Add the ability to set a custom verification time on X509Store (#567)
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index efc008b..19cebf1 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -23,7 +23,8 @@
Changes:
^^^^^^^^
-*none*
+- Added ``OpenSSL.X509Store.set_time()`` to set a custom verification time when verifying certificate chains.
+ `#567 <https://github.com/pyca/pyopenssl/pull/567>`_
----
diff --git a/setup.py b/setup.py
index d4c27ad..4cdf59e 100755
--- a/setup.py
+++ b/setup.py
@@ -95,7 +95,7 @@
package_dir={"": "src"},
install_requires=[
# Fix cryptographyMinimum in tox.ini when changing this!
- "cryptography>=1.3.4",
+ "cryptography>=1.6",
"six>=1.5.2"
],
)
diff --git a/src/OpenSSL/crypto.py b/src/OpenSSL/crypto.py
index 79440d7..3c8b26b 100644
--- a/src/OpenSSL/crypto.py
+++ b/src/OpenSSL/crypto.py
@@ -1520,6 +1520,28 @@
"""
_openssl_assert(_lib.X509_STORE_set_flags(self._store, flags) != 0)
+ def set_time(self, vfy_time):
+ """
+ Set the time against which the certificates are verified.
+
+ Normally the current time is used.
+
+ .. note::
+
+ For example, you can determine if a certificate was valid at a given
+ time.
+
+ .. versionadded:: 16.3.0
+
+ :param datetime vfy_time: The verification time to set on this store.
+ :return: ``None`` if the verification time was successfully set.
+ """
+ param = _lib.X509_VERIFY_PARAM_new()
+ param = _ffi.gc(param, _lib.X509_VERIFY_PARAM_free)
+
+ _lib.X509_VERIFY_PARAM_set_time(param, int(vfy_time.strftime('%s')))
+ _openssl_assert(_lib.X509_STORE_set1_param(self._store, param) != 0)
+
X509StoreType = X509Store
diff --git a/tests/test_crypto.py b/tests/test_crypto.py
index e75e3ad..e4cf496 100644
--- a/tests/test_crypto.py
+++ b/tests/test_crypto.py
@@ -3728,6 +3728,27 @@
store_ctx.set_store(store_good)
self.assertEqual(store_ctx.verify_certificate(), None)
+ def test_verify_with_time(self):
+ """
+ `verify_certificate` raises error when the verification time is
+ set at notAfter.
+ """
+ store = X509Store()
+ store.add_cert(self.root_cert)
+ store.add_cert(self.intermediate_cert)
+
+ expire_time = self.intermediate_server_cert.get_notAfter()
+ expire_datetime = datetime.strptime(
+ expire_time.decode('utf-8'), '%Y%m%d%H%M%SZ'
+ )
+ store.set_time(expire_datetime)
+
+ store_ctx = X509StoreContext(store, self.intermediate_server_cert)
+ with pytest.raises(X509StoreContextError) as exc:
+ store_ctx.verify_certificate()
+
+ assert exc.value.args[0][2] == 'certificate has expired'
+
class SignVerifyTests(TestCase):
"""
diff --git a/tox.ini b/tox.ini
index 964b88c..f323bb0 100644
--- a/tox.ini
+++ b/tox.ini
@@ -9,7 +9,7 @@
coverage>=4.2
pytest>=3.0.1
cryptographyMaster: git+https://github.com/pyca/cryptography.git
- cryptographyMinimum: cryptography<1.4
+ cryptographyMinimum: cryptography<1.7
setenv =
# Do not allow the executing environment to pollute the test environment
# with extra packages.