changeset 8232:800a35ef5365

8075374: Responding to OCSP responses Reviewed-by: mullan
author vinnie
date Mon, 06 Jul 2015 15:53:08 +0100
parents 6024f54e957d
children d04853b8a545
files src/share/classes/java/security/cert/X509CRLSelector.java src/share/classes/sun/security/provider/certpath/OCSPResponse.java
diffstat 2 files changed, 17 insertions(+), 7 deletions(-) [+]
--- a/src/share/classes/java/security/cert/X509CRLSelector.java	Tue Apr 07 14:33:57 2015 +0300
+++ b/src/share/classes/java/security/cert/X509CRLSelector.java	Mon Jul 06 15:53:08 2015 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000, 2009, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -679,10 +679,14 @@
                 nowPlusSkew = new Date(dateAndTime.getTime() + skew);
                 nowMinusSkew = new Date(dateAndTime.getTime() - skew);
             }
+
+            // Check that the test date is within the validity interval:
+            //   [ thisUpdate - MAX_CLOCK_SKEW,
+            //     nextUpdate + MAX_CLOCK_SKEW ]
             if (nowMinusSkew.after(nextUpdate)
                 || nowPlusSkew.before(crlThisUpdate)) {
                 if (debug != null) {
-                    debug.println("X509CRLSelector.match: update out of range");
+                    debug.println("X509CRLSelector.match: update out-of-range");
                 }
                 return false;
             }
--- a/src/share/classes/sun/security/provider/certpath/OCSPResponse.java	Tue Apr 07 14:33:57 2015 +0300
+++ b/src/share/classes/sun/security/provider/certpath/OCSPResponse.java	Mon Jul 06 15:53:08 2015 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2015, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -154,8 +154,8 @@
     private static final int DEFAULT_MAX_CLOCK_SKEW = 900000;
 
     /**
-     * Integer value indicating the maximum allowable clock skew, in seconds,
-     * to be used for the OCSP check.
+     * Integer value indicating the maximum allowable clock skew,
+     * in milliseconds, to be used for the OCSP check.
      */
     private static final int MAX_CLOCK_SKEW = initializeClockSkew();
 
@@ -709,12 +709,18 @@
                 if (nextUpdate != null) {
                     until = " until " + nextUpdate;
                 }
-                DEBUG.println("Response's validity interval is from " +
-                    thisUpdate + until);
+                DEBUG.println("OCSP response validity interval is from " +
+                              thisUpdate + until);
             }
             // Check that the test date is within the validity interval
             if ((thisUpdate != null && nowPlusSkew.before(thisUpdate)) ||
                 (nextUpdate != null && nowMinusSkew.after(nextUpdate))) {
+            // Check that the test date is within the validity interval:
+            //   [ thisUpdate - MAX_CLOCK_SKEW,
+            //     MAX(thisUpdate, nextUpdate) + MAX_CLOCK_SKEW ]
+            if (nowPlusSkew.before(thisUpdate) ||
+                nowMinusSkew.after(
+                    nextUpdate != null ? nextUpdate : thisUpdate))
 
                 if (DEBUG != null) {
                     DEBUG.println("Response is unreliable: its validity " +
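Review bot: The new condition at L72-L74 is added without an opening brace while the old `if (...) {` at L67-L68 survives as a context line, so on the new side the check becomes a second, nested `if` whose only body is the `if (DEBUG != null)` block that follows, and whatever comes after that block (presumably the rejection of the response) stays governed by the old condition alone. If the markers are rendered faithfully here (the diffstat's 7 deletions match the visible `-` lines), the old comment and condition at L66-L68 should be removed and the new `if` closed with a `{` on the line after L74 so the whole block falls under the new test. The new test also drops the `thisUpdate != null` guard the old one had, so `nowPlusSkew.before(thisUpdate)` will throw a NullPointerException if the parsed response can lack thisUpdate; if that field is treated as mandatory earlier in the parser, a short comment saying so would justify the simplification. The enclosing method continues past the end of the hunk.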