diff options
author | InvalidInterrupt <InvalidInterrupt@users.noreply.github.com> | 2016-08-16 19:39:31 -0700 |
---|---|---|
committer | Alex Gaynor <alex.gaynor@gmail.com> | 2016-08-16 22:39:31 -0400 |
commit | 8e66ca6813016d9fc6f57d5f1e50530fc39f78ae (patch) | |
tree | 630a57899cf44a6c98f7928c065da04f16504267 | |
parent | dcbd220ee6b4e23f292897e1d6b1e26004ecfd64 (diff) | |
download | cryptography-8e66ca6813016d9fc6f57d5f1e50530fc39f78ae.tar.gz cryptography-8e66ca6813016d9fc6f57d5f1e50530fc39f78ae.tar.bz2 cryptography-8e66ca6813016d9fc6f57d5f1e50530fc39f78ae.zip |
CertificateBuilder accepts aware datetimes for not_valid_after and not_valid_before (#2920)
* CertificateBuilder accepts aware datetimes for not_valid_after and not_valid_before
These functions now accept aware datetimes and convert them to UTC
* Added pytz to test requirements
* Correct pep8 error and improve Changelog wording
* Improve tests and clarify changelog message
* Trim Changelog line length
* Allow RevokedCertificateBuilder and CertificateRevocationListBuilder to accept aware datetimes
* Fix accidental changelog entry
-rw-r--r-- | CHANGELOG.rst | 4 | ||||
-rw-r--r-- | setup.py | 1 | ||||
-rw-r--r-- | src/cryptography/x509/base.py | 19 | ||||
-rw-r--r-- | tests/test_x509.py | 50 | ||||
-rw-r--r-- | tests/test_x509_crlbuilder.py | 38 | ||||
-rw-r--r-- | tests/test_x509_revokedcertbuilder.py | 18 |
6 files changed, 130 insertions, 0 deletions
diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 44f230ad..fad6454e 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -20,6 +20,10 @@ Changelog methods to ECDSA keys. * Switched back to the older callback model on Python 3.5 in order to mitigate the locking callback problem with OpenSSL <1.1.0. +* :class:`~cryptography.x509.CertificateBuilder`, + :class:`~cryptography.x509.CertificateRevocationListBuilder`, and + :class:`~cryptography.x509.RevokedCertificateBuilder` now accept timezone + aware ``datetime`` objects as method arguments 1.4 - 2016-06-04 @@ -62,6 +62,7 @@ test_requirements = [ "pretend", "iso8601", "pyasn1_modules", + "pytz", ] if sys.version_info[:2] > (2, 6): test_requirements.append("hypothesis>=1.11.4") diff --git a/src/cryptography/x509/base.py b/src/cryptography/x509/base.py index 5c4e3aad..156bc493 100644 --- a/src/cryptography/x509/base.py +++ b/src/cryptography/x509/base.py @@ -19,6 +19,20 @@ from cryptography.x509.name import Name _UNIX_EPOCH = datetime.datetime(1970, 1, 1) +def _convert_to_naive_utc_time(time): + """Normalizes a datetime to a naive datetime in UTC. + + time -- datetime to normalize. Assumed to be in UTC if not timezone + aware. + """ + if time.tzinfo is not None: + offset = time.utcoffset() + offset = offset if offset else datetime.timedelta() + return time.replace(tzinfo=None) - offset + else: + return time + + class Version(Enum): v1 = 0 v3 = 2 @@ -447,6 +461,7 @@ class CertificateBuilder(object): raise TypeError('Expecting datetime object.') if self._not_valid_before is not None: raise ValueError('The not valid before may only be set once.') + time = _convert_to_naive_utc_time(time) if time <= _UNIX_EPOCH: raise ValueError('The not valid before date must be after the unix' ' epoch (1970 January 1).') @@ -469,6 +484,7 @@ class CertificateBuilder(object): raise TypeError('Expecting datetime object.') if self._not_valid_after is not None: raise ValueError('The not valid after may only be set once.') + time = _convert_to_naive_utc_time(time) if time <= _UNIX_EPOCH: raise ValueError('The not valid after date must be after the unix' ' epoch (1970 January 1).') @@ -553,6 +569,7 @@ class CertificateRevocationListBuilder(object): raise TypeError('Expecting datetime object.') if self._last_update is not None: raise ValueError('Last update may only be set once.') + last_update = _convert_to_naive_utc_time(last_update) if last_update <= _UNIX_EPOCH: raise ValueError('The last update date must be after the unix' ' epoch (1970 January 1).') @@ -570,6 +587,7 @@ class CertificateRevocationListBuilder(object): raise TypeError('Expecting datetime object.') if self._next_update is not None: raise ValueError('Last update may only be set once.') + next_update = _convert_to_naive_utc_time(next_update) if next_update <= _UNIX_EPOCH: raise ValueError('The last update date must be after the unix' ' epoch (1970 January 1).') @@ -655,6 +673,7 @@ class RevokedCertificateBuilder(object): raise TypeError('Expecting datetime object.') if self._revocation_date is not None: raise ValueError('The revocation date may only be set once.') + time = _convert_to_naive_utc_time(time) if time <= _UNIX_EPOCH: raise ValueError('The revocation date must be after the unix' ' epoch (1970 January 1).') diff --git a/tests/test_x509.py b/tests/test_x509.py index 1ce8c611..b1d627c3 100644 --- a/tests/test_x509.py +++ b/tests/test_x509.py @@ -16,6 +16,8 @@ from pyasn1_modules import rfc2459 import pytest +import pytz + import six from cryptography import utils, x509 @@ -1745,6 +1747,30 @@ class TestCertificateBuilder(object): with pytest.raises(ValueError): builder.serial_number(20) + @pytest.mark.requires_backend_interface(interface=RSABackend) + @pytest.mark.requires_backend_interface(interface=X509Backend) + def test_aware_not_valid_after(self, backend): + time = datetime.datetime(2012, 1, 16, 22, 43) + tz = pytz.timezone("US/Pacific") + time = tz.localize(time) + utc_time = datetime.datetime(2012, 1, 17, 6, 43) + private_key = RSA_KEY_2048.private_key(backend) + cert_builder = x509.CertificateBuilder().not_valid_after(time) + cert_builder = cert_builder.subject_name( + x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')]) + ).issuer_name( + x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')]) + ).serial_number( + 1 + ).public_key( + private_key.public_key() + ).not_valid_before( + utc_time - datetime.timedelta(days=365) + ) + + cert = cert_builder.sign(private_key, hashes.SHA256(), backend) + assert cert.not_valid_after == utc_time + def test_invalid_not_valid_after(self): with pytest.raises(TypeError): x509.CertificateBuilder().not_valid_after(104204304504) @@ -1767,6 +1793,30 @@ class TestCertificateBuilder(object): datetime.datetime.now() ) + @pytest.mark.requires_backend_interface(interface=RSABackend) + @pytest.mark.requires_backend_interface(interface=X509Backend) + def test_aware_not_valid_before(self, backend): + time = datetime.datetime(2012, 1, 16, 22, 43) + tz = pytz.timezone("US/Pacific") + time = tz.localize(time) + utc_time = datetime.datetime(2012, 1, 17, 6, 43) + private_key = RSA_KEY_2048.private_key(backend) + cert_builder = x509.CertificateBuilder().not_valid_before(time) + cert_builder = cert_builder.subject_name( + x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')]) + ).issuer_name( + x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')]) + ).serial_number( + 1 + ).public_key( + private_key.public_key() + ).not_valid_after( + utc_time + datetime.timedelta(days=366) + ) + + cert = cert_builder.sign(private_key, hashes.SHA256(), backend) + assert cert.not_valid_before == utc_time + def test_invalid_not_valid_before(self): with pytest.raises(TypeError): x509.CertificateBuilder().not_valid_before(104204304504) diff --git a/tests/test_x509_crlbuilder.py b/tests/test_x509_crlbuilder.py index 96311ee6..0d29a3ea 100644 --- a/tests/test_x509_crlbuilder.py +++ b/tests/test_x509_crlbuilder.py @@ -8,6 +8,8 @@ import datetime import pytest +import pytz + from cryptography import x509 from cryptography.hazmat.backends.interfaces import ( DSABackend, EllipticCurveBackend, RSABackend, X509Backend @@ -36,6 +38,24 @@ class TestCertificateRevocationListBuilder(object): x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')]) ) + @pytest.mark.requires_backend_interface(interface=RSABackend) + @pytest.mark.requires_backend_interface(interface=X509Backend) + def test_aware_last_update(self, backend): + last_time = datetime.datetime(2012, 1, 16, 22, 43) + tz = pytz.timezone("US/Pacific") + last_time = tz.localize(last_time) + utc_last = datetime.datetime(2012, 1, 17, 6, 43) + next_time = datetime.datetime(2022, 1, 17, 6, 43) + private_key = RSA_KEY_2048.private_key(backend) + builder = x509.CertificateRevocationListBuilder().issuer_name( + x509.Name([ + x509.NameAttribute(NameOID.COMMON_NAME, u"cryptography.io CA") + ]) + ).last_update(last_time).next_update(next_time) + + crl = builder.sign(private_key, hashes.SHA256(), backend) + assert crl.last_update == utc_last + def test_last_update_invalid(self): builder = x509.CertificateRevocationListBuilder() with pytest.raises(TypeError): @@ -53,6 +73,24 @@ class TestCertificateRevocationListBuilder(object): with pytest.raises(ValueError): builder.last_update(datetime.datetime(2002, 1, 1, 12, 1)) + @pytest.mark.requires_backend_interface(interface=RSABackend) + @pytest.mark.requires_backend_interface(interface=X509Backend) + def test_aware_next_update(self, backend): + next_time = datetime.datetime(2022, 1, 16, 22, 43) + tz = pytz.timezone("US/Pacific") + next_time = tz.localize(next_time) + utc_next = datetime.datetime(2022, 1, 17, 6, 43) + last_time = datetime.datetime(2012, 1, 17, 6, 43) + private_key = RSA_KEY_2048.private_key(backend) + builder = x509.CertificateRevocationListBuilder().issuer_name( + x509.Name([ + x509.NameAttribute(NameOID.COMMON_NAME, u"cryptography.io CA") + ]) + ).last_update(last_time).next_update(next_time) + + crl = builder.sign(private_key, hashes.SHA256(), backend) + assert crl.next_update == utc_next + def test_next_update_invalid(self): builder = x509.CertificateRevocationListBuilder() with pytest.raises(TypeError): diff --git a/tests/test_x509_revokedcertbuilder.py b/tests/test_x509_revokedcertbuilder.py index bd64b600..e3a06509 100644 --- a/tests/test_x509_revokedcertbuilder.py +++ b/tests/test_x509_revokedcertbuilder.py @@ -8,6 +8,8 @@ import datetime import pytest +import pytz + from cryptography import x509 from cryptography.hazmat.backends.interfaces import X509Backend @@ -58,6 +60,22 @@ class TestRevokedCertificateBuilder(object): with pytest.raises(ValueError): builder.serial_number(4) + @pytest.mark.requires_backend_interface(interface=X509Backend) + def test_aware_revocation_date(self, backend): + time = datetime.datetime(2012, 1, 16, 22, 43) + tz = pytz.timezone("US/Pacific") + time = tz.localize(time) + utc_time = datetime.datetime(2012, 1, 17, 6, 43) + serial_number = 333 + builder = x509.RevokedCertificateBuilder().serial_number( + serial_number + ).revocation_date( + time + ) + + revoked_certificate = builder.build(backend) + assert revoked_certificate.revocation_date == utc_time + def test_revocation_date_invalid(self): with pytest.raises(TypeError): x509.RevokedCertificateBuilder().revocation_date("notadatetime") |