diff options
| author | InvalidInterrupt <InvalidInterrupt@users.noreply.github.com> | 2016-08-16 19:39:31 -0700 | 
|---|---|---|
| committer | Alex Gaynor <alex.gaynor@gmail.com> | 2016-08-16 22:39:31 -0400 | 
| commit | 8e66ca6813016d9fc6f57d5f1e50530fc39f78ae (patch) | |
| tree | 630a57899cf44a6c98f7928c065da04f16504267 /src | |
| parent | dcbd220ee6b4e23f292897e1d6b1e26004ecfd64 (diff) | |
| download | cryptography-8e66ca6813016d9fc6f57d5f1e50530fc39f78ae.tar.gz cryptography-8e66ca6813016d9fc6f57d5f1e50530fc39f78ae.tar.bz2 cryptography-8e66ca6813016d9fc6f57d5f1e50530fc39f78ae.zip | |
CertificateBuilder accepts aware datetimes for not_valid_after and not_valid_before (#2920)
* CertificateBuilder accepts aware datetimes for not_valid_after and not_valid_before
These functions now accept aware datetimes and convert them to UTC
* Added pytz to test requirements
* Correct pep8 error and improve Changelog wording
* Improve tests and clarify changelog message
* Trim Changelog line length
* Allow RevokedCertificateBuilder and CertificateRevocationListBuilder to accept aware datetimes
* Fix accidental changelog entry
Diffstat (limited to 'src')
| -rw-r--r-- | src/cryptography/x509/base.py | 19 | 
1 files changed, 19 insertions, 0 deletions
| diff --git a/src/cryptography/x509/base.py b/src/cryptography/x509/base.py index 5c4e3aad..156bc493 100644 --- a/src/cryptography/x509/base.py +++ b/src/cryptography/x509/base.py @@ -19,6 +19,20 @@ from cryptography.x509.name import Name  _UNIX_EPOCH = datetime.datetime(1970, 1, 1) +def _convert_to_naive_utc_time(time): +    """Normalizes a datetime to a naive datetime in UTC. + +    time -- datetime to normalize. Assumed to be in UTC if not timezone +            aware. +    """ +    if time.tzinfo is not None: +        offset = time.utcoffset() +        offset = offset if offset else datetime.timedelta() +        return time.replace(tzinfo=None) - offset +    else: +        return time + +  class Version(Enum):      v1 = 0      v3 = 2 @@ -447,6 +461,7 @@ class CertificateBuilder(object):              raise TypeError('Expecting datetime object.')          if self._not_valid_before is not None:              raise ValueError('The not valid before may only be set once.') +        time = _convert_to_naive_utc_time(time)          if time <= _UNIX_EPOCH:              raise ValueError('The not valid before date must be after the unix'                               ' epoch (1970 January 1).') @@ -469,6 +484,7 @@ class CertificateBuilder(object):              raise TypeError('Expecting datetime object.')          if self._not_valid_after is not None:              raise ValueError('The not valid after may only be set once.') +        time = _convert_to_naive_utc_time(time)          if time <= _UNIX_EPOCH:              raise ValueError('The not valid after date must be after the unix'                               ' epoch (1970 January 1).') @@ -553,6 +569,7 @@ class CertificateRevocationListBuilder(object):              raise TypeError('Expecting datetime object.')          if self._last_update is not None:              raise ValueError('Last update may only be set once.') +        last_update = _convert_to_naive_utc_time(last_update)          if last_update <= _UNIX_EPOCH:              raise ValueError('The last update date must be after the unix'                               ' epoch (1970 January 1).') @@ -570,6 +587,7 @@ class CertificateRevocationListBuilder(object):              raise TypeError('Expecting datetime object.')          if self._next_update is not None:              raise ValueError('Last update may only be set once.') +        next_update = _convert_to_naive_utc_time(next_update)          if next_update <= _UNIX_EPOCH:              raise ValueError('The last update date must be after the unix'                               ' epoch (1970 January 1).') @@ -655,6 +673,7 @@ class RevokedCertificateBuilder(object):              raise TypeError('Expecting datetime object.')          if self._revocation_date is not None:              raise ValueError('The revocation date may only be set once.') +        time = _convert_to_naive_utc_time(time)          if time <= _UNIX_EPOCH:              raise ValueError('The revocation date must be after the unix'                               ' epoch (1970 January 1).') | 
