Add some more comments in the PKIX date() and timestamp() methods.

Remove extra newline from debugging output.
openjdk · Sep 17, 2021 · d797f32 · d797f32
1 parent e52a451
commit d797f32
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 4 deletions.
diff --git a/...java.base/share/classes/sun/security/provider/certpath/CertPathConstraintsParameters.java b/...java.base/share/classes/sun/security/provider/certpath/CertPathConstraintsParameters.java
@@ -103,7 +103,7 @@ public String extendedExceptionMsg() {
     @Override
     public String toString() {
         StringBuilder sb = new StringBuilder("[\n");
-        sb.append("\n  Variant: ").append(variant);
+        sb.append("  Variant: ").append(variant);
         if (anchor != null) {
             sb.append("\n  Anchor: ").append(anchor);
         }

diff --git a/src/java.base/share/classes/sun/security/provider/certpath/PKIX.java b/src/java.base/share/classes/sun/security/provider/certpath/PKIX.java
@@ -157,8 +157,13 @@ List<CertStore> certStores() {
         }
         Date date() {
             if (!gotDate) {
-                // use timestamp if checking signed code that is
-                // timestamped, otherwise use date parameter
+                // Use timestamp if checking signed code that is
+                // timestamped, otherwise use date parameter.
+                // Note that TSA server certificates do not use the
+                // timestamp, which means that an expired TSA certificate
+                // is considered a validation failure. This policy means
+                // that signed and timestamped code is valid until the TSA
+                // certificate expires (assuming all other checks are valid).
                 if (timestamp != null &&
                     variant.equals(Validator.VAR_CODE_SIGNING)) {
                     date = timestamp.getTimestamp();
@@ -210,6 +215,9 @@ PKIXParameters getPKIXParameters() {
         String variant() {
             return variant;
         }
+        // The timestamp param is passed as the date param when creating an
+        // AlgorithmChecker. An AlgorithmChecker always uses the timestamp
+        // if specified in order to enforce the denyAfter constraint.
         Date timestamp() {
             // return timestamp date if set, otherwise use date parameter
             if (timestampDate == null) {

diff --git a/src/java.base/share/classes/sun/security/util/JarConstraintsParameters.java b/src/java.base/share/classes/sun/security/util/JarConstraintsParameters.java
@@ -184,7 +184,7 @@ public String extendedExceptionMsg() {
     @Override
     public String toString() {
         StringBuilder sb = new StringBuilder("[\n");
-        sb.append("\n  Variant: ").append(getVariant());
+        sb.append("  Variant: ").append(getVariant());
         sb.append("\n  Certs Issued by Anchor:");
         for (X509Certificate cert : certsIssuedByAnchor) {
             sb.append("\n    Cert Issuer: ")