ipalib: fix the IPACertificate validity dates

The class IPACertificate builds objects from x509 Certificate objects and creates the not_valid_before and not_valid_after values by converting to a timestamp + applying timezone delta to UTC + reading from the timestamp. This results in applying twice the delta. Use a simpler method that replaces the timezone info with UTC in the datetime object. Fixes: https://pagure.io/freeipa/issue/9462 Signed-off-by: Florence Blanc-Renaud <[email protected]> Reviewed-By: Rob Crittenden <[email protected]>
progier389 · Oct 16, 2023 · b6af3a4 · b6af3a4
1 parent 6245457
commit b6af3a4
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 4 deletions.
diff --git a/ipalib/x509.py b/ipalib/x509.py
@@ -266,13 +266,11 @@ def issuer_bytes(self):
 
     @property
     def not_valid_before(self):
-        return datetime.datetime.fromtimestamp(
-            self._cert.not_valid_before.timestamp(), tz=datetime.timezone.utc)
+        return self._cert.not_valid_before.replace(tzinfo=datetime.timezone.utc)
 
     @property
     def not_valid_after(self):
-        return datetime.datetime.fromtimestamp(
-            self._cert.not_valid_after.timestamp(), tz=datetime.timezone.utc)
+        return self._cert.not_valid_after.replace(tzinfo=datetime.timezone.utc)
 
     @property
     def tbs_certificate_bytes(self):

diff --git a/ipatests/test_ipalib/test_x509.py b/ipatests/test_ipalib/test_x509.py
@@ -26,6 +26,7 @@
 from configparser import RawConfigParser
 import datetime
 from io import StringIO
+import os
 import pickle
 
 import pytest
@@ -253,6 +254,30 @@ def test_3_cert_contents(self):
             b'+\x06\x01\x05\x05\x07\x03\x01'
         )
 
+    def test_cert_with_timezone(self):
+        """
+        Test the not_before and not_after values in a diffent timezone
+
+        Test for https://pagure.io/freeipa/issue/9462
+        """
+        # Store initial timezone, then set to New York
+        tz = os.environ.get('TZ', None)
+        os.environ['TZ'] = 'America/New_York'
+        # Load the cert, extract not before and not after
+        cert = x509.load_pem_x509_certificate(goodcert_headers)
+        not_before = datetime.datetime(2010, 6, 25, 13, 0, 42, 0,
+                                       datetime.timezone.utc)
+        not_after = datetime.datetime(2015, 6, 25, 13, 0, 42, 0,
+                                      datetime.timezone.utc)
+        # Reset timezone to previous value
+        if tz:
+            os.environ['TZ'] = tz
+        else:
+            del os.environ['TZ']
+        # ensure the timezone doesn't mess with not_before and not_after
+        assert cert.not_valid_before == not_before
+        assert cert.not_valid_after == not_after
+
     def test_load_pkcs7_pem(self):
         certlist = x509.pkcs7_to_certs(good_pkcs7, datatype=x509.PEM)
         assert len(certlist) == 1