8191358: Restore TSA certificate expiration check

Reviewed-by: coffeys, rhalade

src/java.base/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java

@@ -31,6 +31,7 @@ import java.security.cert.*;
 import java.util.*;
 
 import sun.security.provider.certpath.PKIX.ValidatorParams;
+import sun.security.validator.Validator;
 import sun.security.x509.X509CertImpl;
 import sun.security.util.Debug;
 
@@ -189,12 +190,21 @@ public final class PKIXCertPathValidator extends CertPathValidatorSpi {
                                              params.policyQualifiersRejected(),
                                              rootNode);
         certPathCheckers.add(pc);
-        // default value for date is current time
+
-        BasicChecker bc;
+        // the time that the certificate validity period should be
-        bc = new BasicChecker(anchor,
+        // checked against
-                (params.timestamp() == null ? params.date() :
+        Date timeToCheck = null;
-                        params.timestamp().getTimestamp()),
+        // use timestamp if checking signed code that is timestamped, otherwise
-                params.sigProvider(), false);
+        // use date parameter from PKIXParameters
+        if ((params.variant() == Validator.VAR_CODE_SIGNING ||
+             params.variant() == Validator.VAR_PLUGIN_CODE_SIGNING) &&
+             params.timestamp() != null) {
+            timeToCheck = params.timestamp().getTimestamp();
+        } else {
+            timeToCheck = params.date();
+        }
+        BasicChecker bc = new BasicChecker(anchor, timeToCheck,
+                                           params.sigProvider(), false);
         certPathCheckers.add(bc);
 
         boolean revCheckerAdded = false;