diff options
| -rw-r--r-- | CHANGELOG.rst | 3 | ||||
| -rwxr-xr-x | setup.py | 2 | ||||
| -rw-r--r-- | src/OpenSSL/crypto.py | 22 | ||||
| -rw-r--r-- | tests/test_crypto.py | 21 | ||||
| -rw-r--r-- | tox.ini | 2 |
5 files changed, 47 insertions, 3 deletions
diff --git a/CHANGELOG.rst b/CHANGELOG.rst index efc008b..19cebf1 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -23,7 +23,8 @@ Deprecations: Changes: ^^^^^^^^ -*none* +- Added ``OpenSSL.X509Store.set_time()`` to set a custom verification time when verifying certificate chains. + `#567 <https://github.com/pyca/pyopenssl/pull/567>`_ ---- @@ -95,7 +95,7 @@ if __name__ == "__main__": package_dir={"": "src"}, install_requires=[ # Fix cryptographyMinimum in tox.ini when changing this! - "cryptography>=1.3.4", + "cryptography>=1.6", "six>=1.5.2" ], ) diff --git a/src/OpenSSL/crypto.py b/src/OpenSSL/crypto.py index 79440d7..3c8b26b 100644 --- a/src/OpenSSL/crypto.py +++ b/src/OpenSSL/crypto.py @@ -1520,6 +1520,28 @@ class X509Store(object): """ _openssl_assert(_lib.X509_STORE_set_flags(self._store, flags) != 0) + def set_time(self, vfy_time): + """ + Set the time against which the certificates are verified. + + Normally the current time is used. + + .. note:: + + For example, you can determine if a certificate was valid at a given + time. + + .. versionadded:: 16.3.0 + + :param datetime vfy_time: The verification time to set on this store. + :return: ``None`` if the verification time was successfully set. + """ + param = _lib.X509_VERIFY_PARAM_new() + param = _ffi.gc(param, _lib.X509_VERIFY_PARAM_free) + + _lib.X509_VERIFY_PARAM_set_time(param, int(vfy_time.strftime('%s'))) + _openssl_assert(_lib.X509_STORE_set1_param(self._store, param) != 0) + X509StoreType = X509Store diff --git a/tests/test_crypto.py b/tests/test_crypto.py index e75e3ad..e4cf496 100644 --- a/tests/test_crypto.py +++ b/tests/test_crypto.py @@ -3728,6 +3728,27 @@ class X509StoreContextTests(TestCase): store_ctx.set_store(store_good) self.assertEqual(store_ctx.verify_certificate(), None) + def test_verify_with_time(self): + """ + `verify_certificate` raises error when the verification time is + set at notAfter. + """ + store = X509Store() + store.add_cert(self.root_cert) + store.add_cert(self.intermediate_cert) + + expire_time = self.intermediate_server_cert.get_notAfter() + expire_datetime = datetime.strptime( + expire_time.decode('utf-8'), '%Y%m%d%H%M%SZ' + ) + store.set_time(expire_datetime) + + store_ctx = X509StoreContext(store, self.intermediate_server_cert) + with pytest.raises(X509StoreContextError) as exc: + store_ctx.verify_certificate() + + assert exc.value.args[0][2] == 'certificate has expired' + class SignVerifyTests(TestCase): """ @@ -9,7 +9,7 @@ deps = coverage>=4.2 pytest>=3.0.1 cryptographyMaster: git+https://github.com/pyca/cryptography.git - cryptographyMinimum: cryptography<1.4 + cryptographyMinimum: cryptography<1.7 setenv = # Do not allow the executing environment to pollute the test environment # with extra packages. |