Hi @lnagel, thanks for opening this PR and for the detailed issue writeup in #13!

This looks like a legitimate gap in the validation logic, we'll take a closer look at the changes and the test coverage.
Before we dive into the review, it would be helpful to understand the context a bit better: could you explain in more detail how you came across this problem? Was this something you hit in production, or did you discover it through a code review / audit? Also, we're curious how you and your team are using pyasice. What's your use case and setup? Understanding that would help us evaluate the impact and make sure the fix works well for the scenarios people actually rely on.

We'll get back to you with a proper review soon. Thanks again for the contribution!

could you explain in more detail how you came across this problem? Was this something you hit in production, or did you discover it through a code review / audit?

Our customers have been sporadically experiencing situations where the signing process succeeds normally, but later when opening the .asice containers, the signatures render as "invalid" -- legally not binding. We have been tracing this for a while now and performed a security and compliance audit to pyasice. We covered several gaps in the implementation vs. required standards. This bugfix here is for the case where an incorrect OCSP server was consulted and pyasice considered its response a success, when in reality, that server replied with "certificate status unknown". In reality, for newer Smart ID certificates, a different server must be consulted.

I filed the results of that audit into GitHub issue tickets in case they might be of use.

Also, we're curious how you and your team are using pyasice. What's your use case and setup? Understanding that would help us evaluate the impact and make sure the fix works well for the scenarios people actually rely on.

We currently have a digital signing service in production with pyasice deployed on a public cloud. Basically this uses all the big three signing methods: smart-id, mobile-id and smartcards. This was built around pyasice as it was very convenient for handling the container files directly from an async Python context.

After review of the compliance audit results, consulting with the customer and within the team, we decided ultimately to switch to using libdigidocpp and libcdoc directly from python.

For this purpose we are publishing and maintaining now the Python bindings for both libraries:

• https://pypi.org/project/pydigidoc/
• https://pypi.org/project/pycdoc/

Sources for the bindings are available in GitHub at:

• https://github.com/namespace-ee/pydigidoc
• https://github.com/namespace-ee/pycdoc