fix(signature): return 422 for certificate validation failures

vitormattos · backportbot-libresign[bot] · commit 952cd8c41c06 · 2026-03-05T23:40:13.000Z
Differentiate certificate validation errors from missing-signature-password flow.\n\nUse HTTP 422 for revoked, invalid, expired, and unverifiable revocation status cases to avoid incorrect UI actions.

Signed-off-by: Vitor Mattos &lt;1079143+vitormattos@users.noreply.github.com&gt;
diff --git a/lib/Service/IdentifyMethod/SignatureMethod/Password.php b/lib/Service/IdentifyMethod/SignatureMethod/Password.php
@@ -63,19 +63,19 @@ private function validateCertificateRevocation(array $certificateData): void {
 		// fail-closed – we cannot confirm the certificate is not revoked.
 		throw new LibresignException(
 			$this->identifyService->getL10n()->t('Certificate revocation status could not be verified'),
-			400
+			422
 		);
 	}
 
 	private function validateCertificateExpiration(array $certificateData): void {
 		if (array_key_exists('validTo_time_t', $certificateData)) {
 			$validTo = $certificateData['validTo_time_t'];
 			if (!is_int($validTo)) {
-				throw new LibresignException($this->identifyService->getL10n()->t('Invalid certificate'), 400);
+				throw new LibresignException($this->identifyService->getL10n()->t('Invalid certificate'), 422);
 			}
 			$now = (new \DateTime())->getTimestamp();
 			if ($validTo <= $now) {
-				throw new LibresignException($this->identifyService->getL10n()->t('Certificate has expired'), 400);
+				throw new LibresignException($this->identifyService->getL10n()->t('Certificate has expired'), 422);
 			}
 		}
 	}

Original file line number	Diff line number	Diff line change
`@@ -63,19 +63,19 @@ private function validateCertificateRevocation(array $certificateData): void {`
`63`	`63`	`// fail-closed – we cannot confirm the certificate is not revoked.`
`64`	`64`	`throw new LibresignException(`
`65`	`65`	`$this->identifyService->getL10n()->t('Certificate revocation status could not be verified'),`
`66`		`- 400`
	`66`	`+ 422`
`67`	`67`	`);`
`68`	`68`	`}`
`69`	`69`
`70`	`70`	`private function validateCertificateExpiration(array $certificateData): void {`
`71`	`71`	`if (array_key_exists('validTo_time_t', $certificateData)) {`
`72`	`72`	`$validTo = $certificateData['validTo_time_t'];`
`73`	`73`	`if (!is_int($validTo)) {`
`74`		`- throw new LibresignException($this->identifyService->getL10n()->t('Invalid certificate'), 400);`
	`74`	`+ throw new LibresignException($this->identifyService->getL10n()->t('Invalid certificate'), 422);`
`75`	`75`	`}`
`76`	`76`	`$now = (new \DateTime())->getTimestamp();`
`77`	`77`	`if ($validTo <= $now) {`
`78`		`- throw new LibresignException($this->identifyService->getL10n()->t('Certificate has expired'), 400);`
	`78`	`+ throw new LibresignException($this->identifyService->getL10n()->t('Certificate has expired'), 422);`
`79`	`79`	`}`
`80`	`80`	`}`
`81`	`81`	`}`