8191358: Restore TSA certificate expiration check
authormullan
Fri, 08 Dec 2017 09:37:28 -0500
changeset 49776 40a012dc4cee
parent 49775 8fa5bb0cb937
child 49777 4a8508247ac3
8191358: Restore TSA certificate expiration check Reviewed-by: coffeys, rhalade
src/java.base/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java
--- a/src/java.base/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java	Wed Dec 06 14:35:58 2017 -0800
+++ b/src/java.base/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java	Fri Dec 08 09:37:28 2017 -0500
@@ -31,6 +31,7 @@
 import java.util.*;
 
 import sun.security.provider.certpath.PKIX.ValidatorParams;
+import sun.security.validator.Validator;
 import sun.security.x509.X509CertImpl;
 import sun.security.util.Debug;
 
@@ -189,12 +190,21 @@
                                              params.policyQualifiersRejected(),
                                              rootNode);
         certPathCheckers.add(pc);
-        // default value for date is current time
-        BasicChecker bc;
-        bc = new BasicChecker(anchor,
-                (params.timestamp() == null ? params.date() :
-                        params.timestamp().getTimestamp()),
-                params.sigProvider(), false);
+
+        // the time that the certificate validity period should be
+        // checked against
+        Date timeToCheck = null;
+        // use timestamp if checking signed code that is timestamped, otherwise
+        // use date parameter from PKIXParameters
+        if ((params.variant() == Validator.VAR_CODE_SIGNING ||
+             params.variant() == Validator.VAR_PLUGIN_CODE_SIGNING) &&
+             params.timestamp() != null) {
+            timeToCheck = params.timestamp().getTimestamp();
+        } else {
+            timeToCheck = params.date();
+        }
+        BasicChecker bc = new BasicChecker(anchor, timeToCheck,
+                                           params.sigProvider(), false);
         certPathCheckers.add(bc);
 
         boolean revCheckerAdded = false;
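Review bot: The variant test in the new `if` compares with `==`, which is reference equality if `params.variant()` returns a `String` as the `Validator.VAR_*` constants suggest, so it holds only while every caller passes those exact constant objects. A variant string built at runtime would silently take the `else` branch and be validated against `params.date()`; that is the stricter outcome, but it would reject timestamped signed code whose signer certificate has since expired. I would write `Validator.VAR_CODE_SIGNING.equals(params.variant())` (and the same for `VAR_PLUGIN_CODE_SIGNING`), or add a comment saying that identity comparison is intended. The comment above the branch could also say why other variants must not use the timestamp; judging by the commit title, this is so that the TSA certificate's own validity period is checked against the date parameter rather than against the timestamp it issued. The enclosing method starts and ends outside the hunk.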