Skip to content
Permalink
Browse files

8238452: Keytool generates wrong expiration date if validity is set t…

…o 2050/01/01

Reviewed-by: pkoppula, weijun, coffeys
  • Loading branch information
raviniitw2012 authored and coffeys committed Feb 26, 2020
1 parent b08595d commit 9b12c80e211cf466ce1a880f312d15e4ebb20780
@@ -1,5 +1,5 @@
/*
* Copyright (c) 1997, 2011, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1997, 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -51,7 +51,10 @@
public static final String NAME = "validity";
public static final String NOT_BEFORE = "notBefore";
public static final String NOT_AFTER = "notAfter";
private static final long YR_2050 = 2524636800000L;
/**
* YR_2050 date and time set to Jan01 00:00 2050 GMT
*/
static final long YR_2050 = 2524608000000L;

// Private data members
private Date notBefore;
@@ -1,5 +1,5 @@
/*
* Copyright (c) 1997, 2015, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1997, 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -77,7 +77,6 @@
private X500Principal certIssuer;

private static final boolean isExplicit = false;
private static final long YR_2050 = 2524636800000L;

/**
* Constructs a revoked certificate entry using the given
@@ -162,7 +161,7 @@ public void encode(DerOutputStream outStrm) throws CRLException {
// sequence { serialNumber, revocationDate, extensions }
serialNumber.encode(tmp);

if (revocationDate.getTime() < YR_2050) {
if (revocationDate.getTime() < CertificateValidity.YR_2050) {
tmp.putUTCTime(revocationDate);
} else {
tmp.putGeneralizedTime(revocationDate);
@@ -1,5 +1,5 @@
/*
* Copyright (c) 1997, 2019, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1997, 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -99,7 +99,6 @@
private List<X509CRLEntry> revokedList = new LinkedList<>();
private CRLExtensions extensions = null;
private static final boolean isExplicit = true;
private static final long YR_2050 = 2524636800000L;

private boolean readOnly = false;

@@ -286,13 +285,13 @@ public void encodeInfo(OutputStream out) throws CRLException {
throw new CRLException("Null Issuer DN not allowed in v1 CRL");
issuer.encode(tmp);

if (thisUpdate.getTime() < YR_2050)
if (thisUpdate.getTime() < CertificateValidity.YR_2050)
tmp.putUTCTime(thisUpdate);
else
tmp.putGeneralizedTime(thisUpdate);

if (nextUpdate != null) {
if (nextUpdate.getTime() < YR_2050)
if (nextUpdate.getTime() < CertificateValidity.YR_2050)
tmp.putUTCTime(nextUpdate);
else
tmp.putGeneralizedTime(nextUpdate);
@@ -0,0 +1,60 @@
/*
* Copyright (c) 2020 Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/

/*
* @test
* @bug 8238452
* @modules java.base/sun.security.x509
* java.base/sun.security.tools.keytool
* @summary This test generates V3 certificate with certain validity period
* and checks whether the validity has expired or not.
*/

import sun.security.tools.keytool.CertAndKeyGen;
import java.security.cert.X509Certificate;
import java.util.Calendar;
import java.util.Date;
import java.util.TimeZone;
import sun.security.x509.X509CertImpl;
import sun.security.x509.X500Name;


public class CertificateValidation {

public static void main(String[] args) throws Exception {

Calendar cal = Calendar.getInstance(TimeZone.getTimeZone("GMT"));
cal.set(2050, 00, 01, 01, 00, 00);
Date lastDate = cal.getTime();
// Seconds till lastDate plus one hour
long validity = (lastDate.getTime() - System.currentTimeMillis())/1000L + 3600;
Date firstDate = new Date(lastDate.getTime() - validity * 1000L);
CertAndKeyGen ckg = new CertAndKeyGen("RSA", "SHA256withRSA");
ckg.generate(2048);
X509Certificate crt = ckg.getSelfCertificate(
new X500Name("CN=Me"), firstDate, validity);
byte[] encoded = crt.getEncoded();
X509CertImpl certImpl = new X509CertImpl(encoded);
certImpl.checkValidity();
}
}

0 comments on commit 9b12c80

Please sign in to comment.