# HG changeset patch
# User vinnie
# Date 1436194388 -3600
# Node ID 800a35ef53653f34a706a3f11d9f6000c7d05964
# Parent 6024f54e957dfb9131a0201648f50df3ba82aa99
8075374: Responding to OCSP responses
Reviewed-by: mullan
diff -r 6024f54e957d -r 800a35ef5365 src/share/classes/java/security/cert/X509CRLSelector.java
--- a/src/share/classes/java/security/cert/X509CRLSelector.java Tue Apr 07 14:33:57 2015 +0300
+++ b/src/share/classes/java/security/cert/X509CRLSelector.java Mon Jul 06 15:53:08 2015 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000, 2009, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -679,10 +679,14 @@
 nowPlusSkew = new Date(dateAndTime.getTime() + skew);
 nowMinusSkew = new Date(dateAndTime.getTime() - skew);
 }
+
+ // Check that the test date is within the validity interval:
+ // [ thisUpdate - MAX_CLOCK_SKEW,
+ // nextUpdate + MAX_CLOCK_SKEW ]
 if (nowMinusSkew.after(nextUpdate) ||
 nowPlusSkew.before(crlThisUpdate)) {
 if (debug != null) {
- debug.println("X509CRLSelector.match: update out of range");
+ debug.println("X509CRLSelector.match: update out-of-range");
 }
 return false;
 }
diff -r 6024f54e957d -r 800a35ef5365 src/share/classes/sun/security/provider/certpath/OCSPResponse.java
--- a/src/share/classes/sun/security/provider/certpath/OCSPResponse.java Tue Apr 07 14:33:57 2015 +0300
+++ b/src/share/classes/sun/security/provider/certpath/OCSPResponse.java Mon Jul 06 15:53:08 2015 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2015, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
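Review bot: The comment added in the X509CRLSelector hunk (@@ -679) names MAX_CLOCK_SKEW, but the bound it describes is built from the local `skew` in the `new Date(dateAndTime.getTime() + skew)` / `- skew` lines at the top of the same hunk, so the comment points at an identifier this block does not use; suggest `//   [ thisUpdate - skew, nextUpdate + skew ]` so the documented window matches what nowMinusSkew and nowPlusSkew actually hold. The condition itself also calls `nowMinusSkew.after(nextUpdate)` with no null guard inside the hunk; nextUpdate is optional in a CRL, so this presumably relies on an earlier check in match() that is not visible here — worth confirming, since otherwise a CRL without nextUpdate would surface as a NullPointerException rather than a non-match. match() starts and ends outside the hunk.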
@@ -154,8 +154,8 @@ private static final int DEFAULT_MAX_CLOCK_SKEW = 900000; /** - * Integer value indicating the maximum allowable clock skew, in seconds, - * to be used for the OCSP check. + * Integer value indicating the maximum allowable clock skew, + * in milliseconds, to be used for the OCSP check. */ private static final int MAX_CLOCK_SKEW = initializeClockSkew(); @@ -709,12 +709,18 @@ if (nextUpdate != null) { until = " until " + nextUpdate; } - DEBUG.println("Response's validity interval is from " + - thisUpdate + until); + DEBUG.println("OCSP response validity interval is from " + + thisUpdate + until); } // Check that the test date is within the validity interval if ((thisUpdate != null && nowPlusSkew.before(thisUpdate)) || (nextUpdate != null && nowMinusSkew.after(nextUpdate))) { + // Check that the test date is within the validity interval: + // [ thisUpdate - MAX_CLOCK_SKEW, + // MAX(thisUpdate, nextUpdate) + MAX_CLOCK_SKEW ] + if (nowPlusSkew.before(thisUpdate) || + nowMinusSkew.after( + nextUpdate != null ? nextUpdate : thisUpdate)) if (DEBUG != null) { DEBUG.println("Response is unreliable: its validity " +
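Review bot: In the @@ -154 hunk the corrected Javadoc on MAX_CLOCK_SKEW now states milliseconds, but the context line `private static final int DEFAULT_MAX_CLOCK_SKEW = 900000;` that defines the actual number still carries no unit, and a bare 900000 is exactly what invited the seconds-versus-milliseconds error this hunk corrects (15 minutes in one reading, roughly ten days in the other). Suggest `private static final int DEFAULT_MAX_CLOCK_SKEW = 900000; // 15 minutes, in milliseconds`, and a sentence in the MAX_CLOCK_SKEW Javadoc saying the value falls back to DEFAULT_MAX_CLOCK_SKEW unless initializeClockSkew() supplies another one (presumably from a configurable setting — confirm against that method). Because the skew widens the interval in which an OCSP response is still accepted as current, the unit belongs next to the number so a future edit cannot silently stretch that window.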