JDK-8020940

Valid OCSP responses are rejected for backdated enquiries

    Details

    • Resolved In Build:
      b36
    • Verification:
      Verified

        Description

        PKIX certpath validation is normally performed using the current time.
        It may also be requested to be performed at a specific time.

        OCSP is a network protocol for checking whether a certificate has been revoked.
        OCSP responses are returned with a specific validity interval.
        The OCSP client examines that validity interval to ensure that the response is still current.
        This check is performed incorrectly for backdated OCSP requests.

        Specifically, the current time should be used when validating the
        OCSP response's thisUpdate and nextUpdate, rather than the requested time.
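
        The distinction described above, as an added Java example (not the JDK's own code): one freshness check on constructed thisUpdate/nextUpdate values, evaluated against the requested validation time and against the current time. The class name, the 15-minute clock-skew tolerance and all timestamps are assumptions made for the illustration.

```java
import java.time.Duration;
import java.time.Instant;

public class OcspFreshnessDemo {
    // Assumed tolerance for clock skew between client and responder (constructed value).
    static final Duration MAX_SKEW = Duration.ofMinutes(15);

    /**
     * Returns true if the response's validity interval covers referenceTime.
     * nextUpdate may be null: RFC 6960 makes that field optional.
     */
    static boolean isCurrent(Instant thisUpdate, Instant nextUpdate, Instant referenceTime) {
        // thisUpdate must not lie in the future relative to the reference time.
        if (thisUpdate.isAfter(referenceTime.plus(MAX_SKEW))) {
            return false;
        }
        // nextUpdate, when present, must not already have passed.
        return nextUpdate == null || !nextUpdate.isBefore(referenceTime.minus(MAX_SKEW));
    }

    public static void main(String[] args) {
        // Constructed clock values: "now" and a backdated validation time.
        Instant now = Instant.parse("2013-07-19T12:00:00Z");
        Instant requestedTime = Instant.parse("2012-01-01T00:00:00Z");

        // Constructed fresh response: produced one hour before "now", valid for seven days.
        Instant freshThis = now.minus(Duration.ofHours(1));
        Instant freshNext = freshThis.plus(Duration.ofDays(7));

        // Constructed old response whose interval surrounds the backdated time.
        Instant oldThis = Instant.parse("2011-12-30T00:00:00Z");
        Instant oldNext = Instant.parse("2012-01-06T00:00:00Z");

        // Interval compared with the requested time (the behaviour the issue reports).
        System.out.println("fresh response vs requested time: "
                + isCurrent(freshThis, freshNext, requestedTime));
        System.out.println("old response   vs requested time: "
                + isCurrent(oldThis, oldNext, requestedTime));

        // Interval compared with the current time (the behaviour the issue asks for).
        System.out.println("fresh response vs current time:   "
                + isCurrent(freshThis, freshNext, now));
        System.out.println("old response   vs current time:   "
                + isCurrent(oldThis, oldNext, now));
    }
}
```

        Only the reference time passed to the check differs between the two pairs of calls; the time at which the certificate path itself is validated stays the requested one.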

                People

                • Assignee:
                  vinnie Vincent Ryan
                • Reporter:
                  vinnie Vincent Ryan
