author | Paul Kehrer <paul.l.kehrer@gmail.com> | 2015-12-13 21:34:03 -0700 |
---|---|---|
committer | Paul Kehrer <paul.l.kehrer@gmail.com> | 2015-12-13 21:35:34 -0700 |
commit | f328b31b65994393618ebc88057efd871b3a848b (patch) | |
tree | 371358d9f142088fbab8f4614a20ea9f32fb21fb | |
parent | 06042de08fb9ff549b9c9cb7244e7f27ff57eece (diff) | |
require not_valid_after >= not_valid_before
-rw-r--r-- | src/cryptography/x509/base.py | 11 | ||||
-rw-r--r-- | tests/test_x509.py | 22 |
2 files changed, 33 insertions, 0 deletions
diff --git a/src/cryptography/x509/base.py b/src/cryptography/x509/base.py index c56ca5ee..49761046 100644 --- a/src/cryptography/x509/base.py +++ b/src/cryptography/x509/base.py @@ -436,6 +436,11 @@ class CertificateBuilder(object): if time <= _UNIX_EPOCH: raise ValueError('The not valid before date must be after the unix' ' epoch (1970 January 1).') + if self._not_valid_after is not None and time > self._not_valid_after: + raise ValueError( + 'The not valid before date must be before the not valid after ' + 'date.' + ) return CertificateBuilder( self._issuer_name, self._subject_name, self._public_key, self._serial_number, time, @@ -453,6 +458,12 @@ class CertificateBuilder(object): if time <= _UNIX_EPOCH: raise ValueError('The not valid after date must be after the unix' ' epoch (1970 January 1).') + if (self._not_valid_before is not None and + time < self._not_valid_before): + raise ValueError( + 'The not valid after date must be after the not valid before ' + 'date.' + ) return CertificateBuilder( self._issuer_name, self._subject_name, self._public_key, self._serial_number, self._not_valid_before, diff --git a/tests/test_x509.py b/tests/test_x509.py index 0a1870d5..86f771b3 100644 --- a/tests/test_x509.py +++ b/tests/test_x509.py 
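Review bot: The error text added in not_valid_before says the date "must be before the not valid after date", but the condition `time > self._not_valid_after` accepts equal timestamps, which is what the commit title asks for (not_valid_after >= not_valid_before). The second hunk has the same mismatch in not_valid_after, where `time < self._not_valid_before` is paired with "must be after". Wording such as `'The not valid before date must not be later than the not valid after date.'` and its mirror image would match the check. A short comment above each check, for example `# Equality is allowed; only an inverted validity window is rejected.`, would record that the boundary is deliberate. Both methods begin and end outside their hunks, so this is based only on the visible lines.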
@@ -1437,6 +1437,28 @@ class TestCertificateBuilder(object): with pytest.raises(ValueError): builder.subject_name(name) + def test_not_valid_before_after_not_valid_after(self): + builder = x509.CertificateBuilder() + + builder = builder.not_valid_after( + datetime.datetime(2002, 1, 1, 12, 1) + ) + with pytest.raises(ValueError): + builder.not_valid_before( + datetime.datetime(2003, 1, 1, 12, 1) + ) + + def test_not_valid_after_before_not_valid_before(self): + builder = x509.CertificateBuilder() + + builder = builder.not_valid_before( + datetime.datetime(2002, 1, 1, 12, 1) + ) + with pytest.raises(ValueError): + builder.not_valid_after( + datetime.datetime(2001, 1, 1, 12, 1) + ) + @pytest.mark.requires_backend_interface(interface=RSABackend) @pytest.mark.requires_backend_interface(interface=X509Backend) def test_public_key_must_be_public_key(self, backend): |
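Review bot: Neither new test covers the boundary the commit title allows, where not_valid_before and not_valid_after are equal. Both tests use dates a year apart, so a later change from `>` to `>=` (or `<` to `<=`) in the builder would still pass. A third test that sets both fields to the same datetime and expects no exception would pin the intended behaviour, for example `x509.CertificateBuilder().not_valid_before(dt).not_valid_after(dt)` outside any `pytest.raises` block. A one-line docstring on each test naming the order being exercised would also help, since the two test names are easy to confuse.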