archive/jdk
1
0
Fork 0
mirror of https://github.com/openjdk/jdk.git synced 2025-09-21 19:44:41 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

8013228: Create new system properties to control allowable OCSP clock skew and CRL connection timeout

Browse source 
Reviewed-by: vinnie
This commit is contained in:
Sean Mullan 2013-04-25 15:48:11 -04:00
parent 03a7499322
commit a618ff7cf9
4 changed files with 67 additions and 14 deletions
Download patch file Download diff file Expand all files Collapse all files

2
jdk/src/share/classes/sun/security/provider/certpath/CertPathHelper.java
View file

@ -64,7 +64,7 @@ public abstract class CertPathHelper {
instance.implSetPathToNames(sel, names); instance.implSetPathToNames(sel, names);
} }
static void setDateAndTime(X509CRLSelector sel, Date date, long skew) { public static void setDateAndTime(X509CRLSelector sel, Date date, long skew) {
instance.implSetDateAndTime(sel, date, skew); instance.implSetDateAndTime(sel, date, skew);
} }
} }

17
jdk/src/share/classes/sun/security/provider/certpath/DistributionPointFetcher.java
View file

@ -50,7 +50,7 @@ import sun.security.x509.*;
* @author Sean Mullan * @author Sean Mullan
* @since 1.4.2 * @since 1.4.2
*/ */
class DistributionPointFetcher { public class DistributionPointFetcher {
private static final Debug debug = Debug.getInstance("certpath"); private static final Debug debug = Debug.getInstance("certpath");
@ -66,13 +66,14 @@ class DistributionPointFetcher {
* Return the X509CRLs matching this selector. The selector must be * Return the X509CRLs matching this selector. The selector must be
* an X509CRLSelector with certificateChecking set. * an X509CRLSelector with certificateChecking set.
*/ */
static Collection<X509CRL> getCRLs(X509CRLSelector selector, public static Collection<X509CRL> getCRLs(X509CRLSelector selector,
boolean signFlag, PublicKey prevKey, boolean signFlag,
String provider, PublicKey prevKey,
List<CertStore> certStores, String provider,
boolean[] reasonsMask, List<CertStore> certStores,
Set<TrustAnchor> trustAnchors, boolean[] reasonsMask,
Date validity) Set<TrustAnchor> trustAnchors,
Date validity)
throws CertStoreException throws CertStoreException
{ {
X509Certificate cert = selector.getCertificateChecking(); X509Certificate cert = selector.getCertificateChecking();

31
jdk/src/share/classes/sun/security/provider/certpath/OCSPResponse.java
View file

@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2003, 2013, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
@ -43,6 +43,7 @@ import java.util.Map;
import javax.security.auth.x500.X500Principal; import javax.security.auth.x500.X500Principal;
import sun.misc.HexDumpEncoder; import sun.misc.HexDumpEncoder;
import sun.security.action.GetIntegerAction;
import sun.security.x509.*; import sun.security.x509.*;
import sun.security.util.*; import sun.security.util.*;
@ -144,9 +145,31 @@ public final class OCSPResponse {
// Object identifier for the OCSPSigning key purpose // Object identifier for the OCSPSigning key purpose
private static final String KP_OCSP_SIGNING_OID = "1.3.6.1.5.5.7.3.9"; private static final String KP_OCSP_SIGNING_OID = "1.3.6.1.5.5.7.3.9";
// Maximum clock skew in milliseconds (15 minutes) allowed when checking // Default maximum clock skew in milliseconds (15 minutes)
// validity of OCSP responses // allowed when checking validity of OCSP responses
private static final long MAX_CLOCK_SKEW = 900000; private static final int DEFAULT_MAX_CLOCK_SKEW = 900000;
/**
* Integer value indicating the maximum allowable clock skew, in seconds,
* to be used for the OCSP check.
*/
private static final int MAX_CLOCK_SKEW = initializeClockSkew();
/**
* Initialize the maximum allowable clock skew by getting the OCSP
* clock skew system property. If the property has not been set, or if its
* value is negative, set the skew to the default.
*/
private static int initializeClockSkew() {
Integer tmp = java.security.AccessController.doPrivileged(
new GetIntegerAction("com.sun.security.ocsp.clockSkew"));
if (tmp == null || tmp < 0) {
return DEFAULT_MAX_CLOCK_SKEW;
}
// Convert to milliseconds, as the system property will be
// specified in seconds
return tmp * 1000;
}
// an array of all of the CRLReasons (used in SingleResponse) // an array of all of the CRLReasons (used in SingleResponse)
private static CRLReason[] values = CRLReason.values(); private static CRLReason[] values = CRLReason.values();

31
jdk/src/share/classes/sun/security/provider/certpath/URICertStore.java
View file

@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2006, 2012, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2006, 2013, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
@ -51,6 +51,7 @@ import java.util.Collection;
import java.util.Collections; import java.util.Collections;
import java.util.List; import java.util.List;
import java.util.Locale; import java.util.Locale;
import sun.security.action.GetIntegerAction;
import sun.security.x509.AccessDescription; import sun.security.x509.AccessDescription;
import sun.security.x509.GeneralNameInterface; import sun.security.x509.GeneralNameInterface;
import sun.security.x509.URIName; import sun.security.x509.URIName;
@ -121,6 +122,33 @@ class URICertStore extends CertStoreSpi {
private CertStore ldapCertStore; private CertStore ldapCertStore;
private String ldapPath; private String ldapPath;
// Default maximum connect timeout in milliseconds (15 seconds)
// allowed when downloading CRLs
private static final int DEFAULT_CRL_CONNECT_TIMEOUT = 15000;
/**
* Integer value indicating the connect timeout, in seconds, to be
* used for the CRL download. A timeout of zero is interpreted as
* an infinite timeout.
*/
private static final int CRL_CONNECT_TIMEOUT = initializeTimeout();
/**
* Initialize the timeout length by getting the CRL timeout
* system property. If the property has not been set, or if its
* value is negative, set the timeout length to the default.
*/
private static int initializeTimeout() {
Integer tmp = java.security.AccessController.doPrivileged(
new GetIntegerAction("com.sun.security.crl.timeout"));
if (tmp == null || tmp < 0) {
return DEFAULT_CRL_CONNECT_TIMEOUT;
}
// Convert to milliseconds, as the system property will be
// specified in seconds
return tmp * 1000;
}
/** /**
* Creates a URICertStore. * Creates a URICertStore.
* *
@ -364,6 +392,7 @@ class URICertStore extends CertStoreSpi {
connection.setIfModifiedSince(lastModified); connection.setIfModifiedSince(lastModified);
} }
long oldLastModified = lastModified; long oldLastModified = lastModified;
connection.setConnectTimeout(CRL_CONNECT_TIMEOUT);
try (InputStream in = connection.getInputStream()) { try (InputStream in = connection.getInputStream()) {
lastModified = connection.getLastModified(); lastModified = connection.getLastModified();
if (oldLastModified != 0) { if (oldLastModified != 0) {