pyhanko_certvalidator.ltv package

Submodules

pyhanko_certvalidator.ltv.ades_past module

async pyhanko_certvalidator.ltv.ades_past.past_validate(path: ValidationPath, validation_policy_spec: CertValidationPolicySpec, validation_data_handlers: ValidationDataHandlers, init_control_time: datetime | None = None, best_signature_time: datetime | None = None) → datetime

Execute the ETSI EN 319 102-1 past certificate validation algorithm against the given path (ETSI EN 319 102-1, § 5.6.2.1).

Instead of merely evaluating X.509 validation constraints, the algorithm will perform a full point-in-time reevaluation of the path at the control time mandated by the specification. This implies that a caller implementing the past signature validation algorithm no longer needs to explicitly reevaluate CA certificate revocation times and/or algorithm constraints based on POEs.

Warning

This is incubating internal API.

Parameters:
  • path – The prospective validation path against which to execute the algorithm.

  • validation_policy_spec – The validation policy specification.

  • validation_data_handlers – The handlers used to manage collected certificates, revocation information and proof-of-existence records.

  • init_control_time – Initial control time; defaults to the current time.

  • best_signature_time – Usage time to use in freshness computations.

Returns:

The control time returned by the time sliding algorithm. Informally, the last time at which the certificate was known to be valid.

pyhanko_certvalidator.ltv.errors module

exception pyhanko_certvalidator.ltv.errors.PastValidatePrecheckFailure(message: str)

Bases: ValidationError

exception pyhanko_certvalidator.ltv.errors.TimeSlideFailure(message: str)

Bases: ValidationError

pyhanko_certvalidator.ltv.poe module

class pyhanko_certvalidator.ltv.poe.ValidationObjectType(value, names=None, *, module=None, qualname=None, type=None, start=1, boundary=None)

Bases: Enum

Types of validation objects recognised by ETSI TS 119 102-2.

CERTIFICATE = 'certificate'
CRL = 'CRL'
OCSP_RESPONSE = 'OCSPResponse'
TIMESTAMP = 'timestamp'
EVIDENCE_RECORD = 'evidencerecord'
PUBLIC_KEY = 'publicKey'
SIGNED_DATA = 'signedData'
OTHER = 'other'
urn()

class pyhanko_certvalidator.ltv.poe.ValidationObject(object_type: ValidationObjectType, value: Any)

Bases: object

A validation object used in the course of a validation operation for which proofs of existence can potentially be gathered.

object_type: ValidationObjectType

The type of validation object.

value: Any

The actual object.

Currently, the following types are supported explicitly. Others must currently be supplied as bytes.

class pyhanko_certvalidator.ltv.poe.POEType(value, names=None, *, module=None, qualname=None, type=None, start=1, boundary=None)

Bases: Enum

PROVIDED = 'provided'
VALIDATION = 'validation'
POLICY = 'policy'
property urn: str

class pyhanko_certvalidator.ltv.poe.KnownPOE(poe_type: pyhanko_certvalidator.ltv.poe.POEType, digest: bytes, poe_time: datetime.datetime, validation_object: pyhanko_certvalidator.ltv.poe.ValidationObject | None = None)

Bases: object

poe_type: POEType
digest: bytes
poe_time: datetime
validation_object: ValidationObject | None = None

class pyhanko_certvalidator.ltv.poe.POEManager(current_dt_override: datetime | None = None)

Bases: object

Class to manage proof-of-existence (POE) claims.

Parameters:

current_dt_override – Override the current time.

register(data: bytes | CRLContainer | OCSPContainer | Certificate, poe_type: POEType, dt: datetime | None = None) → KnownPOE

Register a new POE claim if no POE for an earlier time is available.

Parameters:
  • data – Data to register a POE claim for.

  • poe_type – The type of POE.

  • dt – The POE time to register. If None, assume the current time.

Returns:

The oldest POE datetime available.

register_by_digest(digest: bytes, poe_type: POEType, dt: datetime | None = None) → KnownPOE

Register a new POE claim if no POE for an earlier time is available.

Parameters:
  • digest – SHA-256 digest of the data to register a POE claim for.

  • dt – The POE time to register. If None, assume the current time.

  • poe_type – The type of POE.

Returns:

The oldest POE datetime available.

register_known_poe(known_poe: KnownPOE) → KnownPOE

Register a new POE claim if no POE for an earlier time is available.

Parameters:

known_poe – The POE object to register.

Returns:

The oldest POE for the given digest.

pyhanko_certvalidator.ltv.poe.digest_for_poe(data: bytes) → bytes
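
Added example (not part of pyhanko-certvalidator or its documentation): a self-contained model of the registration rule documented for POEManager, where a claim is stored only if no earlier POE exists for the same SHA-256 digest and the oldest POE is returned. EarliestPoeRegistry, PoeRecord, existed_by and demo are hypothetical names that do not exist in the library, and the sample data and times are constructed.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional


@dataclass(frozen=True)
class PoeRecord:  # hypothetical stand-in for the KnownPOE fields
    poe_type: str  # 'provided', 'validation' or 'policy'
    digest: bytes
    poe_time: datetime


class EarliestPoeRegistry:
    """Toy model of earliest-wins POE bookkeeping (not the library's POEManager)."""

    def __init__(self, current_dt_override: Optional[datetime] = None):
        self._now = current_dt_override
        self._by_digest: Dict[bytes, PoeRecord] = {}

    def register(self, data: bytes, poe_type: str, dt: Optional[datetime] = None) -> PoeRecord:
        if dt is None:  # no time supplied: assume the (possibly overridden) current time
            dt = self._now or datetime.now(timezone.utc)
        digest = hashlib.sha256(data).digest()
        known = self._by_digest.get(digest)
        # A later claim never displaces an earlier one: the oldest POE wins.
        if known is None or dt < known.poe_time:
            known = self._by_digest[digest] = PoeRecord(poe_type, digest, dt)
        return known

    def existed_by(self, data: bytes, control_time: datetime) -> bool:
        """Hypothetical helper: is there a POE at or before control_time?"""
        known = self._by_digest.get(hashlib.sha256(data).digest())
        return known is not None and known.poe_time <= control_time


def demo():
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed clock
    registry = EarliestPoeRegistry(current_dt_override=now)
    crl = b"constructed CRL bytes"
    first = registry.register(crl, "validation")  # first seen while validating
    older = registry.register(crl, "provided", now - timedelta(days=400))
    newer = registry.register(crl, "validation", now - timedelta(days=1))
    control_time = now - timedelta(days=365)
    return first.poe_time, older.poe_time, newer.poe_time, registry.existed_by(crl, control_time)
```

In this model, the POE supplied for 400 days ago replaces the one taken at validation time, and the later claim from one day ago is ignored, so the object counts as existing before a control time set one year back.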

pyhanko_certvalidator.ltv.time_slide module

async pyhanko_certvalidator.ltv.time_slide.time_slide(path: ValidationPath, init_control_time: datetime, revinfo_manager: RevinfoManager, rev_trust_policy: CertRevTrustPolicy, algo_usage_policy: AlgorithmUsagePolicy | None, time_tolerance: timedelta) → datetime

Execute the ETSI EN 319 102-1 time slide algorithm against the given path.

Warning

This is incubating internal API.

Note

This implementation will also attempt to take into account chains of trust of indirect CRLs. This is not a requirement of the specification, but also somewhat unlikely to arise in practice in cases where AdES compliance actually matters.

Parameters:
  • path – The prospective validation path against which to execute the time slide algorithm.

  • init_control_time – The initial control time, typically the current time.

  • revinfo_manager – The revocation info manager.

  • rev_trust_policy – The trust policy for revocation information.

  • algo_usage_policy – The algorithm usage policy.

  • time_tolerance – The tolerance to apply when evaluating time-related constraints.

Returns:

The resulting control time.

async pyhanko_certvalidator.ltv.time_slide.ades_gather_prima_facie_revinfo(path: ValidationPath, revinfo_manager: RevinfoManager, control_time: datetime, revocation_checking_rule: RevocationCheckingRule) → Tuple[List[CRLOfInterest], List[OCSPResponseOfInterest]]

Gather potentially relevant revocation information for the leaf certificate of a candidate validation path. Only the scope of the revocation information will be checked, no detailed validation will occur.

Parameters:
  • path – The candidate validation path.

  • revinfo_manager – The revocation info manager.

  • control_time – The time horizon that serves as a relevance cutoff.

  • revocation_checking_rule – Revocation info rule controlling which kind(s) of revocation information will be fetched.

Returns:

A 2-element tuple containing a list of the fetched CRLs and OCSP responses, respectively.

pyhanko_certvalidator.ltv.types module

class pyhanko_certvalidator.ltv.types.ValidationTimingInfo(validation_time: datetime.datetime, best_signature_time: datetime.datetime, point_in_time_validation: bool)

Bases: object

validation_time: datetime
best_signature_time: datetime
point_in_time_validation: bool
classmethod now(tz: tzinfo | None = None) → ValidationTimingInfo

class pyhanko_certvalidator.ltv.types.ValidationTimingParams(timing_info: pyhanko_certvalidator.ltv.types.ValidationTimingInfo, time_tolerance: datetime.timedelta)

Bases: object

timing_info: ValidationTimingInfo
time_tolerance: timedelta
property validation_time
property best_signature_time
property point_in_time_validation

class pyhanko_certvalidator.ltv.types.IssuedItemContainer

Bases: ABC

A container for some data object issued by an entity (e.g. a certificate).

property issuance_date: datetime | None

The issuance date of the item.

Module contents