On Tue, 28 Apr 2026 21:44:05 GMT, Artur Barashev <[email protected]> wrote:
>> test/jdk/sun/security/ssl/SignatureScheme/TLSCurveMismatch.java line 211:
>>
>>> 209: .setNotBefore(
>>> 210: Date.from(Instant.now().minus(1, ChronoUnit.HOURS)))
>>> 211: .setNotAfter(Date.from(Instant.now().plus(1, ChronoUnit.HOURS)))
>>
>> It seems like this could create a potential validity nesting issue, but it
>> would likely take a really slow system such that the notAfter date of the
>> end entity cert potentially could be one or two seconds later than the
>> notAfter of its CA.
>
> Not sure I understand, both CA and EE have a validity that starts 1h before
> now and ends 1h after now.

Correct, and "now" is evaluated at different points in time. It would almost always be during the same second and therefore no problem, but on a slow system under load, or right at the edge of a second, "now" might be one second in the future when the EE cert has its validity created, which puts the notAfter potentially one second beyond the notAfter of the CA that issues it.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/30944#discussion_r3157451170
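
The second-boundary effect described in this reply, as an added example that is not code from the JDK test or the pull request. `Validity` is a hypothetical stand-in for a certificate's validity period and the timestamps are constructed; the last check assumes one possible remedy, deriving both windows from a single captured instant.

```java
import java.time.Instant;
import java.time.temporal.ChronoUnit;

public class ValidityNestingDemo {
    /** Hypothetical stand-in for a certificate's validity period. */
    record Validity(Instant notBefore, Instant notAfter) {
        /** Same +/- 1 hour window as the test. X.509 validity times carry
         *  no fractional seconds, hence the truncation to whole seconds. */
        static Validity aroundNow(Instant now) {
            Instant t = now.truncatedTo(ChronoUnit.SECONDS);
            return new Validity(t.minus(1, ChronoUnit.HOURS),
                                t.plus(1, ChronoUnit.HOURS));
        }

        /** True if this period lies entirely inside the issuer's period. */
        boolean nestsWithin(Validity issuer) {
            return !notBefore.isBefore(issuer.notBefore)
                && !notAfter.isAfter(issuer.notAfter);
        }
    }

    public static void main(String[] args) {
        // Constructed timestamps: the CA is built just before a second
        // boundary, the EE 100 ms later, just after it.
        Instant caNow = Instant.parse("2026-04-28T21:00:00.950Z");
        Instant eeNow = caNow.plusMillis(100);

        // "now" read separately for each certificate
        Validity ca = Validity.aroundNow(caNow);
        Validity ee = Validity.aroundNow(eeNow);
        System.out.println("CA notAfter: " + ca.notAfter());
        System.out.println("EE notAfter: " + ee.notAfter());
        System.out.println("nested (separate reads): " + ee.nestsWithin(ca));

        // Assumed remedy: "now" read once and reused for both certificates
        Validity eeShared = Validity.aroundNow(caNow);
        System.out.println("nested (shared read): " + eeShared.nestsWithin(ca));
    }
}
```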
