Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow setting of cert's notBefore attribute #628

Merged
merged 1 commit into from
Oct 3, 2023
Merged

Allow setting of cert's notBefore attribute #628

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 10 additions & 1 deletion src/trustme/__init__.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,8 @@
# ~3001-01-19:
# https://github.com/pyca/cryptography/issues/3194
DEFAULT_EXPIRY = datetime.datetime(3000, 1, 1)
DEFAULT_NOT_BEFORE = datetime.datetime(2000, 1, 1)


def _name(name: str, organization_name: Optional[str] = None, common_name: Optional[str] = None) -> x509.Name:
name_pieces = [
Expand Down Expand Up @@ -64,14 +66,16 @@ def _cert_builder_common(
issuer: x509.Name,
public_key: CERTIFICATE_PUBLIC_KEY_TYPES,
not_after: Optional[datetime.datetime] = None,
not_before: Optional[datetime.datetime] = None,
) -> x509.CertificateBuilder:
not_after = not_after if not_after else DEFAULT_EXPIRY
not_before = not_before if not_before else DEFAULT_NOT_BEFORE
return (
x509.CertificateBuilder()
.subject_name(subject)
.issuer_name(issuer)
.public_key(public_key)
.not_valid_before(datetime.datetime(2000, 1, 1))
.not_valid_before(not_before)
.not_valid_after(not_after)
.serial_number(x509.random_serial_number())
.add_extension(
Expand Down Expand Up @@ -311,6 +315,7 @@ def issue_cert(
common_name: Optional[str] = None,
organization_name: Optional[str] = None,
organization_unit_name: Optional[str] = None,
not_before: Optional[datetime.datetime] = None,
not_after: Optional[datetime.datetime] = None,
key_type: KeyType = KeyType.ECDSA,
) -> "LeafCert":
Expand Down Expand Up @@ -351,6 +356,9 @@ def issue_cert(
attribute on the certificate. By default, a random one will be
generated.

not_before: Set the validity start date (notBefore) of the certificate.
This argument type is `datetime.datetime`.

not_after: Set the expiry date (notAfter) of the certificate. This
argument type is `datetime.datetime`.

Expand Down Expand Up @@ -380,6 +388,7 @@ def issue_cert(
),
self._certificate.subject,
key.public_key(),
not_before=not_before,
not_after=not_after,
)
.add_extension(
Expand Down
17 changes: 17 additions & 0 deletions tests/test_trustme.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -171,6 +171,23 @@ def test_issue_cert_custom_not_after() -> None:
assert getattr(cert.not_valid_after, t) == getattr(expires, t)


def test_issue_cert_custom_not_before() -> None:
not_before = datetime.datetime(2027, 7, 5, 17, 15, 30)
ca = CA()

leaf_cert = ca.issue_cert(
"example.org",
organization_name="python-trio",
organization_unit_name="trustme",
not_before=not_before,
)

cert = x509.load_pem_x509_certificate(leaf_cert.cert_chain_pems[0].bytes())

for t in ["year", "month", "day", "hour", "minute", "second"]:
assert getattr(cert.not_valid_before, t) == getattr(not_before, t)


def test_intermediate() -> None:
ca = CA()
ca_cert = x509.load_pem_x509_certificate(ca.cert_pem.bytes())
Expand Down