From 4784cf2dac3b6a10f4747423ee8c7f912804feb2 Mon Sep 17 00:00:00 2001
From: Ilya Lipnitskiy
Date: Mon, 13 Dec 2021 13:13:52 -0800
Subject: mozilla/certdata2pem.py: use UTC time when checking cert validity

x509.not_valid_after returns naive UTC datetime and so does datetime.utcnow(), so keep the time consistent when performing the comparison.

Fixes: 8033d5225917 ("mozilla/certdata2pem.py: print a warning for expired certificates.")
Signed-off-by: Ilya Lipnitskiy
Signed-off-by: Julien Cristau
---
 mozilla/certdata2pem.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mozilla/certdata2pem.py b/mozilla/certdata2pem.py
index ede23d4..3bd24f3 100644
--- a/mozilla/certdata2pem.py
+++ b/mozilla/certdata2pem.py
@@ -123,7 +123,7 @@ for obj in objects:
 continue
 cert = x509.load_der_x509_certificate(obj['CKA_VALUE'])
- if cert.not_valid_after < datetime.datetime.now():
+ if cert.not_valid_after < datetime.datetime.utcnow():
 print('!'*74)
 print('Trusted but expired certificate found: %s' % obj['CKA_LABEL'])
 print('!'*74)
--
cgit v1.2.1
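Review bot: The expiry check on the changed `if` line still compares two naive datetimes, so it is only correct while both sides happen to be UTC; the same silent mismatch this commit fixes (misjudging a trusted root's expiry by up to the local UTC offset) would return unnoticed if either side changed. Making both operands timezone-aware turns such a mismatch into a TypeError instead of a wrong answer: `if cert.not_valid_after.replace(tzinfo=datetime.timezone.utc) < datetime.datetime.now(datetime.timezone.utc):`. This also avoids `datetime.utcnow()`, which is deprecated as of Python 3.12. If the line stays as it is, a comment such as `# not_valid_after is naive UTC, so compare against naive UTC now` would record the assumption. The `for obj in objects:` loop starts and ends outside the hunk, so whether an expired certificate is still written to the bundle after the warning is not visible here.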