changeset 6699:023297d5b047 jdk7u25-b09
8013228: Create new system properties to control allowable OCSP clock skew and CRL connection timeout
Reviewed-by: vinnie
author | mullan |
---|---|
date | Fri, 26 Apr 2013 10:41:35 -0700 |
parents | 51d6934d1d7d |
children | 11616f222415 |
files | src/share/classes/sun/security/provider/certpath/CertPathHelper.java src/share/classes/sun/security/provider/certpath/CrlRevocationChecker.java src/share/classes/sun/security/provider/certpath/DistributionPointFetcher.java src/share/classes/sun/security/provider/certpath/OCSPResponse.java src/share/classes/sun/security/provider/certpath/URICertStore.java |
diffstat | 5 files changed, 80 insertions(+), 38 deletions(-) [+] |
--- a/src/share/classes/sun/security/provider/certpath/CertPathHelper.java Thu Apr 25 14:45:16 2013 -0700 +++ b/src/share/classes/sun/security/provider/certpath/CertPathHelper.java Fri Apr 26 10:41:35 2013 -0700 @@ -64,7 +64,7 @@ instance.implSetPathToNames(sel, names); } - static void setDateAndTime(X509CRLSelector sel, Date date, long skew) { + public static void setDateAndTime(X509CRLSelector sel, Date date, long skew) { instance.implSetDateAndTime(sel, date, skew); } }
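Review bot: `setDateAndTime` becomes `public` without any Javadoc, and none of the other four files in this changeset calls it from outside the package, so the diff does not show why the wider visibility is needed. The method lets a caller set the validation date and the allowed skew on an `X509CRLSelector`, so I would add a Javadoc that states the unit of `skew` and names the caller that requires public access. If nothing outside `sun.security.provider.certpath` uses it, the package-private modifier should stay. The enclosing class starts outside the hunk.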
--- a/src/share/classes/sun/security/provider/certpath/CrlRevocationChecker.java Thu Apr 25 14:45:16 2013 -0700 +++ b/src/share/classes/sun/security/provider/certpath/CrlRevocationChecker.java Fri Apr 26 10:41:35 2013 -0700 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -308,11 +308,9 @@ mPossibleCRLs.add((X509CRL)crl); } } - DistributionPointFetcher store = - DistributionPointFetcher.getInstance(); // all CRLs returned by the DP Fetcher have also been verified - mApprovedCRLs.addAll(store.getCRLs(sel, signFlag, prevKey, - mSigProvider, mStores, reasonsMask, trustAnchors, + mApprovedCRLs.addAll(DistributionPointFetcher.getCRLs(sel, signFlag, + prevKey, mSigProvider, mStores, reasonsMask, trustAnchors, mParams.getDate())); } catch (Exception e) { if (debug != null) { @@ -762,14 +760,12 @@ CRLDistributionPointsExtension.POINTS); } Set<X509CRL> results = new HashSet<X509CRL>(); - DistributionPointFetcher dpf = - DistributionPointFetcher.getInstance(); for (Iterator<DistributionPoint> t = points.iterator(); t.hasNext() && !Arrays.equals(reasonsMask, ALL_REASONS); ) { DistributionPoint point = t.next(); for (X509CRL crl : crls) { - if (dpf.verifyCRL(certImpl, point, crl, reasonsMask, - signFlag, prevKey, mSigProvider, + if (DistributionPointFetcher.verifyCRL(certImpl, point, crl, + reasonsMask, signFlag, prevKey, mSigProvider, trustAnchors, mStores, mParams.getDate())) { results.add(crl); }
--- a/src/share/classes/sun/security/provider/certpath/DistributionPointFetcher.java Thu Apr 25 14:45:16 2013 -0700 +++ b/src/share/classes/sun/security/provider/certpath/DistributionPointFetcher.java Fri Apr 26 10:41:35 2013 -0700 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2002, 2011, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2002, 2013, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -50,7 +50,7 @@ * @author Sean Mullan * @since 1.4.2 */ -class DistributionPointFetcher { +public class DistributionPointFetcher { private static final Debug debug = Debug.getInstance("certpath"); @@ -65,34 +65,28 @@ private final static boolean USE_CRLDP = AccessController.doPrivileged (new GetBooleanAction("com.sun.security.enableCRLDP")); - // singleton instance - private static final DistributionPointFetcher INSTANCE = - new DistributionPointFetcher(); - /** * Private instantiation only. */ private DistributionPointFetcher() {} /** - * Return a DistributionPointFetcher instance. - */ - static DistributionPointFetcher getInstance() { - return INSTANCE; - } - - /** * Return the X509CRLs matching this selector. The selector must be * an X509CRLSelector with certificateChecking set. * * If CRLDP support is disabled, this method always returns an * empty set. */ - Collection<X509CRL> getCRLs(X509CRLSelector selector, boolean signFlag, - PublicKey prevKey, String provider, List<CertStore> certStores, - boolean[] reasonsMask, Set<TrustAnchor> trustAnchors, - Date validity) throws CertStoreException { - + public static Collection<X509CRL> getCRLs(X509CRLSelector selector, + boolean signFlag, + PublicKey prevKey, + String provider, + List<CertStore> certStores, + boolean[] reasonsMask, + Set<TrustAnchor> trustAnchors, + Date validity) + throws CertStoreException + { if (USE_CRLDP == false) { return Collections.emptySet(); } 
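Review bot: `getCRLs` is now a `public static` entry point on a `public` class, but its Javadoc documents no parameters and does not state that the returned CRLs have already been verified. The comment at the call site in CrlRevocationChecker assumes exactly that (`// all CRLs returned by the DP Fetcher have also been verified`). I would add `@param` tags for `trustAnchors`, `certStores` and `validity`, plus an `@return` that states the verification guarantee. With the singleton removed the class is a static utility, so `public final class DistributionPointFetcher` and a constructor comment such as `// static utility class, never instantiated` would match its new shape. The body of `getCRLs` continues outside the hunk.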
@@ -140,7 +134,7 @@ * Download CRLs from the given distribution point, verify and return them. * See the top of the class for current limitations. */ - private Collection<X509CRL> getCRLs(X509CRLSelector selector, + private static Collection<X509CRL> getCRLs(X509CRLSelector selector, X509CertImpl certImpl, DistributionPoint point, boolean[] reasonsMask, boolean signFlag, PublicKey prevKey, String provider, List<CertStore> certStores, Set<TrustAnchor> trustAnchors, @@ -214,7 +208,7 @@ /** * Download CRL from given URI. */ - private X509CRL getCRL(URIName name) { + private static X509CRL getCRL(URIName name) { URI uri = name.getURI(); if (debug != null) { debug.println("Trying to fetch CRL from DP " + uri); @@ -240,7 +234,7 @@ /** * Fetch CRLs from certStores. */ - private Collection<X509CRL> getCRLs(X500Name name, + private static Collection<X509CRL> getCRLs(X500Name name, X500Principal certIssuer, List<CertStore> certStores) { if (debug != null) { @@ -285,7 +279,7 @@ * certification path should be determined * @return true if ok, false if not */ - boolean verifyCRL(X509CertImpl certImpl, DistributionPoint point, + static boolean verifyCRL(X509CertImpl certImpl, DistributionPoint point, X509CRL crl, boolean[] reasonsMask, boolean signFlag, PublicKey prevKey, String provider, Set<TrustAnchor> trustAnchors, List<CertStore> certStores, @@ -670,7 +664,7 @@ * Append relative name to the issuer name and return a new * GeneralNames object. */ - private GeneralNames getFullNames(X500Name issuer, RDN rdn) + private static GeneralNames getFullNames(X500Name issuer, RDN rdn) throws IOException { List<RDN> rdns = new ArrayList<RDN>(issuer.rdns()); rdns.add(rdn);
--- a/src/share/classes/sun/security/provider/certpath/OCSPResponse.java Thu Apr 25 14:45:16 2013 -0700 +++ b/src/share/classes/sun/security/provider/certpath/OCSPResponse.java Fri Apr 26 10:41:35 2013 -0700 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2003, 2013, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -41,6 +41,7 @@ import java.util.List; import java.util.Map; import sun.misc.HexDumpEncoder; +import sun.security.action.GetIntegerAction; import sun.security.x509.*; import sun.security.util.*; 
@@ -148,9 +149,31 @@ private final ResponseStatus responseStatus; private final Map<CertId, SingleResponse> singleResponseMap; - // Maximum clock skew in milliseconds (15 minutes) allowed when checking - // validity of OCSP responses - private static final long MAX_CLOCK_SKEW = 900000; + // Default maximum clock skew in milliseconds (15 minutes) + // allowed when checking validity of OCSP responses + private static final int DEFAULT_MAX_CLOCK_SKEW = 900000; + + /** + * Integer value indicating the maximum allowable clock skew, in seconds, + * to be used for the OCSP check. + */ + private static final int MAX_CLOCK_SKEW = initializeClockSkew(); + + /** + * Initialize the maximum allowable clock skew by getting the OCSP + * clock skew system property. If the property has not been set, or if its + * value is negative, set the skew to the default. + */ + private static int initializeClockSkew() { + Integer tmp = java.security.AccessController.doPrivileged( + new GetIntegerAction("com.sun.security.ocsp.clockSkew")); + if (tmp == null || tmp < 0) { + return DEFAULT_MAX_CLOCK_SKEW; + } + // Convert to milliseconds, as the system property will be + // specified in seconds + return tmp * 1000; + } // an array of all of the CRLReasons (used in SingleResponse) private static CRLReason[] values = CRLReason.values();
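Review bot: `return tmp * 1000;` in `initializeClockSkew()` multiplies in `int`, so a `com.sun.security.ocsp.clockSkew` value above 2147483 seconds wraps to a negative or otherwise wrong skew, and nothing caps the value. A very large skew widens the window in which an outdated OCSP response is still accepted, so I would do the arithmetic in `long` and fall back to the default when out of range: `long millis = tmp * 1000L;` then `return millis > Integer.MAX_VALUE ? DEFAULT_MAX_CLOCK_SKEW : (int) millis;`. The same multiplication appears in `initializeTimeout()` in URICertStore.java, where a wrapped negative value would reach `setConnectTimeout`, which rejects negative timeouts. The Javadoc on `MAX_CLOCK_SKEW` (and on `CRL_CONNECT_TIMEOUT`) says "in seconds" although the constant holds milliseconds; `in milliseconds` would match the code.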
--- a/src/share/classes/sun/security/provider/certpath/URICertStore.java Thu Apr 25 14:45:16 2013 -0700 +++ b/src/share/classes/sun/security/provider/certpath/URICertStore.java Fri Apr 26 10:41:35 2013 -0700 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2006, 2010, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2006, 2013, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -53,6 +53,7 @@ import java.util.Collections; import java.util.List; import java.util.Locale; +import sun.security.action.GetIntegerAction; import sun.security.x509.AccessDescription; import sun.security.x509.GeneralNameInterface; import sun.security.x509.URIName; @@ -149,6 +150,33 @@ } } + // Default maximum connect timeout in milliseconds (15 seconds) + // allowed when downloading CRLs + private static final int DEFAULT_CRL_CONNECT_TIMEOUT = 15000; + + /** + * Integer value indicating the connect timeout, in seconds, to be + * used for the CRL download. A timeout of zero is interpreted as + * an infinite timeout. + */ + private static final int CRL_CONNECT_TIMEOUT = initializeTimeout(); + + /** + * Initialize the timeout length by getting the CRL timeout + * system property. If the property has not been set, or if its + * value is negative, set the timeout length to the default. + */ + private static int initializeTimeout() { + Integer tmp = java.security.AccessController.doPrivileged( + new GetIntegerAction("com.sun.security.crl.timeout")); + if (tmp == null || tmp < 0) { + return DEFAULT_CRL_CONNECT_TIMEOUT; + } + // Convert to milliseconds, as the system property will be + // specified in seconds + return tmp * 1000; + } + /** * Creates a URICertStore. * 
@@ -395,6 +423,7 @@ if (lastModified != 0) { connection.setIfModifiedSince(lastModified); } + connection.setConnectTimeout(CRL_CONNECT_TIMEOUT); in = connection.getInputStream(); long oldLastModified = lastModified; lastModified = connection.getLastModified();
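Review bot: Only the connect timeout is bounded here; `connection.getInputStream()` on the next line and the reads that follow have no read timeout. A CRL server that accepts the connection and then stalls can presumably still block revocation checking indefinitely. Adding `connection.setReadTimeout(CRL_CONNECT_TIMEOUT);` next to the new call, or a separate read-timeout constant, would close that gap. A property value of 0 is also passed through as an infinite connect timeout, which is worth stating wherever the property is documented. The enclosing method starts and ends outside the hunk.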