From the description, it seems that thisUpdate and nextUpdate should be checked against the system local time, but the code checks them against the producedAt value from the OCSP response, so no matter the system time, the response is always valid:
```java
public static void validateCertificateStatusUpdateTime(SingleResp certStatusResponse, Date producedAt) throws UserCertificateOCSPCheckFailedException {
    // From RFC 2560, https://www.ietf.org/rfc/rfc2560.txt:
    // 4.2.2. Notes on OCSP Responses
    // 4.2.2.1. Time
    // Responses whose nextUpdate value is earlier than
    // the local system time value SHOULD be considered unreliable.
    // Responses whose thisUpdate time is later than the local system time
    // SHOULD be considered unreliable.
    // If nextUpdate is not set, the responder is indicating that newer
    // revocation information is available all the time.
    final Date notAllowedBefore = new Date(producedAt.getTime() - ALLOWED_TIME_SKEW);
    final Date notAllowedAfter = new Date(producedAt.getTime() + ALLOWED_TIME_SKEW);
    final Date thisUpdate = certStatusResponse.getThisUpdate();
    final Date nextUpdate = certStatusResponse.getNextUpdate() != null ? certStatusResponse.getNextUpdate() : thisUpdate;
    if (notAllowedAfter.before(thisUpdate) ||
        notAllowedBefore.after(nextUpdate)) {
        throw new UserCertificateOCSPCheckFailedException("Certificate status update time check failed: " +
            "notAllowedBefore: " + toUtcString(notAllowedBefore) +
            ", notAllowedAfter: " + toUtcString(notAllowedAfter) +
            ", thisUpdate: " + toUtcString(thisUpdate) +
            ", nextUpdate: " + toUtcString(certStatusResponse.getNextUpdate()));
    }
}
```
Source: web-eid-authtoken-validation-java/src/main/java/eu/webeid/security/validator/ocsp/OcspResponseValidator.java, lines 80 to 102 in c919aa5
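As an added illustration (not the project's code, and not whatever fix its maintainers applied), the quoted producedAt-anchored window is placed beside a version of the same check anchored to the local system time, as RFC 2560 section 4.2.2.1 describes; the class and method names and the 15-minute skew are assumptions. Run against a constructed response produced two years before "now", the first method still accepts it while the second rejects it, which is the behaviour the report is about.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.Date;

// Added example, not the project's code. Names and the skew value are assumptions.
public final class OcspUpdateTimeCheck {

    // Assumed skew tolerance; the project's ALLOWED_TIME_SKEW value is not shown in the report.
    static final long ALLOWED_TIME_SKEW_MS = Duration.ofMinutes(15).toMillis();

    /** The check as quoted in the report: the window is anchored to producedAt,
     *  so the local clock never takes part in the comparison. */
    static boolean passesProducedAtAnchoredCheck(Date producedAt, Date thisUpdate, Date nextUpdate) {
        Date notAllowedBefore = new Date(producedAt.getTime() - ALLOWED_TIME_SKEW_MS);
        Date notAllowedAfter = new Date(producedAt.getTime() + ALLOWED_TIME_SKEW_MS);
        Date effectiveNextUpdate = nextUpdate != null ? nextUpdate : thisUpdate;
        return !(notAllowedAfter.before(thisUpdate) || notAllowedBefore.after(effectiveNextUpdate));
    }

    /** The same check anchored to the local system time, which is what lets a
     *  stale (or replayed) response be detected. `now` is a parameter so the
     *  method can be exercised with a fixed clock. */
    static boolean passesLocalTimeCheck(Date now, Date thisUpdate, Date nextUpdate) {
        // thisUpdate later than local time (plus skew): unreliable.
        Date latestAcceptableThisUpdate = new Date(now.getTime() + ALLOWED_TIME_SKEW_MS);
        if (thisUpdate.after(latestAcceptableThisUpdate)) {
            return false;
        }
        // nextUpdate absent: the responder says newer data is always available, so
        // only the thisUpdate bound applies here (a maximum age for thisUpdate would
        // be an additional local policy, not something the quoted RFC text requires).
        if (nextUpdate == null) {
            return true;
        }
        // nextUpdate earlier than local time (minus skew): unreliable.
        Date earliestAcceptableNextUpdate = new Date(now.getTime() - ALLOWED_TIME_SKEW_MS);
        return !nextUpdate.before(earliestAcceptableNextUpdate);
    }

    public static void main(String[] args) {
        // Constructed sample: a response produced two years before "now", valid for one day.
        Instant produced = Instant.parse("2021-03-01T12:00:00Z");
        Date producedAt = Date.from(produced);
        Date thisUpdate = Date.from(produced);
        Date nextUpdate = Date.from(produced.plus(Duration.ofDays(1)));
        Date now = Date.from(Instant.parse("2023-03-01T12:00:00Z"));

        System.out.println("producedAt-anchored check accepts stale response: "
                + passesProducedAtAnchoredCheck(producedAt, thisUpdate, nextUpdate));
        System.out.println("local-time check accepts stale response: "
                + passesLocalTimeCheck(now, thisUpdate, nextUpdate));
    }
}
```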