CertificateBuilder accepts aware datetimes for not_valid_after and not_valid_before (#2920)

* CertificateBuilder accepts aware datetimes for not_valid_after and not_valid_before
These functions now accept aware datetimes and convert them to UTC

* Added pytz to test requirements

* Correct pep8 error and improve Changelog wording

* Improve tests and clarify changelog message

* Trim Changelog line length

* Allow RevokedCertificateBuilder and CertificateRevocationListBuilder to accept aware datetimes

* Fix accidental changelog entry

3 files changed, 106 insertions, 0 deletions

diff --git a/tests/test_x509.py b/tests/test_x509.py
index 1ce8c611..b1d627c3 100644
--- a/tests/test_x509.py
+++ b/tests/test_x509.py
@@ -16,6 +16,8 @@ from pyasn1_modules import rfc2459
 
 import pytest
 
+import pytz
+
 import six
 
 from cryptography import utils, x509
@@ -1745,6 +1747,30 @@ class TestCertificateBuilder(object):
         with pytest.raises(ValueError):
             builder.serial_number(20)
 
+    @pytest.mark.requires_backend_interface(interface=RSABackend)
+    @pytest.mark.requires_backend_interface(interface=X509Backend)
+    def test_aware_not_valid_after(self, backend):
+        time = datetime.datetime(2012, 1, 16, 22, 43)
+        tz = pytz.timezone("US/Pacific")
+        time = tz.localize(time)
+        utc_time = datetime.datetime(2012, 1, 17, 6, 43)
+        private_key = RSA_KEY_2048.private_key(backend)
+        cert_builder = x509.CertificateBuilder().not_valid_after(time)
+        cert_builder = cert_builder.subject_name(
+            x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
+        ).issuer_name(
+            x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
+        ).serial_number(
+            1
+        ).public_key(
+            private_key.public_key()
+        ).not_valid_before(
+            utc_time - datetime.timedelta(days=365)
+        )
+
+        cert = cert_builder.sign(private_key, hashes.SHA256(), backend)
+        assert cert.not_valid_after == utc_time
+
     def test_invalid_not_valid_after(self):
         with pytest.raises(TypeError):
             x509.CertificateBuilder().not_valid_after(104204304504)
@@ -1767,6 +1793,30 @@ class TestCertificateBuilder(object):
                 datetime.datetime.now()
             )
 
+    @pytest.mark.requires_backend_interface(interface=RSABackend)
+    @pytest.mark.requires_backend_interface(interface=X509Backend)
+    def test_aware_not_valid_before(self, backend):
+        time = datetime.datetime(2012, 1, 16, 22, 43)
+        tz = pytz.timezone("US/Pacific")
+        time = tz.localize(time)
+        utc_time = datetime.datetime(2012, 1, 17, 6, 43)
+        private_key = RSA_KEY_2048.private_key(backend)
+        cert_builder = x509.CertificateBuilder().not_valid_before(time)
+        cert_builder = cert_builder.subject_name(
+            x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
+        ).issuer_name(
+            x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
+        ).serial_number(
+            1
+        ).public_key(
+            private_key.public_key()
+        ).not_valid_after(
+            utc_time + datetime.timedelta(days=366)
+        )
+
+        cert = cert_builder.sign(private_key, hashes.SHA256(), backend)
+        assert cert.not_valid_before == utc_time
+
     def test_invalid_not_valid_before(self):
         with pytest.raises(TypeError):
             x509.CertificateBuilder().not_valid_before(104204304504)
diff --git a/tests/test_x509_crlbuilder.py b/tests/test_x509_crlbuilder.py
index 96311ee6..0d29a3ea 100644
--- a/tests/test_x509_crlbuilder.py
+++ b/tests/test_x509_crlbuilder.py
@@ -8,6 +8,8 @@ import datetime
 
 import pytest
 
+import pytz
+
 from cryptography import x509
 from cryptography.hazmat.backends.interfaces import (
     DSABackend, EllipticCurveBackend, RSABackend, X509Backend
@@ -36,6 +38,24 @@ class TestCertificateRevocationListBuilder(object):
                 x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u'US')])
             )
 
