Flag TRY_LATER as remediable by past validation
A stale piece of revocation info can become relevant in the past, since
it affects the control time of the time slide.

Needs further semantic review and positive/negative tests.
MatthiasValvekens committed Nov 14, 2023
1 parent 0431059 commit 9662ac7
Showing 1 changed file with 6 additions and 1 deletion.
7 changes: 6 additions & 1 deletion pyhanko/sign/validation/ades.py
Expand Up @@ -1242,7 +1242,11 @@ def _pass_contingent_on_revinfo_issuance_poe():
)

if best_signature_time <= validation_time:
if current_time_sub_indic == AdESIndeterminate.REVOKED_NO_POE:
# TODO raise an issue with ESI about TRY_LATER here
if (
current_time_sub_indic == AdESIndeterminate.REVOKED_NO_POE
or current_time_sub_indic == AdESIndeterminate.TRY_LATER
):
_pass_contingent_on_revinfo_issuance_poe()
return cert_path
elif current_time_sub_indic in (
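Review bot: The widened condition under `if best_signature_time <= validation_time:` is documented only by a TODO about raising TRY_LATER with ESI, so a reader of the code cannot tell why TRY_LATER is allowed to share the REVOKED_NO_POE path. The rationale from the commit message (stale revocation info can become relevant in the past because it affects the control time of the time slide) belongs in that comment. It is also not visible from this hunk whether `_pass_contingent_on_revinfo_issuance_poe()` was written with only the revoked case in mind; a short note or assertion stating what it expects when the current-time result is TRY_LATER would make that explicit. On style, the two comparisons read more consistently with the `elif current_time_sub_indic in (` branch just below if written as a membership test: `if current_time_sub_indic in (AdESIndeterminate.REVOKED_NO_POE, AdESIndeterminate.TRY_LATER):`. The commit message says positive and negative tests are still needed and this commit changes only `ades.py`, so the new branch lands without test coverage.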
Expand Down Expand Up @@ -1703,6 +1707,7 @@ async def _validate_prima_facie_poe(
AdESIndeterminate.OUT_OF_BOUNDS_NOT_REVOKED,
AdESIndeterminate.CRYPTO_CONSTRAINTS_FAILURE_NO_POE,
AdESIndeterminate.REVOCATION_OUT_OF_BOUNDS_NO_POE,
AdESIndeterminate.TRY_LATER,
}
)
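Review bot: Adding `AdESIndeterminate.TRY_LATER` to this set in `_validate_prima_facie_poe` has no accompanying test, and it is the one visible member whose name is not tied to POE or to validity bounds, so it deserves a comment saying why it is considered remediable. Assuming this set decides which current-time sub-indications go on to past validation, as the commit title suggests, it has to stay in step with the TRY_LATER condition added in the earlier hunk; a negative test where revocation information is unavailable and past validation cannot establish the required POE would confirm that the outcome stays indeterminate instead of passing.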
