From: Tomas G. <to...@pr...> - 2019-05-28 10:37:29
Hi,

Your code is more correct, and right should be right. I applied the patch in https://jira.primekey.se/browse/ECA-8230.

In the case of privateKeyUsagePeriod the difference could be many minutes, or even hours, since notBefore is by default -10m and can be set to any value, past or present. In this case it is only a few lines of Java code between the two instances of getting the current time, which is unlikely to take even 1ms. Since times are rounded to seconds, the probability of a 1 second difference is small.

Cheers,
Tomas

---
PrimeKey Tech Days 2019
Stockholm, Sweden 17-18 September
www.primekey.com/tech-days

On 2019-05-28 00:36, Jaime Hablutzel wrote:
> RFC 6960, "4.4.4. Archive Cutoff" says:
>
> An OCSP responder MAY choose to retain revocation information beyond
> a certificate's expiration. The date obtained by *subtracting this
> retention interval value from the producedAt time* in a response is
> defined as the certificate's "archive cutoff" date.
>
> But current code is not subtracting the retention interval from the
> exact producedAt time, but from a freshly obtained current time.
>
> Simple patch follows:
>
> --- > modules/cesecore-ejb/src/org/cesecore/certificates/ocsp/OcspResponseGeneratorSessionBean.java > (revision 32428) > +++ > modules/cesecore-ejb/src/org/cesecore/certificates/ocsp/OcspResponseGeneratorSessionBean.java > (date 1558989475000) > @@ -1353,8 +1353,8 @@ > log.info > <http://log.info>(intres.getLocalizedMessage("ocsp.infoaddedstatusinfo", > sStatus, certId.getSerialNumber().toString(16), caCertificateSubjectDn)); > respItem = new OCSPResponseItem(certId, certStatus, > nextUpdate); > if (addArchiveCutoff) { > - addArchiveCutoff(respItem); > producedAt = new Date(); > + addArchiveCutoff(respItem, producedAt); > } > }
> > @@ -1555,12 +1555,12 @@ > return false; > } > > - private void addArchiveCutoff(OCSPResponseItem respItem) { > + private void addArchiveCutoff(OCSPResponseItem respItem, Date > producedAt) { > long archPeriod = OcspConfiguration.getExpiredArchiveCutoff(); > if (archPeriod == -1) { > return; > } > - long res = System.currentTimeMillis() - archPeriod; > + long res = producedAt.getTime() - archPeriod; > ASN1OctetString archiveCutoffValue; > try { > archiveCutoffValue = new DEROctetString(new > ASN1GeneralizedTime(new Date(res)));
>
> And I think that this change is actually required for compliance with
> the last part of https://jira.primekey.se/browse/ECA-3314?focusedCommentId=24954&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-24954:
>
> I think we should ensure that there are no differences. We had some
> differences before in CAs with privateKeyUsagePeriod and notAfter,
> and that turned out to be not good.
>
> --
> Jaime Hablutzel - RPC 994690880
>
> _______________________________________________
> Ejbca-develop mailing list
> Ejb...@li...
> https://lists.sourceforge.net/lists/listinfo/ejbca-develop
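Review bot: In the first hunk (@@ -1353,8 +1353,8 @@), `producedAt = new Date();` is an unchanged context line sitting next to the per-certificate `respItem = new OCSPResponseItem(certId, ...)` construction, so if that block runs once per certId in the request, `producedAt` is reassigned for every item and only the last assignment can be the value that ends up in the response's producedAt field; the archive cutoff of earlier items would then still be derived from a slightly earlier instant than the final producedAt, which is the same class of mismatch the patch sets out to remove. It would be worth confirming from the surrounding code whether `producedAt` is assigned inside a loop, and if so hoisting a single `producedAt = new Date();` above the loop so every `addArchiveCutoff(respItem, producedAt)` call and the response itself share one instant.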
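Review bot: In the second hunk (@@ -1555,12 +1555,12 @@), the new `Date producedAt` parameter is not documented and, unlike the old `System.currentTimeMillis()` path, `producedAt.getTime()` will throw a NullPointerException if a caller ever passes null; since the existing `archPeriod == -1` early return already guards the configuration side, adding an explicit `Objects.requireNonNull(producedAt)` at the top of `addArchiveCutoff` (or a Javadoc line stating that the caller must pass the same instant used as the response's producedAt) would make the new contract visible to future callers.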