changeset 12965:707ea8cc6462

8191358: Restore TSA certificate expiration check Reviewed-by: coffeys, rhalade
author mullan
date Fri, 08 Dec 2017 09:37:28 -0500
parents 2e4fd537cf2a
children cac020298633
files src/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java
diffstat 1 files changed, 16 insertions(+), 6 deletions(-) [+]
--- a/src/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java	Fri Jan 05 20:11:29 2018 -0800
+++ b/src/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java	Fri Dec 08 09:37:28 2017 -0500
@@ -31,6 +31,7 @@
 import java.util.*;
 
 import sun.security.provider.certpath.PKIX.ValidatorParams;
+import sun.security.validator.Validator;
 import sun.security.x509.X509CertImpl;
 import sun.security.util.Debug;
 
@@ -189,12 +190,21 @@
                                              params.policyQualifiersRejected(),
                                              rootNode);
         certPathCheckers.add(pc);
-        // default value for date is current time
-        BasicChecker bc;
-        bc = new BasicChecker(anchor,
-                (params.timestamp() == null ? params.date() :
-                        params.timestamp().getTimestamp()),
-                params.sigProvider(), false);
+
+        // the time that the certificate validity period should be
+        // checked against
+        Date timeToCheck = null;
+        // use timestamp if checking signed code that is timestamped, otherwise
+        // use date parameter from PKIXParameters
+        if ((params.variant() == Validator.VAR_CODE_SIGNING ||
+             params.variant() == Validator.VAR_PLUGIN_CODE_SIGNING) &&
+             params.timestamp() != null) {
+            timeToCheck = params.timestamp().getTimestamp();
+        } else {
+            timeToCheck = params.date();
+        }
+        BasicChecker bc = new BasicChecker(anchor, timeToCheck,
+                                           params.sigProvider(), false);
         certPathCheckers.add(bc);
 
         boolean revCheckerAdded = false;
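Review bot: The variant test in the new `if` compares `params.variant()` with `Validator.VAR_CODE_SIGNING` and `Validator.VAR_PLUGIN_CODE_SIGNING` using `==`, which is a reference comparison if these are Strings, as the Validator constants appear to be. An equal but non-identical variant value would silently take the `else` branch and validate against `params.date()`; that fails closed, but it shows up as an unexplained expiry rejection of timestamped code. Prefer `Validator.VAR_CODE_SIGNING.equals(params.variant()) || Validator.VAR_PLUGIN_CODE_SIGNING.equals(params.variant())`. The comment should also state why the timestamp is limited to these variants, presumably so that the TSA's own chain is checked against `params.date()`, e.g. `// all other variants are checked against params.date() so an expired certificate is not accepted on the strength of a timestamp`. The enclosing method starts and ends outside the hunk.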