authorawnuk <awnuk@c9f7a03b-bd48-0410-a16d-cbbf54688b0b>2009-03-06 23:06:43 +0000
committerawnuk <awnuk@c9f7a03b-bd48-0410-a16d-cbbf54688b0b>2009-03-06 23:06:43 +0000
commitf4bcd2920a82e641be09bac252e45966318c455a (patch)
tree11b00965cc57c434a8e73e84d2590345fb785e81 /pki/base/ca/src
parentea751a77126d051f87442e2ff78b159596e69ed9 (diff)
Fixed bugzilla bug #241423.
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@279 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
Diffstat (limited to 'pki/base/ca/src')
-rw-r--r--pki/base/ca/src/com/netscape/ca/CRLIssuingPoint.java40
1 files changed, 36 insertions, 4 deletions
diff --git a/pki/base/ca/src/com/netscape/ca/CRLIssuingPoint.java b/pki/base/ca/src/com/netscape/ca/CRLIssuingPoint.java
index f529f1fc7..3c8be4c39 100644
--- a/pki/base/ca/src/com/netscape/ca/CRLIssuingPoint.java
+++ b/pki/base/ca/src/com/netscape/ca/CRLIssuingPoint.java
@@ -127,6 +127,7 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable {
private Hashtable mUnrevokedCerts = new Hashtable();
private Hashtable mExpiredCerts = new Hashtable();
private boolean mIncludeExpiredCerts = false;
+ private boolean mIncludeExpiredCertsOneExtraTime = false;
private boolean mCACertsOnly = false;
private boolean mProfileCertsOnly = false;
@@ -235,6 +236,7 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable {
* Last CRL update date
*/
private Date mLastUpdate;
+ private Date mLastFullUpdate;
/**
* Next scheduled CRL update date
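Review bot: The new field `mLastFullUpdate` has no Javadoc of its own and sits directly under the "Last CRL update date" comment that belongs to `mLastUpdate`, so its meaning has to be reverse-engineered from the later hunks. Judging by those hunks it holds the thisUpdate of the most recent full CRL and is null until one has been loaded or generated. A comment such as `/** thisUpdate of the last full CRL; null until a full CRL has been loaded or generated */` would make the null case explicit, which matters because the expiry logic treats null specially.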
@@ -584,6 +586,7 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable {
mAllowExtensions = config.getBoolean(Constants.PR_EXTENSIONS, false);
mIncludeExpiredCerts = config.getBoolean(Constants.PR_INCLUDE_EXPIREDCERTS, false);
+ mIncludeExpiredCertsOneExtraTime = config.getBoolean(Constants.PR_INCLUDE_EXPIREDCERTS_ONEEXTRATIME, false);
mCACertsOnly = config.getBoolean(Constants.PR_CA_CERTS_ONLY, false);
mProfileCertsOnly = config.getBoolean(Constants.PR_PROFILE_CERTS_ONLY, false);
if (mProfileCertsOnly) {
@@ -683,6 +686,7 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable {
if (mLastUpdate == null) {
mLastUpdate = new Date(0L);
}
+ mLastFullUpdate = null;
mNextUpdate = crlRecord.getNextUpdate();
if (isDeltaCRLEnabled()) {
@@ -718,6 +722,7 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable {
}
}
if (x509crl != null) {
+ mLastFullUpdate = x509crl.getThisUpdate();
if (mEnableCRLCache) {
if (mCRLCacheIsCleared && mUpdatingCRL == CRL_UPDATE_DONE) {
mRevokedCerts = crlRecord.getRevokedCerts();
@@ -984,6 +989,14 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable {
}
}
+ if (name.equals(Constants.PR_INCLUDE_EXPIREDCERTS_ONEEXTRATIME)) {
+ if (value.equals(Constants.FALSE) && mIncludeExpiredCertsOneExtraTime) {
+ mIncludeExpiredCertsOneExtraTime = false;
+ } else if (value.equals(Constants.TRUE) && (!mIncludeExpiredCertsOneExtraTime)) {
+ mIncludeExpiredCertsOneExtraTime = true;
+ }
+ }
+
if (name.equals(Constants.PR_CA_CERTS_ONLY)) {
if (value.equals(Constants.FALSE) && mCACertsOnly) {
clearCRLCache();
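Review bot: The two branches for `PR_INCLUDE_EXPIREDCERTS_ONEEXTRATIME` test the current value of the flag before assigning it, but unlike the `PR_CA_CERTS_ONLY` branch below there is no side effect such as `clearCRLCache()` that the test would protect. The guards can be dropped without changing behaviour: `if (value.equals(Constants.FALSE)) { mIncludeExpiredCertsOneExtraTime = false; } else if (value.equals(Constants.TRUE)) { mIncludeExpiredCertsOneExtraTime = true; }`. If a cache reset was intended when this option changes, it is missing here. The enclosing method starts and ends outside the hunk.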
@@ -2086,7 +2099,20 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable {
Hashtable deltaCRLCerts = (Hashtable) clonedRevokedCerts.clone();
deltaCRLCerts.putAll(clonedUnrevokedCerts);
- deltaCRLCerts.putAll(clonedExpiredCerts);
+ if (mIncludeExpiredCertsOneExtraTime) {
+ if (!clonedExpiredCerts.isEmpty()) {
+ for (Enumeration e = clonedExpiredCerts.keys(); e.hasMoreElements();) {
+ BigInteger serialNumber = (BigInteger) e.nextElement();
+ if ((mLastFullUpdate != null &&
+ mLastFullUpdate.after(((RevokedCertificate)(mExpiredCerts.get(serialNumber))).getRevocationDate())) ||
+ mLastFullUpdate == null) {
+ deltaCRLCerts.put(serialNumber, clonedExpiredCerts.get(serialNumber));
+ }
+ }
+ }
+ } else {
+ deltaCRLCerts.putAll(clonedExpiredCerts);
+ }
mLastCRLNumber = mCRLNumber;
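Review bot: The revocation date in the `mLastFullUpdate.after(...)` test is read from the live `mExpiredCerts` table while the loop iterates the keys of `clonedExpiredCerts`, so a serial number that is no longer in `mExpiredCerts` makes `get()` return null and the call throws a NullPointerException in the middle of CRL generation. The class is a Runnable and this code otherwise works on cloned tables, which suggests the live table can change underneath it; if so, read from the snapshot instead: `((RevokedCertificate) clonedExpiredCerts.get(serialNumber)).getRevocationDate()`. The same lookup appears in the full-CRL hunk at `@@ -2218`. The condition also reads more simply as `mLastFullUpdate == null || mLastFullUpdate.after(...)`, and the `isEmpty()` guard around the loop is redundant. The enclosing method starts and ends outside the hunk.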
@@ -2218,13 +2244,19 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable {
for (Enumeration e = clonedExpiredCerts.keys(); e.hasMoreElements();) {
BigInteger serialNumber = (BigInteger) e.nextElement();
- if (mCRLCerts.containsKey(serialNumber)) {
- mCRLCerts.remove(serialNumber);
+ if ((!mIncludeExpiredCertsOneExtraTime) ||
+ (mLastFullUpdate != null &&
+ mLastFullUpdate.after(((RevokedCertificate)(mExpiredCerts.get(serialNumber))).getRevocationDate())) ||
+ mLastFullUpdate == null) {
+ if (mCRLCerts.containsKey(serialNumber)) {
+ mCRLCerts.remove(serialNumber);
+ }
+ mExpiredCerts.remove(serialNumber);
}
- mExpiredCerts.remove(serialNumber);
}
}
}
+ mLastFullUpdate = mLastUpdate;
}
mSplits[5] += System.currentTimeMillis();
}
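Review bot: When `mLastFullUpdate` is null the `mLastFullUpdate == null` arm of the condition falls through to removal, so every expired entry is dropped from `mCRLCerts` and `mExpiredCerts` at once even with the one-extra-time option enabled. The field is reset to null during initialisation and only repopulated when a stored CRL decodes (`x509crl != null`), so after a restart without a readable CRL a certificate revoked shortly before it expired may never appear in a full CRL, and relying parties would not see that revocation. Consider keeping the entries in the null case when the option is on, or at least logging that the extra inclusion was skipped. The enclosing method begins outside the hunk.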