diff options
| author | Paul Kehrer <paul.l.kehrer@gmail.com> | 2019-01-21 22:36:25 -0600 |
|---|---|---|
| committer | Alex Gaynor <alex.gaynor@gmail.com> | 2019-01-21 23:36:25 -0500 |
| commit | 767fa8511caade795457b23ea9d3d85af1ed12bb (patch) | |
| tree | 917394e703ca72b35c82b2c9b06e1db22c0363a5 /src/cryptography/hazmat/backends/openssl/backend.py | |
| parent | 5b3e735253d4cc1c7f51dedc11c9ca5eeb6f451f (diff) | |
| download | cryptography-767fa8511caade795457b23ea9d3d85af1ed12bb.tar.gz cryptography-767fa8511caade795457b23ea9d3d85af1ed12bb.tar.bz2 cryptography-767fa8511caade795457b23ea9d3d85af1ed12bb.zip | |
allow 32-bit platforms to encode certs with dates > unix epoch (#4727)
Previously we used unix timestamps, but now we are switching to using
ASN1_TIME_set_string and automatically formatting the string based on
the year. The rule is as follows:
Per RFC 5280 (section 4.1.2.5.), the valid input time
strings should be encoded with the following rules:
1. UTC: YYMMDDHHMMSSZ, if YY < 50 (20YY) --> UTC: YYMMDDHHMMSSZ
2. UTC: YYMMDDHHMMSSZ, if YY >= 50 (19YY) --> UTC: YYMMDDHHMMSSZ
3. G'd: YYYYMMDDHHMMSSZ, if YYYY >= 2050 --> G'd: YYYYMMDDHHMMSSZ
4. G'd: YYYYMMDDHHMMSSZ, if YYYY < 2050 --> UTC: YYMMDDHHMMSSZ
Notably, Dates < 1950 are not valid UTCTime. At the moment we still
reject dates < Jan 1, 1970 in all cases but a followup PR can fix
that.
Diffstat (limited to 'src/cryptography/hazmat/backends/openssl/backend.py')
| -rw-r--r-- | src/cryptography/hazmat/backends/openssl/backend.py | 21 |
1 files changed, 6 insertions, 15 deletions
diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index 1d1e0446..0a9bc53a 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -5,7 +5,6 @@ from __future__ import absolute_import, division, print_function import base64 -import calendar import collections import contextlib import itertools @@ -854,20 +853,12 @@ class Backend(object): return _Certificate(self, x509_cert) def _set_asn1_time(self, asn1_time, time): - timestamp = calendar.timegm(time.timetuple()) - res = self._lib.ASN1_TIME_set(asn1_time, timestamp) - if res == self._ffi.NULL: - errors = self._consume_errors() - self.openssl_assert( - errors[0]._lib_reason_match( - self._lib.ERR_LIB_ASN1, - self._lib.ASN1_R_ERROR_GETTING_TIME - ) - ) - raise ValueError( - "Invalid time. This error can occur if you set a time too far " - "in the future on Windows." - ) + if time.year >= 2050: + asn1_str = time.strftime('%Y%m%d%H%M%SZ').encode('ascii') + else: + asn1_str = time.strftime('%y%m%d%H%M%SZ').encode('ascii') + res = self._lib.ASN1_TIME_set_string(asn1_time, asn1_str) + self.openssl_assert(res == 1) def _create_asn1_time(self, time): asn1_time = self._lib.ASN1_TIME_new() |