From 1e520a47cbcd2d4c671786baa4e4091c4db7eb73 Mon Sep 17 00:00:00 2001
From: Matthias Valvekens
Date: Fri, 10 Nov 2023 01:44:56 +0100
Subject: [PATCH] Flag TRY_LATER as remediable by past validation

A stale piece of revocation info can become relevant in the past, since it affects the control time of the time slide. Needs further semantic review and positive/negative tests.
---
 pyhanko/sign/validation/ades.py | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/pyhanko/sign/validation/ades.py b/pyhanko/sign/validation/ades.py
index 9d14d292..51cc081c 100644
--- a/pyhanko/sign/validation/ades.py
+++ b/pyhanko/sign/validation/ades.py
@@ -1242,7 +1242,11 @@ def _pass_contingent_on_revinfo_issuance_poe():
 )
 if best_signature_time <= validation_time:
- if current_time_sub_indic == AdESIndeterminate.REVOKED_NO_POE:
+ # TODO raise an issue with ESI about TRY_LATER here
+ if (
+ current_time_sub_indic == AdESIndeterminate.REVOKED_NO_POE
+ or current_time_sub_indic == AdESIndeterminate.TRY_LATER
+ ):
 _pass_contingent_on_revinfo_issuance_poe()
 return cert_path
 elif current_time_sub_indic in (
@@ -1703,6 +1707,7 @@ async def _validate_prima_facie_poe(
 AdESIndeterminate.OUT_OF_BOUNDS_NOT_REVOKED,
 AdESIndeterminate.CRYPTO_CONSTRAINTS_FAILURE_NO_POE,
 AdESIndeterminate.REVOCATION_OUT_OF_BOUNDS_NO_POE,
+ AdESIndeterminate.TRY_LATER,
 }
 )
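Review bot: The new `TRY_LATER` arm in the first hunk lets a path that was indeterminate at the current time return `cert_path`, so its safety rests entirely on `_pass_contingent_on_revinfo_issuance_poe()`, whose body is outside the hunk, as is the enclosing function. Before merging, confirm that the helper fails closed when `TRY_LATER` was reported because no usable revocation info could be obtained at all, rather than because the info was merely stale. Nothing in the visible lines distinguishes the two cases, and the commit message itself says the positive and negative tests are still missing. The second hunk adds the same sub-indication to the set in `_validate_prima_facie_poe`, so both places need that coverage. The TODO should also record the reasoning rather than only the follow-up, for example `# TRY_LATER: stale revocation info can still affect the control time of the time slide (TODO: raise with ESI)`. As a style point, the condition could read `if current_time_sub_indic in (AdESIndeterminate.REVOKED_NO_POE, AdESIndeterminate.TRY_LATER):` to match the `elif ... in (` that follows.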