Take reference time into account in qualification

MatthiasValvekens · Nov 17, 2024 · c2f10c6 · c2f10c6
1 parent 1b27a63
commit c2f10c6
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 8 deletions.
diff --git a/pyhanko/sign/validation/qualified/assess.py b/pyhanko/sign/validation/qualified/assess.py
@@ -184,7 +184,7 @@ def check_entity_cert_qualified(
                 prelim_status = replace(prelim_status, qualified=True)
 
         statuses_found: List[Tuple[CAServiceInformation, QualifiedStatus]] = []
-        for sd in self._registry.applicable_tsps_on_path(path):
+        for sd in self._registry.applicable_tsps_on_path(path, reference_time):
             # For this subtlety, see the hanging para in the beginning of
             # section 4 in the CEF eSignature DSS validation algorithm doc
             putative_status = QualificationAssessor._apply_sd_qualifications(

diff --git a/pyhanko/sign/validation/qualified/tsp.py b/pyhanko/sign/validation/qualified/tsp.py
@@ -20,7 +20,6 @@
 _TRSTSVC_URI_BASE = 'http://uri.etsi.org/TrstSvc'
 _TRUSTEDLIST_URI_BASE = f'{_TRSTSVC_URI_BASE}/TrustedList'
 
-
 __all__ = [
     'CAServiceInformation',
     'TSPRegistry',
@@ -185,14 +184,17 @@ def applicable_service_definitions(
     def known_authorities(self) -> Iterable[Authority]:
         return self._cert_to_si.keys()
 
-    # TODO take date into account (and properly track it
-    #  for service definitions)
     def applicable_tsps_on_path(
-        self,
-        path: ValidationPath,
+        self, path: ValidationPath, moment: datetime
     ) -> Generator[CAServiceInformation, None, None]:
         for ca in path.iter_authorities():
-            yield from self.applicable_service_definitions(ca)
+            for service in self.applicable_service_definitions(ca):
+                valid_from = service.base_info.valid_from
+                valid_until = service.base_info.valid_until
+                if valid_from <= moment and (
+                    not valid_until or valid_until >= moment
+                ):
+                    yield service
 
 
 class TSPTrustManager(TrustManager):

diff --git a/pyhanko_tests/test_trusted_list.py b/pyhanko_tests/test_trusted_list.py
@@ -826,7 +826,7 @@ def test_tl_override_processing(
 DUMMY_BASE_INFO = tsp.BaseServiceInformation(
     service_type=eutl_parse.CA_QC_URI,
     service_name='Dummy',
-    valid_from=datetime(2020, 11, 1, tzinfo=timezone.utc),
+    valid_from=datetime(2015, 11, 1, tzinfo=timezone.utc),
     valid_until=None,
     provider_certs=(TESTING_CA_QUALIFIED.get_cert('root'),),
     additional_info_certificate_type=frozenset([tsp.QcCertType.QC_ESIGN]),