From 85e2880ab7b5e3c23beb5c691ab461cdf6693eba Mon Sep 17 00:00:00 2001
From: mullan
Date: Wed, 5 Nov 2008 15:55:00 -0500
Subject: [PATCH] 6744888: OCSP validation code should permit some clock skew when checking validity of OCSP responses
Summary: Allow for up to 10 minutes of clock skew when validating OCSP responses
Reviewed-by: vinnie
---
 .../sun/security/provider/certpath/OCSPResponse.java | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/src/share/classes/sun/security/provider/certpath/OCSPResponse.java b/src/share/classes/sun/security/provider/certpath/OCSPResponse.java
index 24d88374c..e9afb29f5 100644
--- a/src/share/classes/sun/security/provider/certpath/OCSPResponse.java
+++ b/src/share/classes/sun/security/provider/certpath/OCSPResponse.java
@@ -151,6 +151,10 @@ class OCSPResponse {
 private SingleResponse singleResponse;
+ // Maximum clock skew in milliseconds (10 minutes) allowed when checking
+ // validity of OCSP responses
+ private static final long MAX_CLOCK_SKEW = 600000;
+
 // an array of all of the CRLReasons (used in SingleResponse)
 private static CRLReason[] values = CRLReason.values();
@@ -583,7 +587,9 @@ class OCSPResponse {
 }
 }
- Date now = new Date();
+ long now = System.currentTimeMillis();
+ Date nowPlusSkew = new Date(now + MAX_CLOCK_SKEW);
+ Date nowMinusSkew = new Date(now - MAX_CLOCK_SKEW);
 if (DEBUG != null) {
 String until = "";
 if (nextUpdate != null) {
@@ -593,8 +599,8 @@ class OCSPResponse {
 thisUpdate + until);
 }
 // Check that the test date is within the validity interval
- if ((thisUpdate != null && now.before(thisUpdate)) ||
- (nextUpdate != null && now.after(nextUpdate))) {
+ if ((thisUpdate != null && nowPlusSkew.before(thisUpdate)) ||
+ (nextUpdate != null && nowMinusSkew.after(nextUpdate))) {
 if (DEBUG != null) {
 DEBUG.println("Response is unreliable: its validity " +
-- GitLab
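Review bot: `private static final long MAX_CLOCK_SKEW = 600000;` in the first hunk is a bare magic number whose unit and meaning live only in the comment above it; writing it as `private static final long MAX_CLOCK_SKEW = 10 * 60 * 1000L; // 10 minutes, in ms` makes the ten-minute bound self-describing and harder to mistype when someone later tunes it. The comment should also say what the constant does to the check, since the value directly widens the window in which a response is accepted: a response is treated as valid up to MAX_CLOCK_SKEW before its thisUpdate and up to MAX_CLOCK_SKEW after its nextUpdate, so raising it means accepting older (possibly stale) responses as well as tolerating more drift. A one-line addition such as `// Applied symmetrically: widens the thisUpdate/nextUpdate acceptance window by this amount on each side` would make that trade-off visible at the declaration rather than only at the use site in the third hunk.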
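Review bot: The comment `// Check that the test date is within the validity interval` above the changed condition in the third hunk no longer describes what the code checks, because the new test tolerates MAX_CLOCK_SKEW on each side of the interval; suggest `// Check that the test date is within the validity interval, allowing MAX_CLOCK_SKEW of clock drift on either side`. The debug output in the same block prints only thisUpdate and nextUpdate, so a response rejected by the skew-adjusted bound is indistinguishable in the log from one rejected by the raw interval; including the skew value (or the adjusted bounds) in that message would make such rejections easier to diagnose in the field. Note also that the second hunk changes `now` from a `Date` to a `long`, so any remaining use of `now` as a `Date` elsewhere in this method would no longer compile — presumably none exists, but the enclosing method starts before the second hunk and ends after the third, so that cannot be confirmed from the diff alone.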