Is it possible to distinguish the ValidationContext for signer and timestamp authority ? #283
-
|
Hello, First of all, thank you for the excellent work. I'm trying to validate timestamped signatures, but the TSA root CA, is different from the signer's root CA, and I would like (although I admit its a remote possibility) to ensure that the validation could not occur if, eg. the TSA root CA is used for signing (or conversely a trusted signer's root CA's approved certificate used to timestamp the signature). Basically, I would like to make sure that the validation is made with respect to the intended role of each of the CA's I tried (but figured out this is not meant that way) the various trust_root, trust_root_extra, other_certs etc. Is there a way to achieve that goal currently ? |
Beta Was this translation helpful? Give feedback.
Replies: 2 comments
-
|
Hi @GaelC92, Yes, indeed, most validation APIs in pyHanko allow you to supply a separate validation policy for timestamps (and also for attribute certificates, incidentally). Examples:
Hope that helps :). If not, there are other ways to qualify trust very granularly, but those tend to be overkill outside of some very specific use cases. |
Beta Was this translation helpful? Give feedback.
-
|
Thanks a lot ! |
Beta Was this translation helpful? Give feedback.
Hi @GaelC92,
Yes, indeed, most validation APIs in pyHanko allow you to supply a separate validation policy for timestamps (and also for attribute certificates, incidentally).
Examples:
ts_validation_contextinasync_validate_pdf_signature: https://pyhanko.readthedocs.io/en/latest/api-docs/pyhanko.sign.validation.html#pyhanko.sign.validation.pdf_embedded.async_validate_pdf_signaturets_cert_validation_policyinSignatureValidationSpec(in the new, experimental AdES validation package): https://pyhanko.readthedocs.io/en/latest/api-docs/pyhanko.sign.validation.html#pyhanko.sign.validation.policy_decl.SignatureValidationSpec.ts_cert_validation_policyHope that helps :). If not, there are ot…