+    @pytest.mark.requires_backend_interface(interface=RSABackend)
+    @pytest.mark.requires_backend_interface(interface=X509Backend)
+    def test_aware_last_update(self, backend):
+        last_time = datetime.datetime(2012, 1, 16, 22, 43)
+        tz = pytz.timezone("US/Pacific")
+        last_time = tz.localize(last_time)
+        utc_last = datetime.datetime(2012, 1, 17, 6, 43)
+        next_time = datetime.datetime(2022, 1, 17, 6, 43)
+        private_key = RSA_KEY_2048.private_key(backend)
+        builder = x509.CertificateRevocationListBuilder().issuer_name(
+            x509.Name([
+                x509.NameAttribute(NameOID.COMMON_NAME, u"cryptography.io CA")
+            ])
+        ).last_update(last_time).next_update(next_time)
+
+        crl = builder.sign(private_key, hashes.SHA256(), backend)
+        assert crl.last_update == utc_last
+
     def test_last_update_invalid(self):
         builder = x509.CertificateRevocationListBuilder()
         with pytest.raises(TypeError):
@@ -53,6 +73,24 @@ class TestCertificateRevocationListBuilder(object):
         with pytest.raises(ValueError):
             builder.last_update(datetime.datetime(2002, 1, 1, 12, 1))
 
+    @pytest.mark.requires_backend_interface(interface=RSABackend)
+    @pytest.mark.requires_backend_interface(interface=X509Backend)
+    def test_aware_next_update(self, backend):
+        next_time = datetime.datetime(2022, 1, 16, 22, 43)
+        tz = pytz.timezone("US/Pacific")
+        next_time = tz.localize(next_time)
+        utc_next = datetime.datetime(2022, 1, 17, 6, 43)
+        last_time = datetime.datetime(2012, 1, 17, 6, 43)
+        private_key = RSA_KEY_2048.private_key(backend)
+        builder = x509.CertificateRevocationListBuilder().issuer_name(
+            x509.Name([
+                x509.NameAttribute(NameOID.COMMON_NAME, u"cryptography.io CA")
+            ])
+        ).last_update(last_time).next_update(next_time)
+
+        crl = builder.sign(private_key, hashes.SHA256(), backend)
+        assert crl.next_update == utc_next
+
     def test_next_update_invalid(self):
         builder = x509.CertificateRevocationListBuilder()
         with pytest.raises(TypeError):
diff --git a/tests/test_x509_revokedcertbuilder.py b/tests/test_x509_revokedcertbuilder.py
index bd64b600..e3a06509 100644
--- a/tests/test_x509_revokedcertbuilder.py
+++ b/tests/test_x509_revokedcertbuilder.py
@@ -8,6 +8,8 @@ import datetime
 
 import pytest
 
+import pytz
+
 from cryptography import x509
 from cryptography.hazmat.backends.interfaces import X509Backend
 
@@ -58,6 +60,22 @@ class TestRevokedCertificateBuilder(object):
         with pytest.raises(ValueError):
             builder.serial_number(4)
 
+    @pytest.mark.requires_backend_interface(interface=X509Backend)
+    def test_aware_revocation_date(self, backend):
+        time = datetime.datetime(2012, 1, 16, 22, 43)
+        tz = pytz.timezone("US/Pacific")
+        time = tz.localize(time)
+        utc_time = datetime.datetime(2012, 1, 17, 6, 43)
+        serial_number = 333
+        builder = x509.RevokedCertificateBuilder().serial_number(
+            serial_number
+        ).revocation_date(
+            time
+        )
+
+        revoked_certificate = builder.build(backend)
+        assert revoked_certificate.revocation_date == utc_time
+
     def test_revocation_date_invalid(self):
         with pytest.raises(TypeError):
             x509.RevokedCertificateBuilder().revocation_date("notadatetime")