mirror of
https://github.com/ansible-collections/community.crypto.git
synced 2026-05-06 13:22:58 +00:00
Use timezone aware functionality when using cryptography >= 42.0.0 (#727)
* Use timezone aware functionality when using cryptography >= 42.0.0. * Adjust OpenSSH certificate code to avoid functions deprecated in Python 3.12. * Strip timezone info from isoformat() output. * InvalidityDate.invalidity_date currently has no _utc variant.
This commit is contained in:
Felix Fontein
GitHub
@@ -32,6 +32,8 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.support im
|
||||
|
||||
from ansible_collections.community.crypto.plugins.module_utils.crypto.cryptography_support import (
|
||||
cryptography_compare_public_keys,
|
||||
get_not_valid_after,
|
||||
get_not_valid_before,
|
||||
)
|
||||
|
||||
from ansible_collections.community.crypto.plugins.module_utils.crypto.module_backends.certificate_info import (
|
||||
@@ -251,12 +253,12 @@ class CertificateBackend(object):
|
||||
|
||||
# Check not before
|
||||
if not_before is not None and not self.ignore_timestamps:
|
||||
if self.existing_certificate.not_valid_before != not_before:
|
||||
if get_not_valid_before(self.existing_certificate) != not_before:
|
||||
return True
|
||||
|
||||
# Check not after
|
||||
if not_after is not None and not self.ignore_timestamps:
|
||||
if self.existing_certificate.not_valid_after != not_after:
|
||||
if get_not_valid_after(self.existing_certificate) != not_after:
|
||||
return True
|
||||
return False
|
||||
|
||||
|
||||
@@ -10,7 +10,6 @@ __metaclass__ = type
|
||||
|
||||
|
||||
import datetime
|
||||
import time
|
||||
import os
|
||||
|
||||
from ansible.module_utils.common.text.converters import to_native, to_bytes
|
||||
@@ -19,11 +18,14 @@ from ansible_collections.community.crypto.plugins.module_utils.ecs.api import EC
|
||||
|
||||
from ansible_collections.community.crypto.plugins.module_utils.crypto.support import (
|
||||
load_certificate,
|
||||
get_now_datetime,
|
||||
get_relative_time_option,
|
||||
)
|
||||
|
||||
from ansible_collections.community.crypto.plugins.module_utils.crypto.cryptography_support import (
|
||||
CRYPTOGRAPHY_TIMEZONE,
|
||||
cryptography_serial_number_of_cert,
|
||||
get_not_valid_after,
|
||||
)
|
||||
|
||||
from ansible_collections.community.crypto.plugins.module_utils.crypto.module_backends.certificate import (
|
||||
@@ -99,7 +101,7 @@ class EntrustCertificateBackend(CertificateBackend):
|
||||
# Handle expiration (30 days if not specified)
|
||||
expiry = self.notAfter
|
||||
if not expiry:
|
||||
gmt_now = datetime.datetime.fromtimestamp(time.mktime(time.gmtime()))
|
||||
gmt_now = get_now_datetime(with_timezone=CRYPTOGRAPHY_TIMEZONE)
|
||||
expiry = gmt_now + datetime.timedelta(days=365)
|
||||
|
||||
expiry_iso3339 = expiry.strftime("%Y-%m-%dT%H:%M:%S.00Z")
|
||||
@@ -154,7 +156,7 @@ class EntrustCertificateBackend(CertificateBackend):
|
||||
expiry = None
|
||||
if self.backend == 'cryptography':
|
||||
serial_number = "{0:X}".format(cryptography_serial_number_of_cert(self.existing_certificate))
|
||||
expiry = self.existing_certificate.not_valid_after
|
||||
expiry = get_not_valid_after(self.existing_certificate)
|
||||
|
||||
# get some information about the expiry of this certificate
|
||||
expiry_iso3339 = expiry.strftime("%Y-%m-%dT%H:%M:%S.00Z")
|
||||
|
||||
@@ -12,7 +12,6 @@ __metaclass__ = type
|
||||
|
||||
import abc
|
||||
import binascii
|
||||
import datetime
|
||||
import traceback
|
||||
|
||||
from ansible.module_utils import six
|
||||
@@ -24,13 +23,17 @@ from ansible_collections.community.crypto.plugins.module_utils.version import Lo
|
||||
from ansible_collections.community.crypto.plugins.module_utils.crypto.support import (
|
||||
load_certificate,
|
||||
get_fingerprint_of_bytes,
|
||||
get_now_datetime,
|
||||
)
|
||||
|
||||
from ansible_collections.community.crypto.plugins.module_utils.crypto.cryptography_support import (
|
||||
CRYPTOGRAPHY_TIMEZONE,
|
||||
cryptography_decode_name,
|
||||
cryptography_get_extensions_from_cert,
|
||||
cryptography_oid_to_name,
|
||||
cryptography_serial_number_of_cert,
|
||||
get_not_valid_after,
|
||||
get_not_valid_before,
|
||||
)
|
||||
|
||||
from ansible_collections.community.crypto.plugins.module_utils.crypto.module_backends.publickey_info import (
|
||||
@@ -169,7 +172,7 @@ class CertificateInfoRetrieval(object):
|
||||
not_after = self.get_not_after()
|
||||
