From d9ad56155e76f97ad9326d5c1bcc6e19eea3a0da Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Mon, 9 Oct 2023 13:54:17 +0200
Subject: [PATCH] ipalib: fix the IPACertificate validity dates

The class IPACertificate builds objects from x509 Certificate
objects and creates the not_valid_before and not_valid_after values
by converting to a timestamp + applying timezone delta to UTC + reading
from the timestamp. This results in applying twice the delta.

Use a simpler method that replaces the timezone info with UTC in the
datetime object.

Fixes: https://pagure.io/freeipa/issue/9462

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
 ipalib/x509.py                    |  6 ++----
 ipatests/test_ipalib/test_x509.py | 25 +++++++++++++++++++++++++
 2 files changed, 27 insertions(+), 4 deletions(-)

diff --git a/ipalib/x509.py b/ipalib/x509.py
index 7396688ae60cff76069c7325bab69441babfb8a7..769d480077e0d167646424627f252c336336f531 100644
--- a/ipalib/x509.py
+++ b/ipalib/x509.py
@@ -266,13 +266,11 @@ class IPACertificate(crypto_x509.Certificate):
 
     @property
     def not_valid_before(self):
-        return datetime.datetime.fromtimestamp(
-            self._cert.not_valid_before.timestamp(), tz=datetime.timezone.utc)
+        return self._cert.not_valid_before.replace(tzinfo=datetime.timezone.utc)
 
     @property
     def not_valid_after(self):
-        return datetime.datetime.fromtimestamp(
-            self._cert.not_valid_after.timestamp(), tz=datetime.timezone.utc)
+        return self._cert.not_valid_after.replace(tzinfo=datetime.timezone.utc)
 
     @property
     def tbs_certificate_bytes(self):
diff --git a/ipatests/test_ipalib/test_x509.py b/ipatests/test_ipalib/test_x509.py
index c25e8a0b5b6b918e50b155890fe20cfdd4d747c4..74287c84a581a800fa1c2700ad749fcacbc9d249 100644
--- a/ipatests/test_ipalib/test_x509.py
+++ b/ipatests/test_ipalib/test_x509.py
@@ -26,6 +26,7 @@ from binascii import hexlify
 from configparser import RawConfigParser
 import datetime
 from io import StringIO
+import os
 import pickle
 
 import pytest
@@ -253,6 +254,30 @@ class test_x509:
             b'+\x06\x01\x05\x05\x07\x03\x01'
         )
 
+    def test_cert_with_timezone(self):
+        """
+        Test the not_before and not_after values in a diffent timezone
+
+        Test for https://pagure.io/freeipa/issue/9462
+        """
+        # Store initial timezone, then set to New York
+        tz = os.environ.get('TZ', None)
+        os.environ['TZ'] = 'America/New_York'
+        # Load the cert, extract not before and not after
+        cert = x509.load_pem_x509_certificate(goodcert_headers)
+        not_before = datetime.datetime(2010, 6, 25, 13, 0, 42, 0,
+                                       datetime.timezone.utc)
+        not_after = datetime.datetime(2015, 6, 25, 13, 0, 42, 0,
+                                      datetime.timezone.utc)
+        # Reset timezone to previous value
+        if tz:
+            os.environ['TZ'] = tz
+        else:
+            del os.environ['TZ']
+        # ensure the timezone doesn't mess with not_before and not_after
+        assert cert.not_valid_before == not_before
+        assert cert.not_valid_after == not_after
+
     def test_load_pkcs7_pem(self):
         certlist = x509.pkcs7_to_certs(good_pkcs7, datatype=x509.PEM)
         assert len(certlist) == 1
-- 
2.41.0