Mercurial > hg > openjdk > aarch64-port > jdk
changeset 11000:5a49012971bb
8075374: Responding to OCSP responses
Reviewed-by: mullan
| author | vinnie |
|---|---|
| date | Tue, 14 Apr 2015 01:27:32 -0700 |
| parents | 7fc613cf3be2 |
| children | 3ed614d4eee7 |
| files | src/share/classes/java/security/cert/X509CRLSelector.java src/share/classes/sun/security/provider/certpath/OCSPResponse.java |
| diffstat | 2 files changed, 20 insertions(+), 10 deletions(-) [+] |
line wrap: on
line diff
--- a/src/share/classes/java/security/cert/X509CRLSelector.java Wed Apr 22 23:27:30 2015 +0800 +++ b/src/share/classes/java/security/cert/X509CRLSelector.java Tue Apr 14 01:27:32 2015 -0700 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -679,10 +679,14 @@ nowPlusSkew = new Date(dateAndTime.getTime() + skew); nowMinusSkew = new Date(dateAndTime.getTime() - skew); } + + // Check that the test date is within the validity interval: + // [ thisUpdate - MAX_CLOCK_SKEW, + // nextUpdate + MAX_CLOCK_SKEW ] if (nowMinusSkew.after(nextUpdate) || nowPlusSkew.before(crlThisUpdate)) { if (debug != null) { - debug.println("X509CRLSelector.match: update out of range"); + debug.println("X509CRLSelector.match: update out-of-range"); } return false; }
--- a/src/share/classes/sun/security/provider/certpath/OCSPResponse.java Wed Apr 22 23:27:30 2015 +0800 +++ b/src/share/classes/sun/security/provider/certpath/OCSPResponse.java Tue Apr 14 01:27:32 2015 -0700 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2003, 2014, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2003, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -151,8 +151,8 @@ private static final int DEFAULT_MAX_CLOCK_SKEW = 900000; /** - * Integer value indicating the maximum allowable clock skew, in seconds, - * to be used for the OCSP check. + * Integer value indicating the maximum allowable clock skew, + * in milliseconds, to be used for the OCSP check. */ private static final int MAX_CLOCK_SKEW = initializeClockSkew(); @@ -586,13 +586,14 @@ "Unable to verify OCSP Response's signature"); } - // Check freshness of OCSPResponse if (nonce != null) { if (responseNonce != null && !Arrays.equals(nonce, responseNonce)) { throw new CertPathValidatorException("Nonces don't match"); } } + // Check freshness of OCSPResponse + long now = (date == null) ? System.currentTimeMillis() : date.getTime(); Date nowPlusSkew = new Date(now + MAX_CLOCK_SKEW); Date nowMinusSkew = new Date(now - MAX_CLOCK_SKEW); @@ -602,13 +603,18 @@ if (sr.nextUpdate != null) { until = " until " + sr.nextUpdate; } - debug.println("Response's validity interval is from " + + debug.println("OCSP response validity interval is from " + sr.thisUpdate + until); + debug.println("Checking validity of OCSP response on: " + + new Date(now)); } - // Check that the test date is within the validity interval - if ((sr.thisUpdate != null && nowPlusSkew.before(sr.thisUpdate)) || - (sr.nextUpdate != null && nowMinusSkew.after(sr.nextUpdate))) + // Check that the test date is within the validity interval: + // [ thisUpdate - MAX_CLOCK_SKEW, + // MAX(thisUpdate, nextUpdate) + MAX_CLOCK_SKEW ] + if (nowPlusSkew.before(sr.thisUpdate) || + nowMinusSkew.after( + sr.nextUpdate != null ? sr.nextUpdate : sr.thisUpdate)) { throw new CertPathValidatorException( "Response is unreliable: its validity " +