Bug | Resolution: Not an Issue | P3 | Affects: 8, 9
PKIX certpath validation is normally performed using the current time. It may also be requested to be performed at a specific time in the past by calling the PKIXParameters.setDate() method.
The PKIX revocation checker can use a CRL to check the revocation status of a certificate. CRLs have a specific validity interval, and the revocation checker examines that interval to ensure that a CRL is still current. This check seems to be performed incorrectly for backdated enquiries, i.e. when a date in the past was set by calling the PKIXParameters.setDate() method.
The revocation checker uses X509CRLSelector to retrieve appropriate CRLs:
http://hg.openjdk.java.net/jdk9/dev/jdk/file/58ec14da9fe8/src/java.base/share/classes/sun/security/provider/certpath/RevocationChecker.java#l492
...
CertPathHelper.setDateAndTime(sel, params.date(), MAX_CLOCK_SKEW);
// First, check user-specified CertStores
CertPathValidatorException networkFailureException = null;
for (CertStore store : certStores) {
    try {
        for (CRL crl : store.getCRLs(sel)) {
            possibleCRLs.add((X509CRL)crl);
        }
...
There is a check of the CRL validity period in X509CRLSelector:
http://hg.openjdk.java.net/jdk9/dev/jdk/file/58ec14da9fe8/src/java.base/share/classes/java/security/cert/X509CRLSelector.java#l682
...
if (nowMinusSkew.after(nextUpdate)
        || nowPlusSkew.before(crlThisUpdate)) {
    if (debug != null) {
        debug.println("X509CRLSelector.match: update out of range");
    }
    return false;
}
...
For backdated enquiries the nowPlusSkew.before(crlThisUpdate) condition rejects an up-to-date CRL (for example, one that was retrieved from the CRLDP extension), so match() returns false for it. As a result, the CRL is not used to check revocation status.
There was a similar issue for OCSP revocation checking, please see JDK-8020940.
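The following is an added Python model of the selector's date test quoted above; it is not JDK code. It assumes MAX_CLOCK_SKEW is 15 minutes and uses constructed CRL dates to show why a backdated validation date only selects a CRL that was current at that date, which is the behaviour the report describes.

```python
from datetime import datetime, timedelta, timezone

# Assumption: the JDK's MAX_CLOCK_SKEW is treated as 15 minutes here.
MAX_CLOCK_SKEW = timedelta(minutes=15)
UTC = timezone.utc


def crl_matches_date(this_update, next_update, date, skew=MAX_CLOCK_SKEW):
    """Model of the quoted X509CRLSelector.match() date check.

    A CRL is accepted only if `date` lies inside [thisUpdate, nextUpdate]
    widened by `skew` on both sides; otherwise it is 'update out of range'.
    """
    now_minus_skew = date - skew
    now_plus_skew = date + skew
    if now_minus_skew > next_update or now_plus_skew < this_update:
        return False
    return True


def select_crls(crls, date, skew=MAX_CLOCK_SKEW):
    """Names of the CRLs a store would return for a selector set to `date`."""
    return [c["name"] for c in crls
            if crl_matches_date(c["thisUpdate"], c["nextUpdate"], date, skew)]


# Constructed sample CRLs: one fetched today from the CRL distribution point,
# one archived copy that was current a year earlier.
FRESH_CRL = {"name": "fresh",
             "thisUpdate": datetime(2016, 3, 1, tzinfo=UTC),
             "nextUpdate": datetime(2016, 3, 8, tzinfo=UTC)}
ARCHIVED_CRL = {"name": "archived",
                "thisUpdate": datetime(2015, 3, 1, tzinfo=UTC),
                "nextUpdate": datetime(2015, 3, 8, tzinfo=UTC)}


def demo():
    """Compare a current-time validation with a backdated one."""
    now = datetime(2016, 3, 3, tzinfo=UTC)        # default: current time
    backdated = datetime(2015, 3, 3, tzinfo=UTC)  # PKIXParameters.setDate()
    return {
        # current time: the fresh CRL is selected, the archived one is stale
        "current": select_crls([FRESH_CRL, ARCHIVED_CRL], now),
        # backdated: only the CRL that was current at that date is selected
        "backdated": select_crls([FRESH_CRL, ARCHIVED_CRL], backdated),
        # the reported situation: only a fresh CRL is available, so none match
        "backdated_fresh_only": select_crls([FRESH_CRL], backdated),
    }


if __name__ == "__main__":
    print(demo())
```

The last case is what the report observes: with a date in the past and only a current CRL on hand, the selector yields nothing, so the checker has no CRL to consult.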
Relates to: JDK-8020940 Valid OCSP responses are rejected for backdated enquiries (Closed)