84 lines
3.2 KiB
Diff
84 lines
3.2 KiB
Diff
From fc18f7bed12f58100c3a5eef3dbae29c9a26f18a Mon Sep 17 00:00:00 2001
|
|
From: Jeff Tang <mrjefftang@users.noreply.github.com>
|
|
Date: Wed, 15 Apr 2015 17:42:33 -0400
|
|
Subject: [PATCH] OpenSSL 1.0.2 Compatibility
|
|
|
|
- Perform the time comparison in python to fix #192
|
|
- Add root cert has_expired test
|
|
- Self sign test cert to fix issue in #149
|
|
- Change test case to verify digest of a valid certficate
|
|
---
|
|
OpenSSL/crypto.py | 9 +++++----
|
|
OpenSSL/test/test_crypto.py | 15 +++++++++++++--
|
|
2 files changed, 18 insertions(+), 6 deletions(-)
|
|
|
|
diff --git a/OpenSSL/crypto.py b/OpenSSL/crypto.py
|
|
index c7bdabc..1b1058e 100644
|
|
--- a/OpenSSL/crypto.py
|
|
+++ b/OpenSSL/crypto.py
|
|
@@ -1,5 +1,6 @@
|
|
-from time import time
|
|
+from time import time, strptime
|
|
from base64 import b16encode
|
|
+from calendar import timegm
|
|
from functools import partial
|
|
from operator import __eq__, __ne__, __lt__, __le__, __gt__, __ge__
|
|
from warnings import warn as _warn
|
|
@@ -1161,10 +1162,10 @@ def has_expired(self):
|
|
:return: True if the certificate has expired, false otherwise
|
|
"""
|
|
now = int(time())
|
|
- notAfter = _lib.X509_get_notAfter(self._x509)
|
|
- return _lib.ASN1_UTCTIME_cmp_time_t(
|
|
- _ffi.cast('ASN1_UTCTIME*', notAfter), now) < 0
|
|
+ notAfter = self.get_notAfter().decode('utf-8')
|
|
+ notAfterSecs = timegm(strptime(notAfter, '%Y%m%d%H%M%SZ'))
|
|
|
|
+ return now > notAfterSecs
|
|
|
|
def _get_boundary_time(self, which):
|
|
return _get_asn1_time(which(self._x509))
|
|
diff --git a/OpenSSL/test/test_crypto.py b/OpenSSL/test/test_crypto.py
|
|
index 73e9cc7..b817451 100644
|
|
--- a/OpenSSL/test/test_crypto.py
|
|
+++ b/OpenSSL/test/test_crypto.py
|
|
@@ -1562,19 +1562,29 @@ def test_has_not_expired(self):
|
|
cert.gmtime_adj_notAfter(2)
|
|
self.assertFalse(cert.has_expired())
|
|
|
|
+ def test_root_has_not_expired(self):
|
|
+ """
|
|
+ :py:obj:`X509Type.has_expired` returns :py:obj:`False` if the certificate's not-after
|
|
+ time is in the future.
|
|
+ """
|
|
+ cert = load_certificate(FILETYPE_PEM, root_cert_pem)
|
|
+ self.assertFalse(cert.has_expired())
|
|
+
|
|
|
|
def test_digest(self):
|
|
"""
|
|
:py:obj:`X509.digest` returns a string giving ":"-separated hex-encoded words
|
|
of the digest of the certificate.
|
|
"""
|
|
- cert = X509()
|
|
+ cert = load_certificate(FILETYPE_PEM, root_cert_pem)
|
|
self.assertEqual(
|
|
# This is MD5 instead of GOOD_DIGEST because the digest algorithm
|
|
# actually matters to the assertion (ie, another arbitrary, good
|
|
# digest will not product the same digest).
|
|
+ # Digest verified with the command:
|
|
+ # openssl x509 -in root_cert.pem -noout -fingerprint -md5
|
|
cert.digest("MD5"),
|
|
- b("A8:EB:07:F8:53:25:0A:F2:56:05:C5:A5:C4:C4:C7:15"))
|
|
+ b("19:B3:05:26:2B:F8:F2:FF:0B:8F:21:07:A8:28:B8:75"))
|
|
|
|
|
|
def _extcert(self, pkey, extensions):
|
|
@@ -1587,6 +1597,7 @@ def _extcert(self, pkey, extensions):
|
|
cert.set_notAfter(when)
|
|
|
|
cert.add_extensions(extensions)
|
|
+ cert.sign(pkey, 'sha1')
|
|
return load_certificate(
|
|
FILETYPE_PEM, dump_certificate(FILETYPE_PEM, cert))
|
|
|