Use timezone aware functionality when using cryptography >= 42.0.0 (#727)

* Use timezone aware functionality when using cryptography >= 42.0.0. * Adjust OpenSSH certificate code to avoid functions deprecated in Python 3.12. * Strip timezone info from isoformat() output. * InvalidityDate.invalidity_date currently has no _utc variant.
2026-05-06 13:22:58 +00:00 · 2024-04-18 07:49:53 +02:00
parent 1b75f1aa9c
commit ae548de502
15 changed files with 215 additions and 64 deletions
--- a/plugins/module_utils/openssh/certificate.py
+++ b/plugins/module_utils/openssh/certificate.py
@@ -22,7 +22,9 @@ __metaclass__ = type

 import abc
 import binascii
+import datetime as _datetime
 import os
+import sys
 from base64 import b64encode
 from datetime import datetime
 from hashlib import sha256
@@ -61,8 +63,17 @@ _ECDSA_CURVE_IDENTIFIERS_LOOKUP = {
    b'nistp521': 'ecdsa-nistp521',
 }

-_ALWAYS = datetime(1970, 1, 1)
-_FOREVER = datetime.max
+_USE_TIMEZONE = sys.version_info >= (3, 6)
+
+
+def _ensure_utc_timezone_if_use_timezone(value):
+    if not _USE_TIMEZONE or value.tzinfo is not None:
+        return value
+    return value.astimezone(_datetime.timezone.utc)
+
+
+_ALWAYS = _ensure_utc_timezone_if_use_timezone(datetime(1970, 1, 1))
+_FOREVER = datetime(9999, 12, 31, 23, 59, 59, 999999, _datetime.timezone.utc) if _USE_TIMEZONE else datetime.max

 _CRITICAL_OPTIONS = (
    'force-command',
@@ -136,7 +147,7 @@ class OpensshCertificateTimeParameters(object):
            elif dt == _FOREVER:
                result = 'forever'
            else:
-                result = dt.isoformat() if date_format == 'human_readable' else dt.strftime("%Y%m%d%H%M%S")
+                result = dt.isoformat().replace('+00:00', '') if date_format == 'human_readable' else dt.strftime("%Y%m%d%H%M%S")
        elif date_format == 'timestamp':
            td = dt - _ALWAYS
            result = int((td.microseconds + (td.seconds + td.days * 24 * 3600) * 10 ** 6) / 10 ** 6)
@@ -167,7 +178,10 @@ class OpensshCertificateTimeParameters(object):
            result = _FOREVER
        else:
            try:
-                result = datetime.utcfromtimestamp(timestamp)
+                if _USE_TIMEZONE:
+                    result = datetime.fromtimestamp(timestamp, tz=_datetime.timezone.utc)
+                else:
+                    result = datetime.utcfromtimestamp(timestamp)
            except OverflowError as e:
                raise ValueError
        return result
@@ -180,11 +194,11 @@ class OpensshCertificateTimeParameters(object):
        elif time_string == 'forever':
            result = _FOREVER
        elif is_relative_time_string(time_string):
-            result = convert_relative_to_datetime(time_string)
+            result = convert_relative_to_datetime(time_string, with_timezone=_USE_TIMEZONE)
        else:
            for time_format in ("%Y-%m-%d", "%Y-%m-%d %H:%M:%S", "%Y-%m-%dT%H:%M:%S"):
                try:
-                    result = datetime.strptime(time_string, time_format)
+                    result = _ensure_utc_timezone_if_use_timezone(datetime.strptime(time_string, time_format))
                except ValueError:
                    pass
            if result is None: