cbef046169
- timezone shift in handling certificates (due to py3.12 adaptation) - 'reason' vs 'Reason' in PKI revocation JSON API response - allow removal of minlength attribute from a custom password policy Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
89 lines
3.2 KiB
Diff
89 lines
3.2 KiB
Diff
From d9ad56155e76f97ad9326d5c1bcc6e19eea3a0da Mon Sep 17 00:00:00 2001
|
|
From: Florence Blanc-Renaud <flo@redhat.com>
|
|
Date: Mon, 9 Oct 2023 13:54:17 +0200
|
|
Subject: [PATCH] ipalib: fix the IPACertificate validity dates
|
|
|
|
The class IPACertificate builds objects from x509 Certificate
|
|
objects and creates the not_valid_before and not_valid_after values
|
|
by converting to a timestamp + applying timezone delta to UTC + reading
|
|
from the timestamp. This results in applying twice the delta.
|
|
|
|
Use a simpler method that replaces the timezone info with UTC in the
|
|
datetime object.
|
|
|
|
Fixes: https://pagure.io/freeipa/issue/9462
|
|
|
|
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
|
|
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
|
---
|
|
ipalib/x509.py | 6 ++----
|
|
ipatests/test_ipalib/test_x509.py | 25 +++++++++++++++++++++++++
|
|
2 files changed, 27 insertions(+), 4 deletions(-)
|
|
|
|
diff --git a/ipalib/x509.py b/ipalib/x509.py
|
|
index 7396688ae..769d48007 100644
|
|
--- a/ipalib/x509.py
|
|
+++ b/ipalib/x509.py
|
|
@@ -266,13 +266,11 @@ class IPACertificate(crypto_x509.Certificate):
|
|
|
|
@property
|
|
def not_valid_before(self):
|
|
- return datetime.datetime.fromtimestamp(
|
|
- self._cert.not_valid_before.timestamp(), tz=datetime.timezone.utc)
|
|
+ return self._cert.not_valid_before.replace(tzinfo=datetime.timezone.utc)
|
|
|
|
@property
|
|
def not_valid_after(self):
|
|
- return datetime.datetime.fromtimestamp(
|
|
- self._cert.not_valid_after.timestamp(), tz=datetime.timezone.utc)
|
|
+ return self._cert.not_valid_after.replace(tzinfo=datetime.timezone.utc)
|
|
|
|
@property
|
|
def tbs_certificate_bytes(self):
|
|
diff --git a/ipatests/test_ipalib/test_x509.py b/ipatests/test_ipalib/test_x509.py
|
|
index c25e8a0b5..74287c84a 100644
|
|
--- a/ipatests/test_ipalib/test_x509.py
|
|
+++ b/ipatests/test_ipalib/test_x509.py
|
|
@@ -26,6 +26,7 @@ from binascii import hexlify
|
|
from configparser import RawConfigParser
|
|
import datetime
|
|
from io import StringIO
|
|
+import os
|
|
import pickle
|
|
|
|
import pytest
|
|
@@ -253,6 +254,30 @@ class test_x509:
|
|
b'+\x06\x01\x05\x05\x07\x03\x01'
|
|
)
|
|
|
|
+ def test_cert_with_timezone(self):
|
|
+ """
|
|
+ Test the not_before and not_after values in a diffent timezone
|
|
+
|
|
+ Test for https://pagure.io/freeipa/issue/9462
|
|
+ """
|
|
+ # Store initial timezone, then set to New York
|
|
+ tz = os.environ.get('TZ', None)
|
|
+ os.environ['TZ'] = 'America/New_York'
|
|
+ # Load the cert, extract not before and not after
|
|
+ cert = x509.load_pem_x509_certificate(goodcert_headers)
|
|
+ not_before = datetime.datetime(2010, 6, 25, 13, 0, 42, 0,
|
|
+ datetime.timezone.utc)
|
|
+ not_after = datetime.datetime(2015, 6, 25, 13, 0, 42, 0,
|
|
+ datetime.timezone.utc)
|
|
+ # Reset timezone to previous value
|
|
+ if tz:
|
|
+ os.environ['TZ'] = tz
|
|
+ else:
|
|
+ del os.environ['TZ']
|
|
+ # ensure the timezone doesn't mess with not_before and not_after
|
|
+ assert cert.not_valid_before == not_before
|
|
+ assert cert.not_valid_after == not_after
|
|
+
|
|
def test_load_pkcs7_pem(self):
|
|
certlist = x509.pkcs7_to_certs(good_pkcs7, datatype=x509.PEM)
|
|
assert len(certlist) == 1
|
|
--
|
|
2.41.0
|
|
|