From 8e66ca6813016d9fc6f57d5f1e50530fc39f78ae Mon Sep 17 00:00:00 2001
From: InvalidInterrupt
Date: Tue, 16 Aug 2016 19:39:31 -0700
Subject: CertificateBuilder accepts aware datetimes for not_valid_after and not_valid_before (#2920)

* CertificateBuilder accepts aware datetimes for not_valid_after and not_valid_before

These functions now accept aware datetimes and convert them to UTC

* Added pytz to test requirements

* Correct pep8 error and improve Changelog wording

* Improve tests and clarify changelog message

* Trim Changelog line length

* Allow RevokedCertificateBuilder and CertificateRevocationListBuilder to accept aware datetimes

* Fix accidental changelog entry
---
 src/cryptography/x509/base.py | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

(limited to 'src')

diff --git a/src/cryptography/x509/base.py b/src/cryptography/x509/base.py
index 5c4e3aad..156bc493 100644
--- a/src/cryptography/x509/base.py
+++ b/src/cryptography/x509/base.py
@@ -19,6 +19,20 @@ from cryptography.x509.name import Name
 _UNIX_EPOCH = datetime.datetime(1970, 1, 1)
+def _convert_to_naive_utc_time(time):
+    """Normalizes a datetime to a naive datetime in UTC.
+
+    time -- datetime to normalize. Assumed to be in UTC if not timezone
+        aware.
+    """
+    if time.tzinfo is not None:
+        offset = time.utcoffset()
+        offset = offset if offset else datetime.timedelta()
+        return time.replace(tzinfo=None) - offset
+    else:
+        return time
+
+
 class Version(Enum):
     v1 = 0
     v3 = 2
@@ -447,6 +461,7 @@ class CertificateBuilder(object):
             raise TypeError('Expecting datetime object.')
         if self._not_valid_before is not None:
             raise ValueError('The not valid before may only be set once.')
+        time = _convert_to_naive_utc_time(time)
         if time <= _UNIX_EPOCH:
             raise ValueError('The not valid before date must be after the unix'
                              ' epoch (1970 January 1).')
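Review bot: `_convert_to_naive_utc_time` treats an aware datetime whose `utcoffset()` returns `None` as already being UTC (via the `offset if offset else datetime.timedelta()` fallback), but the docstring only describes the naive case; add to the docstring `Aware datetimes whose tzinfo reports no offset are treated as UTC; the returned value is always naive.` The fallback reads more plainly as `offset = offset or datetime.timedelta()`, which is equivalent since a zero timedelta is falsy. A test with a tzinfo that returns `None` from `utcoffset()`, and one with a non-zero offset asserting the shifted naive result, would pin this contract.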
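Review bot: The added `time = _convert_to_naive_utc_time(time)` has no comment saying why it must sit before the `_UNIX_EPOCH` comparison: `_UNIX_EPOCH` is a naive datetime, so comparing an aware value against it would raise TypeError, and storing the naive-UTC value is presumably what keeps the encoded validity period from being shifted by the input's zone offset (the encoding happens outside this hunk). Add above it `# Normalize to naive UTC first: _UNIX_EPOCH is naive, and comparing an aware datetime against it raises TypeError.` The same comment belongs on the identical lines in the hunks at @@ -469, @@ -553, @@ -570 and @@ -655. The enclosing setter's `def` line is outside the hunk.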
@@ -469,6 +484,7 @@ class CertificateBuilder(object):
             raise TypeError('Expecting datetime object.')
         if self._not_valid_after is not None:
             raise ValueError('The not valid after may only be set once.')
+        time = _convert_to_naive_utc_time(time)
         if time <= _UNIX_EPOCH:
             raise ValueError('The not valid after date must be after the unix'
                              ' epoch (1970 January 1).')
@@ -553,6 +569,7 @@ class CertificateRevocationListBuilder(object):
             raise TypeError('Expecting datetime object.')
         if self._last_update is not None:
             raise ValueError('Last update may only be set once.')
+        last_update = _convert_to_naive_utc_time(last_update)
         if last_update <= _UNIX_EPOCH:
             raise ValueError('The last update date must be after the unix'
                              ' epoch (1970 January 1).')
@@ -570,6 +587,7 @@ class CertificateRevocationListBuilder(object):
             raise TypeError('Expecting datetime object.')
         if self._next_update is not None:
             raise ValueError('Last update may only be set once.')
+        next_update = _convert_to_naive_utc_time(next_update)
         if next_update <= _UNIX_EPOCH:
             raise ValueError('The last update date must be after the unix'
                              ' epoch (1970 January 1).')
@@ -655,6 +673,7 @@ class RevokedCertificateBuilder(object):
             raise TypeError('Expecting datetime object.')
         if self._revocation_date is not None:
             raise ValueError('The revocation date may only be set once.')
+        time = _convert_to_naive_utc_time(time)
         if time <= _UNIX_EPOCH:
             raise ValueError('The revocation date must be after the unix'
                              ' epoch (1970 January 1).')
-- 
cgit v1.2.3
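Review bot: In the @@ -570 hunk the next-update setter still reports its errors as being about the last update: `raise ValueError('Last update may only be set once.')` and `'The last update date must be after the unix'` sit in the context lines directly around the added `next_update = _convert_to_naive_utc_time(next_update)`. Since this commit already touches the setter, correct them to `raise ValueError('Next update may only be set once.')` and `raise ValueError('The next update date must be after the unix'`, and adjust any test that matches on the old wording. The enclosing method's `def` line is outside the hunk.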