RFR 8078495: End time checking for native TGT is wrong

Weijun Wang weijun.wang at oracle.com
Fri Apr 24 03:29:26 UTC 2015

Hi All

Please review a fix at


which is essentially

              EndTime.dwLowDateTime = msticket->EndTime.LowPart;
              EndTime.dwHighDateTime = msticket->EndTime.HighPart;
-            FileTimeToLocalFileTime(&EndTime, &LocalEndTime);
-            if (CompareFileTime(&Now, &LocalEndTime) < 0) {
+            if (CompareFileTime(&Now, &EndTime) < 0) {
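Review bot: the new CompareFileTime(&Now, &EndTime) line depends on msticket->EndTime being a UTC value, but nothing at the comparison records that. Add a one-line comment there saying that both Now and EndTime are UTC, so the FileTimeToLocalFileTime call is not reintroduced later. With the conversion removed, LocalEndTime is no longer used in these lines; drop its declaration as well if nothing else references it.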

MSDN explicitly specifies that GetSystemTimeAsFileTime() [1] returns a 
UTC time. It is not very clear about KERB_EXTERNAL_TICKET [2], but 
according to my observation and the fact that it is directly converted 
to a KerberosTime string in the BuildKerberosTime() function, I believe 
it's also UTC.

Anyway, the FILETIME structure is a little confusing: its spec [3] says 
it's an elapsed time from an MS epoch, so it should be timezone 
independent. But then there is a FileTimeToLocalFileTime function, which 
means it can be dependent.

I believe the bug was not spotted earlier because when Java sees an 
expired ticket, it always tries to reacquire one, and returns a valid 
ticket anyway. (Fortunately it has not tried to validate the new ticket 
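
The mismatch the patch removes, as an added example that is not part of the original message or the JDK source: a portable C model showing that comparing a UTC Now against a local-shifted EndTime misjudges expiry by the zone's UTC offset. The names ft_t, ft_to_local and ticket_valid_* are hypothetical, and ft_to_local only imitates FileTimeToLocalFileTime with a fixed offset in minutes.

```c
#include <stdint.h>
#include <stdio.h>

/* Portable stand-in for Win32 FILETIME: 100 ns ticks since 1601-01-01 UTC. */
typedef struct { uint32_t lo, hi; } ft_t;

#define TICKS_PER_SEC   10000000LL
#define EPOCH_GAP_SECS  11644473600LL   /* seconds from 1601-01-01 to 1970-01-01 */

static int64_t ft_ticks(ft_t f) { return (int64_t)(((uint64_t)f.hi << 32) | f.lo); }

static ft_t ft_make(int64_t ticks) {
    ft_t f = { (uint32_t)((uint64_t)ticks & 0xFFFFFFFFu), (uint32_t)((uint64_t)ticks >> 32) };
    return f;
}

/* Hypothetical helper: Unix seconds (UTC) -> FILETIME ticks. */
ft_t ft_from_unix(int64_t secs) { return ft_make((secs + EPOCH_GAP_SECS) * TICKS_PER_SEC); }

/* Models FileTimeToLocalFileTime: shifts the value by the zone's UTC offset. */
ft_t ft_to_local(ft_t utc, int utc_offset_min) {
    return ft_make(ft_ticks(utc) + (int64_t)utc_offset_min * 60 * TICKS_PER_SEC);
}

/* Same result convention as CompareFileTime: -1, 0 or 1. */
int ft_compare(ft_t a, ft_t b) {
    int64_t x = ft_ticks(a), y = ft_ticks(b);
    return (x > y) - (x < y);
}

/* Check before the fix: UTC "now" against a local-shifted end time. */
int ticket_valid_old(ft_t now_utc, ft_t end_utc, int utc_offset_min) {
    return ft_compare(now_utc, ft_to_local(end_utc, utc_offset_min)) < 0;
}

/* Check after the fix: both operands stay in UTC. */
int ticket_valid_fixed(ft_t now_utc, ft_t end_utc) {
    return ft_compare(now_utc, end_utc) < 0;
}

int main(void) {
    ft_t now = ft_from_unix(1429846166);             /* constructed sample instant */
    ft_t expired = ft_from_unix(1429846166 - 3600);  /* ended one hour earlier */
    printf("UTC+8 host: old=%d fixed=%d\n",
           ticket_valid_old(now, expired, 480), ticket_valid_fixed(now, expired));
    return 0;
}
```

On a UTC+8 host the old check accepts a ticket that ended an hour ago, and on a UTC-8 host it rejects one that is still good for another hour; the fixed check is independent of the zone.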