result['not_before'] = not_before.strftime(TIMESTAMP_FORMAT)
|
||||
result['not_after'] = not_after.strftime(TIMESTAMP_FORMAT)
|
||||
result['expired'] = not_after < datetime.datetime.utcnow()
|
||||
result['expired'] = not_after < get_now_datetime(with_timezone=CRYPTOGRAPHY_TIMEZONE)
|
||||
|
||||
result['public_key'] = to_native(self._get_public_key_pem())
|
||||
|
||||
@@ -322,10 +325,10 @@ class CertificateInfoRetrievalCryptography(CertificateInfoRetrieval):
|
||||
return None, False
|
||||
|
||||
def get_not_before(self):
|
||||
return self.cert.not_valid_before
|
||||
return get_not_valid_before(self.cert)
|
||||
|
||||
def get_not_after(self):
|
||||
return self.cert.not_valid_after
|
||||
return get_not_valid_after(self.cert)
|
||||
|
||||
def _get_public_key_pem(self):
|
||||
return self.cert.public_key().public_bytes(
|
||||
|
||||
@@ -31,6 +31,10 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.cryptograp
|
||||
cryptography_key_needs_digest_for_signing,
|
||||
cryptography_serial_number_of_cert,
|
||||
cryptography_verify_certificate_signature,
|
||||
get_not_valid_after,
|
||||
get_not_valid_before,
|
||||
set_not_valid_after,
|
||||
set_not_valid_before,
|
||||
)
|
||||
|
||||
from ansible_collections.community.crypto.plugins.module_utils.crypto.module_backends.certificate import (
|
||||
@@ -120,8 +124,8 @@ class OwnCACertificateBackendCryptography(CertificateBackend):
|
||||
cert_builder = cert_builder.subject_name(self.csr.subject)
|
||||
cert_builder = cert_builder.issuer_name(self.ca_cert.subject)
|
||||
cert_builder = cert_builder.serial_number(self.serial_number)
|
||||
cert_builder = cert_builder.not_valid_before(self.notBefore)
|
||||
cert_builder = cert_builder.not_valid_after(self.notAfter)
|
||||
cert_builder = set_not_valid_before(cert_builder, self.notBefore)
|
||||
cert_builder = set_not_valid_after(cert_builder, self.notAfter)
|
||||
cert_builder = cert_builder.public_key(self.csr.public_key())
|
||||
has_ski = False
|
||||
for extension in self.csr.extensions:
|
||||
@@ -220,8 +224,8 @@ class OwnCACertificateBackendCryptography(CertificateBackend):
|
||||
if self.cert is None:
|
||||
self.cert = self.existing_certificate
|
||||
result.update({
|
||||
'notBefore': self.cert.not_valid_before.strftime("%Y%m%d%H%M%SZ"),
|
||||
'notAfter': self.cert.not_valid_after.strftime("%Y%m%d%H%M%SZ"),
|
||||
'notBefore': get_not_valid_before(self.cert).strftime("%Y%m%d%H%M%SZ"),
|
||||
'notAfter': get_not_valid_after(self.cert).strftime("%Y%m%d%H%M%SZ"),
|
||||
'serial_number': cryptography_serial_number_of_cert(self.cert),
|
||||
})
|
||||
|
||||
|
||||
@@ -22,6 +22,10 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.cryptograp
|
||||
cryptography_key_needs_digest_for_signing,
|
||||
cryptography_serial_number_of_cert,
|
||||
cryptography_verify_certificate_signature,
|
||||
get_not_valid_after,
|
||||
get_not_valid_before,
|
||||
set_not_valid_after,
|
||||
set_not_valid_before,
|
||||
)
|
||||
|
||||
from ansible_collections.community.crypto.plugins.module_utils.crypto.module_backends.certificate import (
|
||||
@@ -95,8 +99,8 @@ class SelfSignedCertificateBackendCryptography(CertificateBackend):
|
||||
cert_builder = cert_builder.subject_name(self.csr.subject)
|
||||
cert_builder = cert_builder.issuer_name(self.csr.subject)
|
||||
cert_builder = cert_builder.serial_number(self.serial_number)
|
||||
cert_builder = cert_builder.not_valid_before(self.notBefore)
|
||||
cert_builder = cert_builder.not_valid_after(self.notAfter)
|
||||
cert_builder = set_not_valid_before(cert_builder, self.notBefore)
|
||||
cert_builder = set_not_valid_after(cert_builder, self.notAfter)
|
||||
cert_builder = cert_builder.public_key(self.privatekey.public_key())
|
||||
has_ski = False
|
||||
for extension in self.csr.extensions:
|
||||
@@ -154,8 +158,8 @@ class SelfSignedCertificateBackendCryptography(CertificateBackend):
|
||||
if self.cert is None:
|
||||
self.cert = self.existing_certificate
|
||||
result.update({
|
||||
'notBefore': self.cert.not_valid_before.strftime("%Y%m%d%H%M%SZ"),
|
||||
'notAfter': self.cert.not_valid_after.strftime("%Y%m%d%H%M%SZ"),
|
||||
'notBefore': get_not_valid_before(self.cert).strftime("%Y%m%d%H%M%SZ"),
|
||||
'notAfter': get_not_valid_after(self.cert).strftime("%Y%m%d%H%M%SZ"),
|
||||
'serial_number': cryptography_serial_number_of_cert(self.cert),
|
||||
})
|
||||
|
||||
|
||||
Reference in New Issue
Block a user