CertificateBuilder accepts aware datetimes for not_valid_after and not_valid_before (#2920)

* CertificateBuilder accepts aware datetimes for not_valid_after and not_valid_before
These functions now accept aware datetimes and convert them to UTC

* Added pytz to test requirements

* Correct pep8 error and improve Changelog wording

* Improve tests and clarify changelog message

* Trim Changelog line length

* Allow RevokedCertificateBuilder and CertificateRevocationListBuilder to accept aware datetimes

* Fix accidental changelog entry
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 44f230a..fad6454 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -20,6 +20,10 @@
   methods to ECDSA keys.
 * Switched back to the older callback model on Python 3.5 in order to mitigate
   the locking callback problem with OpenSSL <1.1.0.
+* :class:`~cryptography.x509.CertificateBuilder`,
+  :class:`~cryptography.x509.CertificateRevocationListBuilder`, and
+  :class:`~cryptography.x509.RevokedCertificateBuilder` now accept timezone
+  aware ``datetime`` objects as method arguments
 
 
 1.4 - 2016-06-04
diff --git a/setup.py b/setup.py
index 3bacae7..b5c05df 100644
--- a/setup.py
+++ b/setup.py
@@ -62,6 +62,7 @@
     "pretend",
     "iso8601",
     "pyasn1_modules",
+    "pytz",
 ]
 if sys.version_info[:2] > (2, 6):
     test_requirements.append("hypothesis>=1.11.4")
diff --git a/src/cryptography/x509/base.py b/src/cryptography/x509/base.py
index 5c4e3aa..156bc49 100644
--- a/src/cryptography/x509/base.py
+++ b/src/cryptography/x509/base.py
@@ -19,6 +19,20 @@
 _UNIX_EPOCH = datetime.datetime(1970, 1, 1)
 
 
+def _convert_to_naive_utc_time(time):
+    """Normalizes a datetime to a naive datetime in UTC.
+
+    time -- datetime to normalize. Assumed to be in UTC if not timezone
+            aware.
+    """
+    if time.tzinfo is not None:
+        offset = time.utcoffset()
+        offset = offset if offset else datetime.timedelta()
+        return time.replace(tzinfo=None) - offset
+    else:
+        return time
+
+
 class Version(Enum):
     v1 = 0
     v3 = 2
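Review bot: The docstring of `_convert_to_naive_utc_time` states what is returned but not why the result must be naive: `_UNIX_EPOCH` two lines above the helper is a naive datetime, and Python raises TypeError when an aware datetime is ordered against a naive one, so every caller's `<= _UNIX_EPOCH` check in the later hunks depends on the tzinfo being stripped here. I would add to the docstring `Returns a naive datetime so callers can compare it with the naive _UNIX_EPOCH; comparing an aware value with a naive one raises TypeError.` It is also worth recording that a tzinfo whose `utcoffset()` returns None is treated as offset zero rather than rejected, which is what the `offset if offset else datetime.timedelta()` fallback does; a one-line comment on that line, `# utcoffset() may return None; treat such values as already UTC.`, makes the intent explicit.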
@@ -447,6 +461,7 @@
             raise TypeError('Expecting datetime object.')
         if self._not_valid_before is not None:
             raise ValueError('The not valid before may only be set once.')
+        time = _convert_to_naive_utc_time(time)
         if time <= _UNIX_EPOCH:
             raise ValueError('The not valid before date must be after the unix'
                              ' epoch (1970 January 1).')
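Review bot: The normalization is inserted after the TypeError guard and before the epoch comparison, which is the correct order, but the public methods' docstrings (the method bodies start outside the hunk) are not updated to state the new contract: aware values are converted to naive UTC and naive values are assumed to already be UTC, so a caller passing a naive local time gets it encoded as UTC. The same applies to the hunks at not_valid_after, last_update, next_update and revocation_date below. Suggested wording for each method: `Timezone-aware datetimes are converted to UTC; naive datetimes are assumed to be in UTC.` Whether such docstrings exist at all I cannot see from this hunk.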
@@ -469,6 +484,7 @@
             raise TypeError('Expecting datetime object.')
         if self._not_valid_after is not None:
             raise ValueError('The not valid after may only be set once.')
+        time = _convert_to_naive_utc_time(time)
         if time <= _UNIX_EPOCH:
             raise ValueError('The not valid after date must be after the unix'
                              ' epoch (1970 January 1).')
@@ -553,6 +569,7 @@
             raise TypeError('Expecting datetime object.')
         if self._last_update is not None:
             raise ValueError('Last update may only be set once.')
+        last_update = _convert_to_naive_utc_time(last_update)
         if last_update <= _UNIX_EPOCH:
             raise ValueError('The last update date must be after the unix'
                              ' epoch (1970 January 1).')
@@ -570,6 +587,7 @@
             raise TypeError('Expecting datetime object.')
         if self._next_update is not None:
             raise ValueError('Last update may only be set once.')
+        next_update = _convert_to_naive_utc_time(next_update)
         if next_update <= _UNIX_EPOCH:
             raise ValueError('The last update date must be after the unix'
                              ' epoch (1970 January 1).')
@@ -655,6 +673,7 @@
             raise TypeError('Expecting datetime object.')
         if self._revocation_date is not None:
             raise ValueError('The revocation date may only be set once.')
+        time = _convert_to_naive_utc_time(time)
         if time <= _UNIX_EPOCH:
             raise ValueError('The revocation date must be after the unix'
                              ' epoch (1970 January 1).')
diff --git a/tests/test_x509.py b/tests/test_x509.py
index 1ce8c61..b1d627c 100644
--- a/tests/test_x509.py
+++ b/tests/test_x509.py
@@ -16,6 +16,8 @@
 
 import pytest
 
+import pytz
+
 import six
 
 from cryptography import utils, x509
@@ -1745,6 +1747,30 @@
         with pytest.raises(ValueError):
             builder.serial_number(20)
 
+    @pytest.mark.requires_backend_interface(interface=RSABackend)
+    @pytest.mark.requires_backend_interface(interface=X509Backend)
+    def test_aware_not_valid_after(self, backend):
+        time = datetime.datetime(2012, 1, 16, 22, 43)
+        tz = pytz.timezone("US/Pacific")
+        time = tz.localize(time)
+        utc_time = datetime.datetime(2012, 1, 17, 6, 43)
+        private_key = RSA_KEY_2048.private_key(backend)
+        cert_builder = x509.CertificateBuilder().not_valid_after(time)
+        cert_builder = cert_builder.subject_name(
+            x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
+        ).issuer_name(
+            x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
+        ).serial_number(
+            1
+        ).public_key(
+            private_key.public_key()
+        ).not_valid_before(
+            utc_time - datetime.timedelta(days=365)
+        )
+
+        cert = cert_builder.sign(private_key, hashes.SHA256(), backend)
+        assert cert.not_valid_after == utc_time
+
     def test_invalid_not_valid_after(self):
         with pytest.raises(TypeError):
             x509.CertificateBuilder().not_valid_after(104204304504)
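Review bot: Both new tests use only `US/Pacific`, a zone west of UTC, so the conversion is exercised for a negative offset only; a positive-offset zone and the zero-offset path of `_convert_to_naive_utc_time` (where `utcoffset()` is a zero timedelta, which is falsy, so the `offset if offset else datetime.timedelta()` fallback is taken) are not covered. A case using `pytz.utc` asserting the stored value equals the input with tzinfo stripped, and one with an east-of-UTC zone, would pin both branches. The same applies to test_aware_not_valid_before below and to the test additions in tests/test_x509_crlbuilder.py and tests/test_x509_revokedcertbuilder.py.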
@@ -1767,6 +1793,30 @@
                 datetime.datetime.now()
             )
 
+    @pytest.mark.requires_backend_interface(interface=RSABackend)
+    @pytest.mark.requires_backend_interface(interface=X509Backend)
+    def test_aware_not_valid_before(self, backend):
+        time = datetime.datetime(2012, 1, 16, 22, 43)
+        tz = pytz.timezone("US/Pacific")
+        time = tz.localize(time)
+        utc_time = datetime.datetime(2012, 1, 17, 6, 43)
+        private_key = RSA_KEY_2048.private_key(backend)
+        cert_builder = x509.CertificateBuilder().not_valid_before(time)
+        cert_builder = cert_builder.subject_name(
+            x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
+        ).issuer_name(
+            x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
+        ).serial_number(
+            1
+        ).public_key(
+            private_key.public_key()
+        ).not_valid_after(
+            utc_time + datetime.timedelta(days=366)
+        )
+
+        cert = cert_builder.sign(private_key, hashes.SHA256(), backend)
+        assert cert.not_valid_before == utc_time
+
     def test_invalid_not_valid_before(self):
         with pytest.raises(TypeError):
             x509.CertificateBuilder().not_valid_before(104204304504)
diff --git a/tests/test_x509_crlbuilder.py b/tests/test_x509_crlbuilder.py
index 96311ee..0d29a3e 100644
--- a/tests/test_x509_crlbuilder.py
+++ b/tests/test_x509_crlbuilder.py
@@ -8,6 +8,8 @@
 
 import pytest
 
+import pytz
+
 from cryptography import x509
 from cryptography.hazmat.backends.interfaces import (
     DSABackend, EllipticCurveBackend, RSABackend, X509Backend
@@ -36,6 +38,24 @@
                 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
             )
 
+    @pytest.mark.requires_backend_interface(interface=RSABackend)
+    @pytest.mark.requires_backend_interface(interface=X509Backend)
+    def test_aware_last_update(self, backend):
+        last_time = datetime.datetime(2012, 1, 16, 22, 43)
+        tz = pytz.timezone("US/Pacific")
+        last_time = tz.localize(last_time)
+        utc_last = datetime.datetime(2012, 1, 17, 6, 43)
+        next_time = datetime.datetime(2022, 1, 17, 6, 43)
+        private_key = RSA_KEY_2048.private_key(backend)
+        builder = x509.CertificateRevocationListBuilder().issuer_name(
+            x509.Name([
+                x509.NameAttribute(NameOID.COMMON_NAME, u"cryptography.io CA")
+            ])
+        ).last_update(last_time).next_update(next_time)
+
+        crl = builder.sign(private_key, hashes.SHA256(), backend)
+        assert crl.last_update == utc_last
+
     def test_last_update_invalid(self):
         builder = x509.CertificateRevocationListBuilder()
         with pytest.raises(TypeError):
@@ -53,6 +73,24 @@
         with pytest.raises(ValueError):
             builder.last_update(datetime.datetime(2002, 1, 1, 12, 1))
 
+    @pytest.mark.requires_backend_interface(interface=RSABackend)
+    @pytest.mark.requires_backend_interface(interface=X509Backend)
+    def test_aware_next_update(self, backend):
+        next_time = datetime.datetime(2022, 1, 16, 22, 43)
+        tz = pytz.timezone("US/Pacific")
+        next_time = tz.localize(next_time)
+        utc_next = datetime.datetime(2022, 1, 17, 6, 43)
+        last_time = datetime.datetime(2012, 1, 17, 6, 43)
+        private_key = RSA_KEY_2048.private_key(backend)
+        builder = x509.CertificateRevocationListBuilder().issuer_name(
+            x509.Name([
+                x509.NameAttribute(NameOID.COMMON_NAME, u"cryptography.io CA")
+            ])
+        ).last_update(last_time).next_update(next_time)
+
+        crl = builder.sign(private_key, hashes.SHA256(), backend)
+        assert crl.next_update == utc_next
+
     def test_next_update_invalid(self):
         builder = x509.CertificateRevocationListBuilder()
         with pytest.raises(TypeError):
diff --git a/tests/test_x509_revokedcertbuilder.py b/tests/test_x509_revokedcertbuilder.py
index bd64b60..e3a0650 100644
--- a/tests/test_x509_revokedcertbuilder.py
+++ b/tests/test_x509_revokedcertbuilder.py
@@ -8,6 +8,8 @@
 
 import pytest
 
+import pytz
+
 from cryptography import x509
 from cryptography.hazmat.backends.interfaces import X509Backend
 
@@ -58,6 +60,22 @@
         with pytest.raises(ValueError):
             builder.serial_number(4)
 
+    @pytest.mark.requires_backend_interface(interface=X509Backend)
+    def test_aware_revocation_date(self, backend):
+        time = datetime.datetime(2012, 1, 16, 22, 43)
+        tz = pytz.timezone("US/Pacific")
+        time = tz.localize(time)
+        utc_time = datetime.datetime(2012, 1, 17, 6, 43)
+        serial_number = 333
+        builder = x509.RevokedCertificateBuilder().serial_number(
+            serial_number
+        ).revocation_date(
+            time
+        )
+
+        revoked_certificate = builder.build(backend)
+        assert revoked_certificate.revocation_date == utc_time
+
     def test_revocation_date_invalid(self):
         with pytest.raises(TypeError):
             x509.RevokedCertificateBuilder().revocation_date("notadatetime")