diff --git a/src/share/classes/java/security/cert/X509CRLSelector.java b/src/share/classes/java/security/cert/X509CRLSelector.java index 0580ee36bf280ffa5b936900b1c6d44e3a5847f5..face5ff525d98d6f282adc57c808f94afef19c41 100644 --- a/src/share/classes/java/security/cert/X509CRLSelector.java +++ b/src/share/classes/java/security/cert/X509CRLSelector.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -679,10 +679,14 @@ public class X509CRLSelector implements CRLSelector { nowPlusSkew = new Date(dateAndTime.getTime() + skew); nowMinusSkew = new Date(dateAndTime.getTime() - skew); } + + // Check that the test date is within the validity interval: + // [ thisUpdate - MAX_CLOCK_SKEW, + // nextUpdate + MAX_CLOCK_SKEW ] if (nowMinusSkew.after(nextUpdate) || nowPlusSkew.before(crlThisUpdate)) { if (debug != null) { - debug.println("X509CRLSelector.match: update out of range"); + debug.println("X509CRLSelector.match: update out-of-range"); } return false; } diff --git a/src/share/classes/sun/security/provider/certpath/OCSPResponse.java b/src/share/classes/sun/security/provider/certpath/OCSPResponse.java index 8075d73fd818c0a1195b06b913bc2bff32f9f11e..47755e7fb67399a17a798b2684c82c16f4f88c6d 100644 --- a/src/share/classes/sun/security/provider/certpath/OCSPResponse.java +++ b/src/share/classes/sun/security/provider/certpath/OCSPResponse.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2003, 2014, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2003, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -151,8 +151,8 @@ public final class OCSPResponse { private static final int DEFAULT_MAX_CLOCK_SKEW = 900000; /** - * Integer value indicating the maximum allowable clock skew, in seconds, - * to be used for the OCSP check. + * Integer value indicating the maximum allowable clock skew, + * in milliseconds, to be used for the OCSP check. */ private static final int MAX_CLOCK_SKEW = initializeClockSkew(); @@ -586,13 +586,14 @@ public final class OCSPResponse { "Unable to verify OCSP Response's signature"); } - // Check freshness of OCSPResponse if (nonce != null) { if (responseNonce != null && !Arrays.equals(nonce, responseNonce)) { throw new CertPathValidatorException("Nonces don't match"); } } + // Check freshness of OCSPResponse + long now = (date == null) ? System.currentTimeMillis() : date.getTime(); Date nowPlusSkew = new Date(now + MAX_CLOCK_SKEW); Date nowMinusSkew = new Date(now - MAX_CLOCK_SKEW); @@ -602,13 +603,18 @@ public final class OCSPResponse { if (sr.nextUpdate != null) { until = " until " + sr.nextUpdate; } - debug.println("Response's validity interval is from " + + debug.println("OCSP response validity interval is from " + sr.thisUpdate + until); + debug.println("Checking validity of OCSP response on: " + + new Date(now)); } - // Check that the test date is within the validity interval - if ((sr.thisUpdate != null && nowPlusSkew.before(sr.thisUpdate)) || - (sr.nextUpdate != null && nowMinusSkew.after(sr.nextUpdate))) + // Check that the test date is within the validity interval: + // [ thisUpdate - MAX_CLOCK_SKEW, + // MAX(thisUpdate, nextUpdate) + MAX_CLOCK_SKEW ] + if (nowPlusSkew.before(sr.thisUpdate) || + nowMinusSkew.after( + sr.nextUpdate != null ? sr.nextUpdate : sr.thisUpdate)) { throw new CertPathValidatorException( "Response is unreliable: its validity " +