6744888: OCSP validation code should permit some clock skew when checking validity of OCSP responses

Allow for up to 10 minutes of clock skew when validating OCSP responses Reviewed-by: vinnie
2008-11-05 15:55:00 -05:00 · 2008-11-05 15:55:00 -05:00 · ec4b93457e
commit ec4b93457e
parent fddda74b98
1 changed files with 9 additions and 3 deletions
--- a/jdk/src/share/classes/sun/security/provider/certpath/OCSPResponse.java
+++ b/jdk/src/share/classes/sun/security/provider/certpath/OCSPResponse.java
@ -151,6 +151,10 @@ class OCSPResponse {

    private SingleResponse singleResponse;

+    // Maximum clock skew in milliseconds (10 minutes) allowed when checking
+    // validity of OCSP responses
+    private static final long MAX_CLOCK_SKEW = 600000;
+
    // an array of all of the CRLReasons (used in SingleResponse)
    private static CRLReason[] values = CRLReason.values();

@ -583,7 +587,9 @@ class OCSPResponse {
                }
            }

-            Date now = new Date();
+            long now = System.currentTimeMillis();
+            Date nowPlusSkew = new Date(now + MAX_CLOCK_SKEW);
+            Date nowMinusSkew = new Date(now - MAX_CLOCK_SKEW);
            if (DEBUG != null) {
                String until = "";
                if (nextUpdate != null) {
@ -593,8 +599,8 @@ class OCSPResponse {
                    thisUpdate + until);
            }
            // Check that the test date is within the validity interval
-            if ((thisUpdate != null && now.before(thisUpdate)) ||
-                (nextUpdate != null && now.after(nextUpdate))) {
+            if ((thisUpdate != null && nowPlusSkew.before(thisUpdate)) ||
+                (nextUpdate != null && nowMinusSkew.after(nextUpdate))) {

                if (DEBUG != null) {
                    DEBUG.println("Response is unreliable: its validity " +