JDK-8020940 : Valid OCSP responses are rejected for backdated enquiries
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 7u40
  • Priority: P2
  • Status: Closed
  • Resolution: Fixed
  • Submitted: 2013-07-19
  • Updated: 2015-02-02
  • Resolved: 2013-07-22
  • Fixed in: 7u40 b36
PKIX certpath validation is normally performed using the current time.
It may also be requested to be performed at a specific (possibly past) time.

OCSP is a network protocol for checking whether a certificate has been revoked.
OCSP responses are returned with a specific validity interval (thisUpdate to nextUpdate).
The OCSP client examines that validity interval to ensure that the response is still current.
This check is performed incorrectly for backdated OCSP requests: the validity interval is compared against the requested validation time instead of the current time, so a fresh, valid response is rejected.

Specifically, the current time should be used when validating the
OCSP response's thisUpdate and nextUpdate, rather than the requested time.
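The following is an added illustration of the two distinct times involved; it is not JDK code and does not mirror the JDK's internal classes. It separates the freshness test (thisUpdate/nextUpdate against the clock) from the revocation decision (revocationTime against the requested validation date), and it goes one step beyond the description above by also showing that the revocation decision keeps using the requested date. The 15-minute clock-skew tolerance, the class and function names, and the timeline are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Tolerance for responder/client clock drift. The value is an assumption for
# this example, not a setting taken from the JDK.
MAX_CLOCK_SKEW = timedelta(minutes=15)


@dataclass(frozen=True)
class OcspSingleResponse:
    """The fields of one OCSP SingleResponse that matter here (RFC 6960 §4.2.1)."""
    this_update: datetime
    next_update: Optional[datetime]      # absent means "no expiry stated"
    revocation_time: Optional[datetime]  # None means status "good"


def response_is_current(resp, check_time, skew=MAX_CLOCK_SKEW):
    """Freshness test: does the response's validity interval cover check_time?

    thisUpdate must not lie in the future and nextUpdate (if present) must not
    lie in the past, each allowing for clock skew.
    """
    if resp.this_update > check_time + skew:
        return False  # response claims to have been produced in the future
    if resp.next_update is not None and resp.next_update < check_time - skew:
        return False  # responder says this response has expired
    return True


def check_revocation(resp, validation_date, now, freshness_time_is_now):
    """Return "good", "revoked" or "rejected" for a certificate validated as of
    validation_date.

    freshness_time_is_now=False reproduces the defect: the response's validity
    interval is compared against the (possibly backdated) validation date.
    freshness_time_is_now=True is the corrected behaviour. The question "was the
    certificate revoked at validation_date?" is answered the same way in both.
    """
    freshness_time = now if freshness_time_is_now else validation_date
    if not response_is_current(resp, freshness_time):
        return "rejected"  # a valid response discarded as stale/future-dated
    if resp.revocation_time is not None and resp.revocation_time <= validation_date:
        return "revoked"
    return "good"


# Constructed timeline: "now" is the day this bug was filed; the caller asks
# for validation as of a date eighteen months earlier; the responder has just
# produced a fresh response for a certificate that has never been revoked.
NOW = datetime(2013, 7, 19, 12, 0, tzinfo=timezone.utc)
BACKDATED = datetime(2012, 1, 1, tzinfo=timezone.utc)
FRESH_GOOD = OcspSingleResponse(
    this_update=NOW - timedelta(hours=1),
    next_update=NOW + timedelta(days=1),
    revocation_time=None,
)


def demo():
    """Outcome of the same backdated check before and after the fix."""
    before = check_revocation(FRESH_GOOD, BACKDATED, NOW, freshness_time_is_now=False)
    after = check_revocation(FRESH_GOOD, BACKDATED, NOW, freshness_time_is_now=True)
    return before, after


if __name__ == "__main__":
    print(demo())  # ('rejected', 'good')
```

With the defect, thisUpdate (one hour ago) lies far in the "future" relative to the backdated validation date, so a perfectly good response is thrown away; with the fix, the freshness test passes and the revocation decision is still made as of the requested date.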

Verified on 7u40 b36 by SQE tests that are listed in the following bugs:
  • INTJDK-7605757: Certificate for CertPath/CertPathValidatorTest/OCSP_secom_ssl_valid test case expired
  • INTJDK-7605758: DigiCert CertPath/CertPathValidatorTest/OCSP tests fail because of certificate expiration
  • INTJDK-7605761: CertPath/CertPathValidatorTest/OCSP_t-telesec_root-class2_revoked test fails because of certificate expiration
  • INTJDK-7605759: CertPath/CertPathValidatorTest/OCSP_globalsign.com fails because certificate expired
Found new: JDK-8023352

SQE is ok to take the fix in 7u40.

I have looked at the bug and fix. It is ok for 7u40.

Actually, the issue does occur in JDK 8 but is currently being corrected as part of the fix for JDK-8010748. JDK 8 uses a different code base from JDK 7.

Can you add 8-na to this bug, Vinnie?

7u40-critical-request justification: This bug causes a valid OCSP response to be rejected when the request is a backdated one. SQE certificate revocation interop tests are currently failing and there is no workaround. SQE test: CertPath/CertPathValidatorTest/OCSP_secom_ssl_valid test (see https://jbs.oracle.com/bugs/browse/INTJDK-7604726). The error was introduced by 8004846. A simple 1-line fix corrects the time at which validation of OCSP responses is performed. This problem does occur in JDK 8 but is being fixed as part of 8010748 (because a different code path is used). Code has been reviewed by Sean Mullan and I'm currently seeking a second reviewer.