Skip to content

verification: add test_verify_tz_aware #10229

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 4 commits into from
Jan 22, 2024
Merged

verification: add test_verify_tz_aware #10229

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
7951efe
verification: add test_verify_tz_aware
woodruffw Jan 22, 2024
4a81f0e
py_to_datetime handles tzinfo, add test
woodruffw Jan 22, 2024
9c79913
Update src/rust/src/x509/common.rs
woodruffw Jan 22, 2024
c69e9b0
x509/common: coverage for the coverage god
woodruffw Jan 22, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
21 changes: 15 additions & 6 deletions src/rust/src/x509/common.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -503,13 +503,22 @@ pub(crate) fn py_to_datetime(
py: pyo3::Python<'_>,
val: &pyo3::PyAny,
) -> pyo3::PyResult<asn1::DateTime> {
// We treat naive datetimes as UTC times, while aware datetimes get
// normalized to UTC before conversion.
let val_utc = if val.getattr(pyo3::intern!(py, "tzinfo"))?.is_none() {
val
} else {
let utc = types::DATETIME_TIMEZONE_UTC.get(py)?;
val.call_method1(pyo3::intern!(py, "astimezone"), (utc,))?
};

Ok(asn1::DateTime::new(
val.getattr(pyo3::intern!(py, "year"))?.extract()?,
val.getattr(pyo3::intern!(py, "month"))?.extract()?,
val.getattr(pyo3::intern!(py, "day"))?.extract()?,
val.getattr(pyo3::intern!(py, "hour"))?.extract()?,
val.getattr(pyo3::intern!(py, "minute"))?.extract()?,
val.getattr(pyo3::intern!(py, "second"))?.extract()?,
val_utc.getattr(pyo3::intern!(py, "year"))?.extract()?,
val_utc.getattr(pyo3::intern!(py, "month"))?.extract()?,
val_utc.getattr(pyo3::intern!(py, "day"))?.extract()?,
val_utc.getattr(pyo3::intern!(py, "hour"))?.extract()?,
val_utc.getattr(pyo3::intern!(py, "minute"))?.extract()?,
val_utc.getattr(pyo3::intern!(py, "second"))?.extract()?,
)
.unwrap())
}
Expand Down
35 changes: 35 additions & 0 deletions tests/x509/verification/test_verification.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -103,3 +103,38 @@ def test_store_rejects_empty_list(self):
def test_store_rejects_non_certificates(self):
with pytest.raises(TypeError):
Store(["not a cert"]) # type: ignore[list-item]


class TestServerVerifier:
@pytest.mark.parametrize(
("validation_time", "valid"),
[
# 03:15:02 UTC+2, or 1 second before expiry in UTC
("2018-11-16T03:15:02+02:00", True),
# 00:15:04 UTC-1, or 1 second after expiry in UTC
("2018-11-16T00:15:04-01:00", False),
],
)
def test_verify_tz_aware(self, validation_time, valid):
# expires 2018-11-16 01:15:03 UTC
leaf = _load_cert(
os.path.join("x509", "cryptography.io.pem"),
x509.load_pem_x509_certificate,
)

store = Store([leaf])

builder = PolicyBuilder().store(store)
builder = builder.time(
datetime.datetime.fromisoformat(validation_time)
)
verifier = builder.build_server_verifier(DNSName("cryptography.io"))

if valid:
assert verifier.verify(leaf, []) == [leaf]
else:
with pytest.raises(
x509.verification.VerificationError,
match="cert is not valid at validation time",
):
verifier.verify(leaf, [])