--- a/src/java.base/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java Wed Dec 06 14:35:58 2017 -0800
+++ b/src/java.base/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java Fri Dec 08 09:37:28 2017 -0500
@@ -31,6 +31,7 @@
import java.util.*;
import sun.security.provider.certpath.PKIX.ValidatorParams;
+import sun.security.validator.Validator;
import sun.security.x509.X509CertImpl;
import sun.security.util.Debug;
@@ -189,12 +190,21 @@
params.policyQualifiersRejected(),
rootNode);
certPathCheckers.add(pc);
- // default value for date is current time
- BasicChecker bc;
- bc = new BasicChecker(anchor,
- (params.timestamp() == null ? params.date() :
- params.timestamp().getTimestamp()),
- params.sigProvider(), false);
+
+ // the time that the certificate validity period should be
+ // checked against
+ Date timeToCheck = null;
+ // use timestamp if checking signed code that is timestamped, otherwise
+ // use date parameter from PKIXParameters
+ if ((params.variant() == Validator.VAR_CODE_SIGNING ||
+ params.variant() == Validator.VAR_PLUGIN_CODE_SIGNING) &&
+ params.timestamp() != null) {
+ timeToCheck = params.timestamp().getTimestamp();
+ } else {
+ timeToCheck = params.date();
+ }
+ BasicChecker bc = new BasicChecker(anchor, timeToCheck,
+ params.sigProvider(), false);
certPathCheckers.add(bc);
boolean revCheckerAdded = false;
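Review bot: The variant test in the added `if` uses `==`, which is a reference comparison if `params.variant()` returns a `String` (its declared type is not visible in this hunk). A caller that supplies an equal but non-identical string would silently skip the timestamp branch, and a timestamped signature would then be validated against `params.date()` rather than the signing time. Consider `Validator.VAR_CODE_SIGNING.equals(params.variant()) || Validator.VAR_PLUGIN_CODE_SIGNING.equals(params.variant())`, which is also null-safe. Since both branches assign it, `Date timeToCheck = null;` can be declared without the dead initializer, or as `final`. The enclosing method starts and ends outside the hunk.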