OCSP update time validation seems incorrect #54

Closed
@timukasr

Description

From the description, it seems that thisUpdate and nextUpdate should be checked against system local time, but the code checks it against producedAt value from OCSP response, so no matter the system time, response is always valid:

public static void validateCertificateStatusUpdateTime(SingleResp certStatusResponse, Date producedAt) throws UserCertificateOCSPCheckFailedException {
    // From RFC 2560, https://www.ietf.org/rfc/rfc2560.txt:
    // 4.2.2. Notes on OCSP Responses
    // 4.2.2.1. Time
    // Responses whose nextUpdate value is earlier than
    // the local system time value SHOULD be considered unreliable.
    // Responses whose thisUpdate time is later than the local system time
    // SHOULD be considered unreliable.
    // If nextUpdate is not set, the responder is indicating that newer
    // revocation information is available all the time.
    final Date notAllowedBefore = new Date(producedAt.getTime() - ALLOWED_TIME_SKEW);
    final Date notAllowedAfter = new Date(producedAt.getTime() + ALLOWED_TIME_SKEW);
    final Date thisUpdate = certStatusResponse.getThisUpdate();
    final Date nextUpdate = certStatusResponse.getNextUpdate() != null ? certStatusResponse.getNextUpdate() : thisUpdate;
    if (notAllowedAfter.before(thisUpdate) ||
        notAllowedBefore.after(nextUpdate)) {
        throw new UserCertificateOCSPCheckFailedException("Certificate status update time check failed: " +
            "notAllowedBefore: " + toUtcString(notAllowedBefore) +
            ", notAllowedAfter: " + toUtcString(notAllowedAfter) +
            ", thisUpdate: " + toUtcString(thisUpdate) +
            ", nextUpdate: " + toUtcString(certStatusResponse.getNextUpdate()));
    }
}
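The difference the report describes, as an added stand-alone example that is not the project's code: the same window logic applied once relative to producedAt (the reported behaviour) and once relative to local system time (the RFC 2560 wording quoted in the comments). The class name, the 15-minute skew and the timestamps are constructed for the demonstration.

```java
import java.time.Duration;
import java.time.Instant;

// Added example: contrasts a thisUpdate/nextUpdate window anchored to producedAt
// with one anchored to the local clock. Skew value and dates are constructed.
public class OcspUpdateTimeCheck {

    static final Duration ALLOWED_TIME_SKEW = Duration.ofMinutes(15); // assumed value

    // Shared window test: thisUpdate must not be after the window's upper bound,
    // nextUpdate (or thisUpdate when nextUpdate is absent) not before its lower bound.
    static boolean withinWindow(Instant anchor, Instant thisUpdate, Instant nextUpdate) {
        Instant notAllowedBefore = anchor.minus(ALLOWED_TIME_SKEW);
        Instant notAllowedAfter = anchor.plus(ALLOWED_TIME_SKEW);
        Instant effectiveNext = nextUpdate != null ? nextUpdate : thisUpdate;
        return !(notAllowedAfter.isBefore(thisUpdate) || notAllowedBefore.isAfter(effectiveNext));
    }

    // Reported behaviour: the window travels with the response, so a response that
    // was internally consistent when produced is accepted regardless of its age.
    static boolean acceptsRelativeToProducedAt(Instant producedAt, Instant thisUpdate, Instant nextUpdate) {
        return withinWindow(producedAt, thisUpdate, nextUpdate);
    }

    // RFC 2560 4.2.2.1 reading: compare against the local system time, so a response
    // whose nextUpdate has passed (or whose thisUpdate is in the future) is rejected.
    static boolean acceptsRelativeToLocalTime(Instant now, Instant thisUpdate, Instant nextUpdate) {
        return withinWindow(now, thisUpdate, nextUpdate);
    }

    public static void main(String[] args) {
        // Constructed: a response produced a year ago that was valid for one day at the time.
        Instant producedAt = Instant.parse("2023-01-01T00:00:00Z");
        Instant thisUpdate = producedAt;
        Instant nextUpdate = producedAt.plus(Duration.ofDays(1));
        Instant now = Instant.parse("2024-01-01T00:00:00Z");

        System.out.println("producedAt-relative check accepts stale response: "
                + acceptsRelativeToProducedAt(producedAt, thisUpdate, nextUpdate));
        System.out.println("local-time check accepts stale response: "
                + acceptsRelativeToLocalTime(now, thisUpdate, nextUpdate));
    }
}
```

Running it shows the producedAt-relative check accepting the year-old response while the local-time check rejects it, which is the observation in the report.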
