8238452: Keytool generates wrong expiration date if validity is set t…

…o 2050/01/01

Reviewed-by: pkoppula, weijun, coffeys

src/java.base/share/classes/sun/security/x509/CertificateValidity.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2020, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -51,7 +51,10 @@ public class CertificateValidity implements CertAttrSet<String> {
     public static final String NAME = "validity";
     public static final String NOT_BEFORE = "notBefore";
     public static final String NOT_AFTER = "notAfter";
-    private static final long YR_2050 = 2524636800000L;
+    /**
+     * YR_2050 date and time set to Jan01 00:00 2050 GMT
+     */
+    static final long YR_2050 = 2524608000000L;
 
     // Private data members
     private Date        notBefore;

src/java.base/share/classes/sun/security/x509/X509CRLEntryImpl.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2020, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -77,7 +77,6 @@ public class X509CRLEntryImpl extends X509CRLEntry
     private X500Principal certIssuer;
 
     private static final boolean isExplicit = false;
-    private static final long YR_2050 = 2524636800000L;
 
     /**
      * Constructs a revoked certificate entry using the given
@@ -162,7 +161,7 @@ public void encode(DerOutputStream outStrm) throws CRLException {
                 // sequence { serialNumber, revocationDate, extensions }
                 serialNumber.encode(tmp);
 
-                if (revocationDate.getTime() < YR_2050) {
+                if (revocationDate.getTime() < CertificateValidity.YR_2050) {
                     tmp.putUTCTime(revocationDate);
                 } else {
                     tmp.putGeneralizedTime(revocationDate);

src/java.base/share/classes/sun/security/x509/X509CRLImpl.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2019, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2020, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -99,7 +99,6 @@ public class X509CRLImpl extends X509CRL implements DerEncoder {
     private List<X509CRLEntry> revokedList = new LinkedList<>();
     private CRLExtensions    extensions = null;
     private static final boolean isExplicit = true;
-    private static final long YR_2050 = 2524636800000L;
 
     private boolean readOnly = false;
 
@@ -286,13 +285,13 @@ public void encodeInfo(OutputStream out) throws CRLException {
                 throw new CRLException("Null Issuer DN not allowed in v1 CRL");
             issuer.encode(tmp);
 
-            if (thisUpdate.getTime() < YR_2050)
+            if (thisUpdate.getTime() < CertificateValidity.YR_2050)
                 tmp.putUTCTime(thisUpdate);
             else
                 tmp.putGeneralizedTime(thisUpdate);
 
             if (nextUpdate != null) {
-                if (nextUpdate.getTime() < YR_2050)
+                if (nextUpdate.getTime() < CertificateValidity.YR_2050)
                     tmp.putUTCTime(nextUpdate);
                 else
                     tmp.putGeneralizedTime(nextUpdate);

test/jdk/sun/security/x509/X509CertImpl/CertificateValidation.java

@@ -0,0 +1,60 @@
+/*
+ * Copyright (c) 2020 Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * @test
+ * @bug 8238452
+ * @modules java.base/sun.security.x509
+ *          java.base/sun.security.tools.keytool
+ * @summary This test generates V3 certificate with certain validity period
+ * and checks whether the validity has expired or not.
+ */
+
+import sun.security.tools.keytool.CertAndKeyGen;
+import java.security.cert.X509Certificate;
+import java.util.Calendar;
+import java.util.Date;
+import java.util.TimeZone;
+import sun.security.x509.X509CertImpl;
+import sun.security.x509.X500Name;
+
+
+public class CertificateValidation {
+
+    public static void main(String[] args) throws Exception {
+
+        Calendar cal = Calendar.getInstance(TimeZone.getTimeZone("GMT"));
+        cal.set(2050, 00, 01, 01, 00, 00);
+        Date lastDate = cal.getTime();
+        // Seconds till lastDate plus one hour
+        long validity = (lastDate.getTime() - System.currentTimeMillis())/1000L + 3600;
+        Date firstDate = new Date(lastDate.getTime() - validity * 1000L);
+        CertAndKeyGen ckg = new CertAndKeyGen("RSA", "SHA256withRSA");
+        ckg.generate(2048);
+        X509Certificate crt = ckg.getSelfCertificate(
+                new X500Name("CN=Me"), firstDate, validity);
+        byte[] encoded = crt.getEncoded();
+        X509CertImpl certImpl = new X509CertImpl(encoded);
+        certImpl.checkValidity();
+    }
+}