JDK-8072067

Valid CRL is rejected for backdated enquiries

    Details

    • Type: Bug
    • Status: Closed
    • Priority: P3
    • Resolution: Not an Issue
    • Affects Version/s: 8, 9
    • Fix Version/s: None
    • Component/s: security-libs
    • Labels: None

      Description

      PKIX certpath validation is normally performed using the current time. It may also be requested to be performed at a specific time in the past by calling the PKIXParameters.setDate() method.

      The PKIX revocation checker can use CRLs to check the revocation status of a certificate. CRLs have a specific validity interval, and the revocation checker examines that interval to ensure that a CRL is still current. This check seems to be performed incorrectly for backdated enquiries, i.e. when a date in the past was set by calling the PKIXParameters.setDate() method.

      The revocation checker uses X509CRLSelector to retrieve the appropriate CRLs:

      http://hg.openjdk.java.net/jdk9/dev/jdk/file/58ec14da9fe8/src/java.base/share/classes/sun/security/provider/certpath/RevocationChecker.java#l492

      ...
          CertPathHelper.setDateAndTime(sel, params.date(), MAX_CLOCK_SKEW);

          // First, check user-specified CertStores
          CertPathValidatorException networkFailureException = null;
          for (CertStore store : certStores) {
              try {
                  for (CRL crl : store.getCRLs(sel)) {
                      possibleCRLs.add((X509CRL)crl);
                  }
      ...

      There is a check of the CRL validity period in X509CRLSelector:

      http://hg.openjdk.java.net/jdk9/dev/jdk/file/58ec14da9fe8/src/java.base/share/classes/java/security/cert/X509CRLSelector.java#l682

      ...
          if (nowMinusSkew.after(nextUpdate)
              || nowPlusSkew.before(crlThisUpdate)) {
              if (debug != null) {
                  debug.println("X509CRLSelector.match: update out of range");
              }
              return false;
          }
      ...

      nowPlusSkew.before(crlThisUpdate) returns false for backdated enquiries if an up-to-date CRL is used (for example, one that was retrieved via the CRLDP extension). As a result, the CRL is not used to check revocation status.
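      As an added illustration (example code, not JDK source), the following Java mirrors the validity-window test quoted from X509CRLSelector above and runs it for a current and a backdated validation date against the same freshly issued CRL; the MAX_CLOCK_SKEW value and all dates are constructed for the demonstration.

```java
import java.util.Date;
import java.util.concurrent.TimeUnit;

/**
 * Added example, not JDK code: reproduces the "update out of range" test that
 * X509CRLSelector.match applies after RevocationChecker has called
 * CertPathHelper.setDateAndTime(sel, params.date(), MAX_CLOCK_SKEW).
 */
public class CrlWindowCheck {

    // Assumption: a 15-minute skew, constructed for this demonstration.
    static final long MAX_CLOCK_SKEW = TimeUnit.MINUTES.toMillis(15);

    /** Same test as the quoted selector code: true when the CRL is usable at 'date'. */
    static boolean updateInRange(Date date, long skew, Date crlThisUpdate, Date nextUpdate) {
        Date nowMinusSkew = new Date(date.getTime() - skew);
        Date nowPlusSkew = new Date(date.getTime() + skew);
        if (nowMinusSkew.after(nextUpdate) || nowPlusSkew.before(crlThisUpdate)) {
            return false; // selector reports "update out of range" and drops the CRL
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed CRL: issued an hour ago, next update a week from now.
        long now = System.currentTimeMillis();
        Date thisUpdate = new Date(now - TimeUnit.HOURS.toMillis(1));
        Date nextUpdate = new Date(now + TimeUnit.DAYS.toMillis(7));

        // Validation at the current time: the fresh CRL lies inside the window.
        System.out.println("current:   "
            + updateInRange(new Date(now), MAX_CLOCK_SKEW, thisUpdate, nextUpdate));

        // Backdated validation (PKIXParameters.setDate() 30 days ago) against the
        // same fresh CRL: nowPlusSkew is before thisUpdate, so the CRL is rejected
        // and revocation status cannot be established from it.
        Date backdated = new Date(now - TimeUnit.DAYS.toMillis(30));
        System.out.println("backdated: "
            + updateInRange(backdated, MAX_CLOCK_SKEW, thisUpdate, nextUpdate));

        // A backdated check needs a CRL whose own validity interval covers that
        // date, e.g. an archived CRL issued shortly before it.
        Date archivedThis = new Date(backdated.getTime() - TimeUnit.DAYS.toMillis(1));
        Date archivedNext = new Date(backdated.getTime() + TimeUnit.DAYS.toMillis(6));
        System.out.println("archived:  "
            + updateInRange(backdated, MAX_CLOCK_SKEW, archivedThis, archivedNext));
    }
}
```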

      There was a similar issue for OCSP revocation checking; see JDK-8020940.

      People

      • Assignee: Sean Mullan (mullan)
      • Reporter: Artem Smotrakov (asmotrak)
      • Votes: 0
      • Watchers: 2
