From fc18f7bed12f58100c3a5eef3dbae29c9a26f18a Mon Sep 17 00:00:00 2001 From: Jeff Tang Date: Wed, 15 Apr 2015 17:42:33 -0400 Subject: [PATCH] OpenSSL 1.0.2 Compatibility - Perform the time comparison in python to fix #192 - Add root cert has_expired test - Self sign test cert to fix issue in #149 - Change test case to verify digest of a valid certficate --- OpenSSL/crypto.py | 9 +++++---- OpenSSL/test/test_crypto.py | 15 +++++++++++++-- 2 files changed, 18 insertions(+), 6 deletions(-) diff --git a/OpenSSL/crypto.py b/OpenSSL/crypto.py index c7bdabc..1b1058e 100644 --- a/OpenSSL/crypto.py +++ b/OpenSSL/crypto.py @@ -1,5 +1,6 @@ -from time import time +from time import time, strptime from base64 import b16encode +from calendar import timegm from functools import partial from operator import __eq__, __ne__, __lt__, __le__, __gt__, __ge__ from warnings import warn as _warn @@ -1161,10 +1162,10 @@ def has_expired(self): :return: True if the certificate has expired, false otherwise """ now = int(time()) - notAfter = _lib.X509_get_notAfter(self._x509) - return _lib.ASN1_UTCTIME_cmp_time_t( - _ffi.cast('ASN1_UTCTIME*', notAfter), now) < 0 + notAfter = self.get_notAfter().decode('utf-8') + notAfterSecs = timegm(strptime(notAfter, '%Y%m%d%H%M%SZ')) + return now > notAfterSecs def _get_boundary_time(self, which): return _get_asn1_time(which(self._x509)) diff --git a/OpenSSL/test/test_crypto.py b/OpenSSL/test/test_crypto.py index 73e9cc7..b817451 100644 --- a/OpenSSL/test/test_crypto.py +++ b/OpenSSL/test/test_crypto.py @@ -1562,19 +1562,29 @@ def test_has_not_expired(self): cert.gmtime_adj_notAfter(2) self.assertFalse(cert.has_expired()) + def test_root_has_not_expired(self): + """ + :py:obj:`X509Type.has_expired` returns :py:obj:`False` if the certificate's not-after + time is in the future. + """ + cert = load_certificate(FILETYPE_PEM, root_cert_pem) + self.assertFalse(cert.has_expired()) + def test_digest(self): """ :py:obj:`X509.digest` returns a string giving ":"-separated hex-encoded words of the digest of the certificate. """ - cert = X509() + cert = load_certificate(FILETYPE_PEM, root_cert_pem) self.assertEqual( # This is MD5 instead of GOOD_DIGEST because the digest algorithm # actually matters to the assertion (ie, another arbitrary, good # digest will not product the same digest). + # Digest verified with the command: + # openssl x509 -in root_cert.pem -noout -fingerprint -md5 cert.digest("MD5"), - b("A8:EB:07:F8:53:25:0A:F2:56:05:C5:A5:C4:C4:C7:15")) + b("19:B3:05:26:2B:F8:F2:FF:0B:8F:21:07:A8:28:B8:75")) def _extcert(self, pkey, extensions): @@ -1587,6 +1597,7 @@ def _extcert(self, pkey, extensions): cert.set_notAfter(when) cert.add_extensions(extensions) + cert.sign(pkey, 'sha1') return load_certificate( FILETYPE_PEM, dump_certificate(FILETYPE_PEM, cert))