changeset 8232:800a35ef5365
8075374: Responding to OCSP responses
Reviewed-by: mullan
author | vinnie |
---|---|
date | Mon, 06 Jul 2015 15:53:08 +0100 |
parents | 6024f54e957d |
children | d04853b8a545 |
files | src/share/classes/java/security/cert/X509CRLSelector.java src/share/classes/sun/security/provider/certpath/OCSPResponse.java |
diffstat | 2 files changed, 17 insertions(+), 7 deletions(-) [+] |
--- a/src/share/classes/java/security/cert/X509CRLSelector.java Tue Apr 07 14:33:57 2015 +0300
+++ b/src/share/classes/java/security/cert/X509CRLSelector.java Mon Jul 06 15:53:08 2015 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000, 2009, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -679,10 +679,14 @@
 nowPlusSkew = new Date(dateAndTime.getTime() + skew);
 nowMinusSkew = new Date(dateAndTime.getTime() - skew);
 }
+
+ // Check that the test date is within the validity interval:
+ // [ thisUpdate - MAX_CLOCK_SKEW,
+ // nextUpdate + MAX_CLOCK_SKEW ]
 if (nowMinusSkew.after(nextUpdate) ||
 nowPlusSkew.before(crlThisUpdate)) {
 if (debug != null) {
- debug.println("X509CRLSelector.match: update out of range");
+ debug.println("X509CRLSelector.match: update out-of-range");
 }
 return false;
 }
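Review bot: The added comment describes the window as `[ thisUpdate - MAX_CLOCK_SKEW, nextUpdate + MAX_CLOCK_SKEW ]`, but the check directly beneath it is written in terms of the local `skew` (the value used in the two assignments just above) and `crlThisUpdate`, and no `MAX_CLOCK_SKEW` symbol appears anywhere in this file's hunk, so a reader grepping for the name will find nothing. I would word the comment in the names the code actually uses: `// [ crlThisUpdate - skew, nextUpdate + skew ]`, with a half-sentence saying that `skew` is the tolerance applied on both ends. Separately, `nowMinusSkew.after(nextUpdate)` dereferences `nextUpdate` while `X509CRL.getNextUpdate()` may return null; presumably `match()` rejects a CRL without a nextUpdate earlier, but that guard is outside the hunk and worth confirming. The enclosing `match` method starts and ends outside this hunk.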
--- a/src/share/classes/sun/security/provider/certpath/OCSPResponse.java Tue Apr 07 14:33:57 2015 +0300
+++ b/src/share/classes/sun/security/provider/certpath/OCSPResponse.java Mon Jul 06 15:53:08 2015 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2015, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -154,8 +154,8 @@
 private static final int DEFAULT_MAX_CLOCK_SKEW = 900000;
 /**
- * Integer value indicating the maximum allowable clock skew, in seconds,
- * to be used for the OCSP check.
+ * Integer value indicating the maximum allowable clock skew,
+ * in milliseconds, to be used for the OCSP check.
  */
 private static final int MAX_CLOCK_SKEW = initializeClockSkew();
@@ -709,12 +709,18 @@
 if (nextUpdate != null) {
 until = " until " + nextUpdate;
 }
- DEBUG.println("Response's validity interval is from " +
- thisUpdate + until);
+ DEBUG.println("OCSP response validity interval is from " +
+ thisUpdate + until);
 }
// Check that the test date is within the validity interval
if ((thisUpdate != null && nowPlusSkew.before(thisUpdate)) ||
(nextUpdate != null && nowMinusSkew.after(nextUpdate))) {
+ // Check that the test date is within the validity interval:
+ // [ thisUpdate - MAX_CLOCK_SKEW,
+ // MAX(thisUpdate, nextUpdate) + MAX_CLOCK_SKEW ]
+ if (nowPlusSkew.before(thisUpdate) ||
+ nowMinusSkew.after(
+ nextUpdate != null ? nextUpdate : thisUpdate))
 if (DEBUG != null) {
 DEBUG.println("Response is unreliable: its validity " +
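Review bot: The corrected javadoc on `MAX_CLOCK_SKEW` now says milliseconds, but the neighbouring `DEFAULT_MAX_CLOCK_SKEW = 900000` still carries no unit and the javadoc does not say where `initializeClockSkew()` obtains the value, so the next reader has to re-derive the unit from the magic number. I would annotate the default as `private static final int DEFAULT_MAX_CLOCK_SKEW = 900000; // 15 minutes, in milliseconds` and add one sentence to the javadoc stating that the value comes from `initializeClockSkew()` (defined outside this hunk) and is interpreted in milliseconds as well. If that initializer reads an override from a configuration property, the property's unit should be stated in the same place, because a seconds-versus-milliseconds confusion changes the tolerated OCSP validity window by a factor of a thousand. The third hunk of this file, which rewrites the validity-interval check itself, is cut off at the end of the page and I have not reviewed it.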