On Tue, 28 Apr 2026 21:57:30 GMT, Artur Barashev <[email protected]> wrote:
>> Correct, and "now" is evaluated at different points in time. It would
>> almost always be during the same second and therefore no problem, but on a
>> slow system under load, or right at the edge of a second "now" might be one
>> second in the future when the EE cert has its validity created, which puts
>> the notAfter potentially one second beyond the notAfter of the CA
>> that issues it.
>
> Ok, but how does it matter for this test?

If the PKIX path building cares about validity nesting violations, possibly yes. You might not see it for a long time and then you'll get a rare failure here and there. That's why when I use CertificateBuilder to build chains I make a point of ensuring the EE cert's validity window will always be inside that of the CAs. The code as written will do that almost always, but in rare cases maybe not.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/30944#discussion_r3157482582
