ipalib: fix the IPACertificate validity dates

The class IPACertificate builds objects from x509 Certificate objects and creates the not_valid_before and not_valid_after values by converting to a timestamp + applying timezone delta to UTC + reading from the timestamp. This results in applying twice the delta. Use a simpler method that replaces the timezone info with UTC in the datetime object. Fixes: https://pagure.io/freeipa/issue/9462 Signed-off-by: Florence Blanc-Renaud <flo@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2025-02-25 18:55:28 -06:00 · 2023-10-09 13:54:17 +02:00 · 2023-10-09 13:54:17 +02:00 · b6af3a43c7
commit b6af3a43c7
parent 62454574a1
2 changed files with 27 additions and 4 deletions
--- a/ipalib/x509.py
+++ b/ipalib/x509.py
@ -266,13 +266,11 @@ class IPACertificate(crypto_x509.Certificate):

    @property
    def not_valid_before(self):
-        return datetime.datetime.fromtimestamp(
-            self._cert.not_valid_before.timestamp(), tz=datetime.timezone.utc)
+        return self._cert.not_valid_before.replace(tzinfo=datetime.timezone.utc)

    @property
    def not_valid_after(self):
-        return datetime.datetime.fromtimestamp(
-            self._cert.not_valid_after.timestamp(), tz=datetime.timezone.utc)
+        return self._cert.not_valid_after.replace(tzinfo=datetime.timezone.utc)

    @property
    def tbs_certificate_bytes(self):
--- a/ipatests/test_ipalib/test_x509.py
+++ b/ipatests/test_ipalib/test_x509.py
@ -26,6 +26,7 @@ from binascii import hexlify
 from configparser import RawConfigParser
 import datetime
 from io import StringIO
+import os
 import pickle

 import pytest
@ -253,6 +254,30 @@ class test_x509:
            b'+\x06\x01\x05\x05\x07\x03\x01'
        )

+    def test_cert_with_timezone(self):
+        """
+        Test the not_before and not_after values in a diffent timezone
+
+        Test for https://pagure.io/freeipa/issue/9462
+        """
+        # Store initial timezone, then set to New York
+        tz = os.environ.get('TZ', None)
+        os.environ['TZ'] = 'America/New_York'
+        # Load the cert, extract not before and not after
+        cert = x509.load_pem_x509_certificate(goodcert_headers)
+        not_before = datetime.datetime(2010, 6, 25, 13, 0, 42, 0,
+                                       datetime.timezone.utc)
+        not_after = datetime.datetime(2015, 6, 25, 13, 0, 42, 0,
+                                      datetime.timezone.utc)
+        # Reset timezone to previous value
+        if tz:
+            os.environ['TZ'] = tz
+        else:
+            del os.environ['TZ']
+        # ensure the timezone doesn't mess with not_before and not_after
+        assert cert.not_valid_before == not_before
+        assert cert.not_valid_after == not_after
+
    def test_load_pkcs7_pem(self):
        certlist = x509.pkcs7_to_certs(good_pkcs7, datatype=x509.PEM)
        assert len(certlist) == 1