PKIX certpath validation is normally performed using the current time.
It may also be requested to be performed at a specific time.
OCSP is a network protocol for checking whether a certificate has been revoked.
OCSP responses are returned with a specific validity interval.
The OCSP client examines that validity interval to ensure that the response is still current.
This check is performed incorrectly for backdated OCSP requests.
Specifically, the current time should be used when validating the
OCSP response's thisUpdate and nextUpdate, rather than the requested time.