# HG changeset patch # User vinnie # Date 1429000052 25200 # Node ID 5a49012971bb18da9c9bdf0c7bd40ce5b4eacb3f # Parent 7fc613cf3be2088ae950fff6c2b00af52848038e 8075374: Responding to OCSP responses Reviewed-by: mullan diff -r 7fc613cf3be2 -r 5a49012971bb src/share/classes/java/security/cert/X509CRLSelector.java --- a/src/share/classes/java/security/cert/X509CRLSelector.java Wed Apr 22 23:27:30 2015 +0800 +++ b/src/share/classes/java/security/cert/X509CRLSelector.java Tue Apr 14 01:27:32 2015 -0700 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -679,10 +679,14 @@ nowPlusSkew = new Date(dateAndTime.getTime() + skew); nowMinusSkew = new Date(dateAndTime.getTime() - skew); } + + // Check that the test date is within the validity interval: + // [ thisUpdate - MAX_CLOCK_SKEW, + // nextUpdate + MAX_CLOCK_SKEW ] if (nowMinusSkew.after(nextUpdate) || nowPlusSkew.before(crlThisUpdate)) { if (debug != null) { - debug.println("X509CRLSelector.match: update out of range"); + debug.println("X509CRLSelector.match: update out-of-range"); } return false; } diff -r 7fc613cf3be2 -r 5a49012971bb src/share/classes/sun/security/provider/certpath/OCSPResponse.java --- a/src/share/classes/sun/security/provider/certpath/OCSPResponse.java Wed Apr 22 23:27:30 2015 +0800 +++ b/src/share/classes/sun/security/provider/certpath/OCSPResponse.java Tue Apr 14 01:27:32 2015 -0700 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2003, 2014, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2003, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it 
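Review bot: The comment added in the X509CRLSelector hunk before the range test names `MAX_CLOCK_SKEW`, but the interval this code actually enforces is built from the selector's `skew` value (`nowPlusSkew = new Date(dateAndTime.getTime() + skew)` two lines above) and the CRL's `crlThisUpdate`, so the text reads as if a class constant were involved; unless X509CRLSelector defines one, it looks copied over from OCSPResponse. I would make the comment match the identifiers in this method: `// Check that the test date is within the validity interval:` / `//   [ crlThisUpdate - skew, nextUpdate + skew ]`. The enclosing method starts before this hunk and continues after it, so the origin of `skew` is not visible here.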
@@ -151,8 +151,8 @@ private static final int DEFAULT_MAX_CLOCK_SKEW = 900000; /** - * Integer value indicating the maximum allowable clock skew, in seconds, - * to be used for the OCSP check. + * Integer value indicating the maximum allowable clock skew, + * in milliseconds, to be used for the OCSP check. */ private static final int MAX_CLOCK_SKEW = initializeClockSkew(); @@ -586,13 +586,14 @@ "Unable to verify OCSP Response's signature"); } - // Check freshness of OCSPResponse if (nonce != null) { if (responseNonce != null && !Arrays.equals(nonce, responseNonce)) { throw new CertPathValidatorException("Nonces don't match"); } } + // Check freshness of OCSPResponse + long now = (date == null) ? System.currentTimeMillis() : date.getTime(); Date nowPlusSkew = new Date(now + MAX_CLOCK_SKEW); Date nowMinusSkew = new Date(now - MAX_CLOCK_SKEW); @@ -602,13 +603,18 @@ if (sr.nextUpdate != null) { until = " until " + sr.nextUpdate; } - debug.println("Response's validity interval is from " + + debug.println("OCSP response validity interval is from " + sr.thisUpdate + until); + debug.println("Checking validity of OCSP response on: " + + new Date(now)); } - // Check that the test date is within the validity interval - if ((sr.thisUpdate != null && nowPlusSkew.before(sr.thisUpdate)) || - (sr.nextUpdate != null && nowMinusSkew.after(sr.nextUpdate))) + // Check that the test date is within the validity interval: + // [ thisUpdate - MAX_CLOCK_SKEW, + // MAX(thisUpdate, nextUpdate) + MAX_CLOCK_SKEW ] + if (nowPlusSkew.before(sr.thisUpdate) || + nowMinusSkew.after( + sr.nextUpdate != null ? sr.nextUpdate : sr.thisUpdate)) { throw new CertPathValidatorException( "Response is unreliable: its validity " +
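Review bot: The Javadoc now says milliseconds, but `DEFAULT_MAX_CLOCK_SKEW = 900000` on the hunk's first line still carries no unit, so a reader has to work out that the default is 15 minutes; I would annotate it as `private static final int DEFAULT_MAX_CLOCK_SKEW = 900000; // 15 minutes, in milliseconds`. If `initializeClockSkew()` (outside this hunk) takes an override from a system property expressed in seconds and scales it, the Javadoc on `MAX_CLOCK_SKEW` is also the right place to say that the configured value and the stored value differ in unit, since that mismatch is presumably what the old "in seconds" wording reflected.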
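Review bot: Once freshness is measured against the caller-supplied `date` (`long now = (date == null) ? System.currentTimeMillis() : date.getTime();`), the thisUpdate/nextUpdate window becomes the only bound on replaying an old response whenever the responder returns no nonce, because the check just above (`responseNonce != null && !Arrays.equals(nonce, responseNonce)`) silently accepts a response that omits the nonce that was requested. That leniency is probably deliberate for responders that ignore the extension, but it deserves to be visible: a debug line such as `if (responseNonce == null && debug != null) debug.println("OCSP response has no nonce; relying on freshness check");` inside the `nonce != null` branch would make a replayed or cached response easier to diagnose. A comment above the `now` line noting that `date` is the validation time supplied by the caller and that null falls back to the wall clock would also help, since that substitution is the behavioural change here. The enclosing method starts before this hunk and continues after it.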