From 58792a7d874588d3deda766984ad0de168a5ac28 Mon Sep 17 00:00:00 2001
From: Matthias Valvekens
Date: Thu, 28 Dec 2023 07:02:54 +0100
Subject: [PATCH] Take reference time into account in qualification
---
 pyhanko/sign/validation/qualified/assess.py | 2 +-
 pyhanko/sign/validation/qualified/tsp.py | 14 ++++++++------
 pyhanko_tests/test_trusted_list.py | 2 +-
 3 files changed, 10 insertions(+), 8 deletions(-)
diff --git a/pyhanko/sign/validation/qualified/assess.py b/pyhanko/sign/validation/qualified/assess.py
index bdb8e7ff..dec3983a 100644
--- a/pyhanko/sign/validation/qualified/assess.py
+++ b/pyhanko/sign/validation/qualified/assess.py
@@ -184,7 +184,7 @@ def check_entity_cert_qualified(
 prelim_status = replace(prelim_status, qualified=True)
 statuses_found: List[Tuple[CAServiceInformation, QualifiedStatus]] = []
- for sd in self._registry.applicable_tsps_on_path(path):
+ for sd in self._registry.applicable_tsps_on_path(path, reference_time):
 # For this subtlety, see the hanging para in the beginning of
 # section 4 in the CEF eSignature DSS validation algorithm doc
 putative_status = QualificationAssessor._apply_sd_qualifications(
diff --git a/pyhanko/sign/validation/qualified/tsp.py b/pyhanko/sign/validation/qualified/tsp.py
index e944f9bd..a9d6ec46 100644
--- a/pyhanko/sign/validation/qualified/tsp.py
+++ b/pyhanko/sign/validation/qualified/tsp.py
@@ -20,7 +20,6 @@ _TRSTSVC_URI_BASE = 'http://uri.etsi.org/TrstSvc'
 _TRUSTEDLIST_URI_BASE = f'{_TRSTSVC_URI_BASE}/TrustedList'
-
 __all__ = [
 'CAServiceInformation',
 'TSPRegistry',
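Review bot: `reference_time` is now compared against trusted-list validity dates inside `applicable_tsps_on_path` (the tsp.py hunk of this commit), and those dates are timezone-aware in the fixtures (`tzinfo=timezone.utc`), so a naive `reference_time` reaching this call raises `TypeError` on `valid_from <= moment` instead of producing a qualification verdict; where `reference_time` originates is not visible here, since `check_entity_cert_qualified` begins outside the hunk. Consider enforcing awareness at the boundary, e.g. `if reference_time.tzinfo is None: raise ValueError("reference_time must be timezone-aware")`, or at least document the requirement on the parameter. The same point applies to the `moment` parameter introduced in the tsp.py hunk.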
@@ -185,14 +184,17 @@ def applicable_service_definitions(
 def known_authorities(self) -> Iterable[Authority]:
 return self._cert_to_si.keys()
- # TODO take date into account (and properly track it
- # for service definitions)
 def applicable_tsps_on_path(
- self,
- path: ValidationPath,
+ self, path: ValidationPath, moment: datetime
 ) -> Generator[CAServiceInformation, None, None]:
 for ca in path.iter_authorities():
- yield from self.applicable_service_definitions(ca)
+ for service in self.applicable_service_definitions(ca):
+ valid_from = service.base_info.valid_from
+ valid_until = service.base_info.valid_until
+ if valid_from <= moment and (
+ not valid_until or valid_until >= moment
+ ):
+ yield service
 class TSPTrustManager(TrustManager):
diff --git a/pyhanko_tests/test_trusted_list.py b/pyhanko_tests/test_trusted_list.py
index 838f276b..6a4feadc 100644
--- a/pyhanko_tests/test_trusted_list.py
+++ b/pyhanko_tests/test_trusted_list.py
@@ -826,7 +826,7 @@ def test_tl_override_processing(
 DUMMY_BASE_INFO = tsp.BaseServiceInformation(
 service_type=eutl_parse.CA_QC_URI,
 service_name='Dummy',
- valid_from=datetime(2020, 11, 1, tzinfo=timezone.utc),
+ valid_from=datetime(2015, 11, 1, tzinfo=timezone.utc),
 valid_until=None,
 provider_certs=(TESTING_CA_QUALIFIED.get_cert('root'),),
 additional_info_certificate_type=frozenset([tsp.QcCertType.QC_ESIGN]),
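Review bot: The rewritten `applicable_tsps_on_path` has no docstring saying what `moment` is (the instant at which a service definition must be in force) or that both bounds are inclusive (`valid_from <= moment`, `valid_until >= moment`); a short docstring stating that, and that a `valid_until` of `None` means the service is treated as still in force, would replace the removed TODO with an actual contract. `not valid_until` relies on truthiness for an optional datetime — `valid_until is None or valid_until >= moment` states the intent directly and cannot be misread as an emptiness check. The annotation `moment: datetime` also needs `datetime` imported in tsp.py, which this diff does not show; worth confirming.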
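Review bot: Moving the fixture's `valid_from` back to 2015 only keeps the existing cases passing under the new time filter; nothing in this diff exercises the exclusion path, so a regression that drops the filter or inverts a comparison would go unnoticed. A small addition to this module could build a second `tsp.BaseServiceInformation` whose `valid_until` precedes the validation moment and assert that `applicable_tsps_on_path` omits it, plus one case at the exact boundary to pin the inclusive comparison.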