = name.getURI();
         if (debug != null) {
             debug.println("Trying to fetch CRL from DP " + uri);
@@ -240,7 +234,7 @@
     /**
      * Fetch CRLs from certStores.
      */
-    private Collection<X509CRL> getCRLs(X500Name name,
+    private static Collection<X509CRL> getCRLs(X500Name name,
         X500Principal certIssuer, List<CertStore> certStores)
     {
         if (debug != null) {
@@ -285,7 +279,7 @@
      *        certification path should be determined
      * @return true if ok, false if not
      */
-    boolean verifyCRL(X509CertImpl certImpl, DistributionPoint point,
+    static boolean verifyCRL(X509CertImpl certImpl, DistributionPoint point,
         X509CRL crl, boolean[] reasonsMask, boolean signFlag,
         PublicKey prevKey, String provider,
         Set<TrustAnchor> trustAnchors, List<CertStore> certStores,
@@ -670,7 +664,7 @@
      * Append relative name to the issuer name and return a new
      * GeneralNames object.
      */
-    private GeneralNames getFullNames(X500Name issuer, RDN rdn)
+    private static GeneralNames getFullNames(X500Name issuer, RDN rdn)
         throws IOException {
         List<RDN> rdns = new ArrayList<RDN>(issuer.rdns());
         rdns.add(rdn);
--- a/src/share/classes/sun/security/provider/certpath/OCSPResponse.java	Wed May 01 21:02:04 2013 +0100
+++ b/src/share/classes/sun/security/provider/certpath/OCSPResponse.java	Wed Jun 26 22:37:21 2013 -0500
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2013, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -40,6 +40,7 @@
 import java.util.List;
 import java.util.Map;
 import sun.misc.HexDumpEncoder;
+import sun.security.action.GetIntegerAction;
 import sun.security.x509.*;
 import sun.security.util.*;
 
@@ -147,9 +148,31 @@
     private final ResponseStatus responseStatus;
     private final Map<CertId, SingleResponse> singleResponseMap;
 
-    // Maximum clock skew in milliseconds (15 minutes) allowed when checking
-    // validity of OCSP responses
-    private static final long MAX_CLOCK_SKEW = 900000;
+    // Default maximum clock skew in milliseconds (15 minutes)
+    // allowed when checking validity of OCSP responses
+    private static final int DEFAULT_MAX_CLOCK_SKEW = 900000;
+
+    /**
+     * Integer value indicating the maximum allowable clock skew, in seconds,
+     * to be used for the OCSP check.
+     */
+    private static final int MAX_CLOCK_SKEW = initializeClockSkew();
+
+    /**
+     * Initialize the maximum allowable clock skew by getting the OCSP
+     * clock skew system property. If the property has not been set, or if its
+     * value is negative, set the skew to the default.
+     */
+    private static int initializeClockSkew() {
+        Integer tmp = java.security.AccessController.doPrivileged(
+                new GetIntegerAction("com.sun.security.ocsp.clockSkew"));
+        if (tmp == null || tmp < 0) {
+            return DEFAULT_MAX_CLOCK_SKEW;
+        }
+        // Convert to milliseconds, as the system property will be
+        // specified in seconds
+        return tmp * 1000;
+    }
 
     // an array of all of the CRLReasons (used in SingleResponse)
     private static CRLReason[] values = CRLReason.values();
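Review bot: `tmp * 1000` in initializeClockSkew() is int arithmetic, so a property value above Integer.MAX_VALUE / 1000 wraps and can yield a negative or arbitrarily small skew that the `tmp < 0` guard never sees. Reject out-of-range values up front, e.g. `if (tmp == null || tmp < 0 || tmp > Integer.MAX_VALUE / 1000) {`, or keep the field a `long` as it was before this change and multiply by `1000L`. The same multiplication appears in URICertStore.initializeTimeout(), where a wrapped negative result would reach `setConnectTimeout`, which rejects negative arguments. The Javadoc on MAX_CLOCK_SKEW (and on CRL_CONNECT_TIMEOUT) says "in seconds" although the stored value is in milliseconds. Because the skew widens the window in which an older OCSP response is still accepted, an upper bound on the property may also be worth considering.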
--- a/src/share/classes/sun/security/provider/certpath/URICertStore.java	Wed May 01 21:02:04 2013 +0100
+++ b/src/share/classes/sun/security/provider/certpath/URICertStore.java	Wed Jun 26 22:37:21 2013 -0500
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2006, 2010, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2006, 2013, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -53,6 +53,7 @@
 import java.util.Collections;
 import java.util.List;
 import java.util.Locale;
+import sun.security.action.GetIntegerAction;
 import sun.security.x509.AccessDescription;
 import sun.security.x509.GeneralNameInterface;
 import sun.security.x509.URIName;
@@ -149,6 +150,33 @@
         }
     }
 
+    // Default maximum connect timeout in milliseconds (15 seconds)
+    // allowed when downloading CRLs
+    private static final int DEFAULT_CRL_CONNECT_TIMEOUT = 15000;
+
+    /**
+     * Integer value indicating the connect timeout, in seconds, to be
+     * used for the CRL download. A timeout of zero is interpreted as
+     * an infinite timeout.
+     */
+    private static final int CRL_CONNECT_TIMEOUT = initializeTimeout();
+
+    /**
+     * Initialize the timeout length by getting the CRL timeout
+     * system property. If the property has not been set, or if its
+     * value is negative, set the timeout length to the default.
+     */
+    private static int initializeTimeout() {
+        Integer tmp = java.security.AccessController.doPrivileged(
+                new GetIntegerAction("com.sun.security.crl.timeout"));
+        if (tmp == null || tmp < 0) {
+            return DEFAULT_CRL_CONNECT_TIMEOUT;
+        }
+        // Convert to milliseconds, as the system property will be
+        // specified in seconds
+        return tmp * 1000;
+    }
+
     /**
      * Creates a URICertStore.
      *
@@ -395,6 +423,7 @@
             if (lastModified != 0) {
                 connection.setIfModifiedSince(lastModified);
             }
+            connection.setConnectTimeout(CRL_CONNECT_TIMEOUT);
             in = connection.getInputStream();
             long oldLastModified = lastModified;
             lastModified = connection.getLastModified();
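Review bot: Only the connect phase is bounded here; once the connection is established, `connection.getInputStream()` and the reads that follow can still block indefinitely on a server that accepts the connection and then stalls. If the property is meant as an overall CRL fetch timeout, add `connection.setReadTimeout(CRL_CONNECT_TIMEOUT);` next to the new line, or document that com.sun.security.crl.timeout covers connection establishment only. The enclosing method starts and ends outside this hunk, so a read timeout may already be set elsewhere.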