From: Jaime H. <hab...@gm...> - 2019-05-27 22:36:30
RFC 6960, "4.4.4. Archive Cutoff" says:
> An OCSP responder MAY choose to retain revocation information beyond
> a certificate's expiration. The date obtained by *subtracting this
> retention interval value from the producedAt time* in a response is
> defined as the certificate's "archive cutoff" date.
But the current code is not subtracting the retention interval from the exact
producedAt time, but from a freshly obtained current time.
A simple patch follows:
---
modules/cesecore-ejb/src/org/cesecore/certificates/ocsp/OcspResponseGeneratorSessionBean.java
(revision 32428)
+++
modules/cesecore-ejb/src/org/cesecore/certificates/ocsp/OcspResponseGeneratorSessionBean.java
(date 1558989475000)
@@ -1353,8 +1353,8 @@
log.info(intres.getLocalizedMessage("ocsp.infoaddedstatusinfo",
sStatus, certId.getSerialNumber().toString(16), caCertificateSubjectDn));
respItem = new OCSPResponseItem(certId, certStatus,
nextUpdate);
if (addArchiveCutoff) {
- addArchiveCutoff(respItem);
producedAt = new Date();
+ addArchiveCutoff(respItem, producedAt);
}
}
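Review bot: the new `addArchiveCutoff(respItem, producedAt);` call depends on the unchanged `producedAt = new Date();` line executing first, and both sit inside `if (addArchiveCutoff) {`, so the ordering is load-bearing but nothing documents it; add a comment on the assignment saying that this same Date instance must be both written into the response's producedAt field and passed here, so a later reordering or a second `new Date()` does not reintroduce the skew this patch removes. Since the visible hunk only shows the assignment inside this branch, it is also worth confirming that `producedAt` is not reassigned again before the response is built.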
@@ -1555,12 +1555,12 @@
return false;
}
- private void addArchiveCutoff(OCSPResponseItem respItem) {
+ private void addArchiveCutoff(OCSPResponseItem respItem, Date
producedAt) {
long archPeriod = OcspConfiguration.getExpiredArchiveCutoff();
if (archPeriod == -1) {
return;
}
- long res = System.currentTimeMillis() - archPeriod;
+ long res = producedAt.getTime() - archPeriod;
ASN1OctetString archiveCutoffValue;
try {
archiveCutoffValue = new DEROctetString(new
ASN1GeneralizedTime(new Date(res)));
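Review bot: the new `Date producedAt` parameter is dereferenced unconditionally at `long res = producedAt.getTime() - archPeriod;` with no Javadoc and no null check; because the `archPeriod == -1` early return still runs first, a null argument would surface as a NullPointerException only on responders that actually have the archive cutoff configured. Document the parameter (it must be the very instant encoded as the response's producedAt, and `archPeriod` from `OcspConfiguration.getExpiredArchiveCutoff()` is still treated as milliseconds, exactly as the removed `System.currentTimeMillis() - archPeriod` did) or add `Objects.requireNonNull(producedAt)` before the subtraction.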
And I think that this change is actually required for compliance with the
last part of
https://jira.primekey.se/browse/ECA-3314?focusedCommentId=24954&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-24954
:
> I think we should ensure that there are no differences. We had some
> differences before in CAs with privateKeyUsagePeriod and notAfter, and that
> turned out to be not good.
--
Jaime Hablutzel - RPC 994690880