From f328b31b65994393618ebc88057efd871b3a848b Mon Sep 17 00:00:00 2001
From: Paul Kehrer <paul.l.kehrer@gmail.com>
Date: Sun, 13 Dec 2015 21:34:03 -0700
Subject: require not_valid_after >= not_valid_before

---
 src/cryptography/x509/base.py | 11 +++++++++++
 1 file changed, 11 insertions(+)

(limited to 'src')

diff --git a/src/cryptography/x509/base.py b/src/cryptography/x509/base.py
index c56ca5ee..49761046 100644
--- a/src/cryptography/x509/base.py
+++ b/src/cryptography/x509/base.py
@@ -436,6 +436,11 @@ class CertificateBuilder(object):
         if time <= _UNIX_EPOCH:
             raise ValueError('The not valid before date must be after the unix'
                              ' epoch (1970 January 1).')
+        if self._not_valid_after is not None and time > self._not_valid_after:
+            raise ValueError(
+                'The not valid before date must be before the not valid after '
+                'date.'
+            )
         return CertificateBuilder(
             self._issuer_name, self._subject_name,
             self._public_key, self._serial_number, time,
@@ -453,6 +458,12 @@ class CertificateBuilder(object):
         if time <= _UNIX_EPOCH:
             raise ValueError('The not valid after date must be after the unix'
                              ' epoch (1970 January 1).')
+        if (self._not_valid_before is not None and
+                time < self._not_valid_before):
+            raise ValueError(
+                'The not valid after date must be after the not valid before '
+                'date.'
+            )
         return CertificateBuilder(
             self._issuer_name, self._subject_name,
             self._public_key, self._serial_number, self._not_valid_before,
-- 
cgit v1.2.3