From e15e60a587efcddd61e391a8e5917291c98d554e Mon Sep 17 00:00:00 2001
From: Thomas Sileo <tsileo@users.noreply.github.com>
Date: Tue, 22 Nov 2016 18:13:30 +0100
Subject: Add the ability to set a custom verification time on X509Store (#567)

---
 CHANGELOG.rst         |  3 ++-
 setup.py              |  2 +-
 src/OpenSSL/crypto.py | 22 ++++++++++++++++++++++
 tests/test_crypto.py  | 21 +++++++++++++++++++++
 tox.ini               |  2 +-
 5 files changed, 47 insertions(+), 3 deletions(-)

diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index efc008b..19cebf1 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -23,7 +23,8 @@ Deprecations:
 Changes:
 ^^^^^^^^
 
-*none*
+- Added ``OpenSSL.X509Store.set_time()`` to set a custom verification time when verifying certificate chains.
+  `#567 <https://github.com/pyca/pyopenssl/pull/567>`_
 
 
 ----
diff --git a/setup.py b/setup.py
index d4c27ad..4cdf59e 100755
--- a/setup.py
+++ b/setup.py
@@ -95,7 +95,7 @@ if __name__ == "__main__":
         package_dir={"": "src"},
         install_requires=[
             # Fix cryptographyMinimum in tox.ini when changing this!
-            "cryptography>=1.3.4",
+            "cryptography>=1.6",
             "six>=1.5.2"
         ],
     )
diff --git a/src/OpenSSL/crypto.py b/src/OpenSSL/crypto.py
index 79440d7..3c8b26b 100644
--- a/src/OpenSSL/crypto.py
+++ b/src/OpenSSL/crypto.py
@@ -1520,6 +1520,28 @@ class X509Store(object):
         """
         _openssl_assert(_lib.X509_STORE_set_flags(self._store, flags) != 0)
 
+    def set_time(self, vfy_time):
+        """
+        Set the time against which the certificates are verified.
+
+        Normally the current time is used.
+
+        .. note::
+
+          For example, you can determine if a certificate was valid at a given
+          time.
+
+        .. versionadded:: 16.3.0
+
+        :param datetime vfy_time: The verification time to set on this store.
+        :return: ``None`` if the verification time was successfully set.
+        """
+        param = _lib.X509_VERIFY_PARAM_new()
+        param = _ffi.gc(param, _lib.X509_VERIFY_PARAM_free)
+
+        _lib.X509_VERIFY_PARAM_set_time(param, int(vfy_time.strftime('%s')))
+        _openssl_assert(_lib.X509_STORE_set1_param(self._store, param) != 0)
+
 
 X509StoreType = X509Store
 
diff --git a/tests/test_crypto.py b/tests/test_crypto.py
index e75e3ad..e4cf496 100644
--- a/tests/test_crypto.py
+++ b/tests/test_crypto.py
@@ -3728,6 +3728,27 @@ class X509StoreContextTests(TestCase):
         store_ctx.set_store(store_good)
         self.assertEqual(store_ctx.verify_certificate(), None)
 
+    def test_verify_with_time(self):
+        """
+        `verify_certificate` raises error when the verification time is
+        set at notAfter.
+        """
+        store = X509Store()
+        store.add_cert(self.root_cert)
+        store.add_cert(self.intermediate_cert)
+
+        expire_time = self.intermediate_server_cert.get_notAfter()
+        expire_datetime = datetime.strptime(
+            expire_time.decode('utf-8'), '%Y%m%d%H%M%SZ'
+        )
+        store.set_time(expire_datetime)
+
+        store_ctx = X509StoreContext(store, self.intermediate_server_cert)
+        with pytest.raises(X509StoreContextError) as exc:
+            store_ctx.verify_certificate()
+
+        assert exc.value.args[0][2] == 'certificate has expired'
+
 
 class SignVerifyTests(TestCase):
     """
diff --git a/tox.ini b/tox.ini
index 964b88c..f323bb0 100644
--- a/tox.ini
+++ b/tox.ini
@@ -9,7 +9,7 @@ deps =
     coverage>=4.2
     pytest>=3.0.1
     cryptographyMaster: git+https://github.com/pyca/cryptography.git
-    cryptographyMinimum: cryptography<1.4
+    cryptographyMinimum: cryptography<1.7
 setenv =
     # Do not allow the executing environment to pollute the test environment
     # with extra packages.
-- 
cgit v1.2.1