From ae548de502f87431044ea1d421613f48c4c69d0c Mon Sep 17 00:00:00 2001 From: Felix Fontein Date: Thu, 18 Apr 2024 07:49:53 +0200 Subject: [PATCH] Use timezone aware functionality when using cryptography >= 42.0.0 (#727) * Use timezone aware functionality when using cryptography >= 42.0.0. * Adjust OpenSSH certificate code to avoid functions deprecated in Python 3.12. * Strip timezone info from isoformat() output. * InvalidityDate.invalidity_date currently has no _utc variant. --- changelogs/fragments/727-cryptography-utc.yml | 4 ++ .../module_utils/acme/backend_cryptography.py | 11 +++-- .../module_utils/crypto/cryptography_crl.py | 45 ++++++++++++++++++- .../crypto/cryptography_support.py | 27 +++++++++++ .../crypto/module_backends/certificate.py | 6 ++- .../module_backends/certificate_entrust.py | 8 ++-- .../module_backends/certificate_info.py | 11 +++-- .../module_backends/certificate_ownca.py | 12 +++-- .../module_backends/certificate_selfsigned.py | 12 +++-- plugins/module_utils/crypto/support.py | 29 +++++++++--- plugins/module_utils/openssh/certificate.py | 26 ++++++++--- plugins/modules/acme_challenge_cert_helper.py | 37 +++++++++------ plugins/modules/get_certificate.py | 14 ++++-- plugins/modules/x509_certificate_info.py | 6 ++- plugins/modules/x509_crl.py | 31 ++++++++----- 15 files changed, 215 insertions(+), 64 deletions(-) create mode 100644 changelogs/fragments/727-cryptography-utc.yml diff --git a/changelogs/fragments/727-cryptography-utc.yml b/changelogs/fragments/727-cryptography-utc.yml new file mode 100644 index 00000000..787d8447 --- /dev/null +++ b/changelogs/fragments/727-cryptography-utc.yml @@ -0,0 +1,4 @@ +minor_changes: + - "When using cryptography >= 42.0.0, use offset-aware ``datetime.datetime`` objects (with timezone UTC) instead of offset-naive UTC timestamps + (https://github.com/ansible-collections/community.crypto/issues/726, https://github.com/ansible-collections/community.crypto/pull/727)." + - "openssh_cert - avoid UTC functions deprecated in Python 3.12 when using Python 3 (https://github.com/ansible-collections/community.crypto/pull/727)." diff --git a/plugins/module_utils/acme/backend_cryptography.py b/plugins/module_utils/acme/backend_cryptography.py index 5513b78a..0722c1f9 100644 --- a/plugins/module_utils/acme/backend_cryptography.py +++ b/plugins/module_utils/acme/backend_cryptography.py @@ -11,7 +11,6 @@ __metaclass__ = type import base64 import binascii -import datetime import os import traceback @@ -42,11 +41,15 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.math impor ) from ansible_collections.community.crypto.plugins.module_utils.crypto.support import ( + get_now_datetime, + ensure_utc_timezone, parse_name_field, ) from ansible_collections.community.crypto.plugins.module_utils.crypto.cryptography_support import ( + CRYPTOGRAPHY_TIMEZONE, cryptography_name_to_oid, + get_not_valid_after, ) from ansible_collections.community.crypto.plugins.module_utils.crypto.pem import ( @@ -373,8 +376,10 @@ class CryptographyBackend(CryptoBackend): raise BackendException('Cannot parse certificate {0}: {1}'.format(cert_filename, e)) if now is None: - now = datetime.datetime.now() - return (cert.not_valid_after - now).days + now = get_now_datetime(with_timezone=CRYPTOGRAPHY_TIMEZONE) + elif CRYPTOGRAPHY_TIMEZONE: + now = ensure_utc_timezone(now) + return (get_not_valid_after(cert) - now).days def create_chain_matcher(self, criterium): ''' diff --git a/plugins/module_utils/crypto/cryptography_crl.py b/plugins/module_utils/crypto/cryptography_crl.py index 62499e08..8ef0d65d 100644 --- a/plugins/module_utils/crypto/cryptography_crl.py +++ b/plugins/module_utils/crypto/cryptography_crl.py @@ -19,6 +19,7 @@ from .basic import ( ) from .cryptography_support import ( + CRYPTOGRAPHY_TIMEZONE, cryptography_decode_name, ) @@ -27,6 +28,11 @@ from ._obj2txt import ( ) +# TODO: once cryptography has a _utc variant of InvalidityDate.invalidity_date, set this +# to True and adjust get_invalidity_date() accordingly. +# (https://github.com/pyca/cryptography/issues/10818) +CRYPTOGRAPHY_TIMEZONE_INVALIDITY_DATE = False + TIMESTAMP_FORMAT = "%Y%m%d%H%M%SZ" @@ -55,7 +61,7 @@ else: def cryptography_decode_revoked_certificate(cert): result = { 'serial_number': cert.serial_number, - 'revocation_date': cert.revocation_date, + 'revocation_date': get_revocation_date(cert), 'issuer': None, 'issuer_critical': False, 'reason': None, @@ -77,7 +83,7 @@ def cryptography_decode_revoked_certificate(cert): pass try: ext = cert.extensions.get_extension_for_class(x509.InvalidityDate) - result['invalidity_date'] = ext.value.invalidity_date + result['invalidity_date'] = get_invalidity_date(ext.value) result['invalidity_date_critical'] = ext.critical except x509.ExtensionNotFound: pass @@ -112,3 +118,38 @@ def cryptography_get_signature_algorithm_oid_from_crl(crl): crl._x509_crl.sig_alg.algorithm ) return x509.oid.ObjectIdentifier(dotted) + + +def get_next_update(obj): + if CRYPTOGRAPHY_TIMEZONE: + return obj.next_update_utc + return obj.next_update + + +def get_last_update(obj): + if CRYPTOGRAPHY_TIMEZONE: + return obj.last_update_utc + return obj.last_update + + +def get_revocation_date(obj): + if CRYPTOGRAPHY_TIMEZONE: + return obj.revocation_date_utc + return obj.revocation_date + + +def get_invalidity_date(obj): + # TODO: special handling if CRYPTOGRAPHY_TIMEZONE_INVALIDITY_DATE is True + return obj.invalidity_date + + +def set_next_update(builder, value): + return builder.next_update(value) + + +def set_last_update(builder, value): + return builder.last_update(value) + + +def set_revocation_date(builder, value): + return builder.revocation_date(value) diff --git a/plugins/module_utils/crypto/cryptography_support.py b/plugins/module_utils/crypto/cryptography_support.py index b767d341..3d07b35b 100644 --- a/plugins/module_utils/crypto/cryptography_support.py +++ b/plugins/module_utils/crypto/cryptography_support.py @@ -29,7 +29,9 @@ try: from cryptography.hazmat.primitives import serialization from cryptography.hazmat.primitives.asymmetric import padding import ipaddress + _HAS_CRYPTOGRAPHY = True except ImportError: + _HAS_CRYPTOGRAPHY = False # Error handled in the calling module. pass @@ -106,6 +108,11 @@ from ._objects import ( from ._obj2txt import obj2txt +CRYPTOGRAPHY_TIMEZONE = False +if _HAS_CRYPTOGRAPHY: + CRYPTOGRAPHY_TIMEZONE = LooseVersion(cryptography.__version__) >= LooseVersion('42.0.0') + + DOTTED_OID = re.compile(r'^\d+(?:\.\d+)+$') @@ -807,3 +814,23 @@ def cryptography_verify_certificate_signature(certificate, signer_public_key): certificate.signature_hash_algorithm, signer_public_key ) + + +def get_not_valid_after(obj): + if CRYPTOGRAPHY_TIMEZONE: + return obj.not_valid_after_utc + return obj.not_valid_after + + +def get_not_valid_before(obj): + if CRYPTOGRAPHY_TIMEZONE: + return obj.not_valid_before_utc + return obj.not_valid_before + + +def set_not_valid_after(builder, value): + return builder.not_valid_after(value) + + +def set_not_valid_before(builder, value): + return builder.not_valid_before(value) diff --git a/plugins/module_utils/crypto/module_backends/certificate.py b/plugins/module_utils/crypto/module_backends/certificate.py index 7a56d7e9..7bc93d93 100644 --- a/plugins/module_utils/crypto/module_backends/certificate.py +++ b/plugins/module_utils/crypto/module_backends/certificate.py @@ -32,6 +32,8 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.support im from ansible_collections.community.crypto.plugins.module_utils.crypto.cryptography_support import ( cryptography_compare_public_keys, + get_not_valid_after, + get_not_valid_before, ) from ansible_collections.community.crypto.plugins.module_utils.crypto.module_backends.certificate_info import ( @@ -251,12 +253,12 @@ class CertificateBackend(object): # Check not before if not_before is not None and not self.ignore_timestamps: - if self.existing_certificate.not_valid_before != not_before: + if get_not_valid_before(self.existing_certificate) != not_before: return True # Check not after if not_after is not None and not self.ignore_timestamps: - if self.existing_certificate.not_valid_after != not_after: + if get_not_valid_after(self.existing_certificate) != not_after: return True return False diff --git a/plugins/module_utils/crypto/module_backends/certificate_entrust.py b/plugins/module_utils/crypto/module_backends/certificate_entrust.py index baf53f5d..7dc4641e 100644 --- a/plugins/module_utils/crypto/module_backends/certificate_entrust.py +++ b/plugins/module_utils/crypto/module_backends/certificate_entrust.py @@ -10,7 +10,6 @@ __metaclass__ = type import datetime -import time import os from ansible.module_utils.common.text.converters import to_native, to_bytes @@ -19,11 +18,14 @@ from ansible_collections.community.crypto.plugins.module_utils.ecs.api import EC from ansible_collections.community.crypto.plugins.module_utils.crypto.support import ( load_certificate, + get_now_datetime, get_relative_time_option, ) from ansible_collections.community.crypto.plugins.module_utils.crypto.cryptography_support import ( + CRYPTOGRAPHY_TIMEZONE, cryptography_serial_number_of_cert, + get_not_valid_after, ) from ansible_collections.community.crypto.plugins.module_utils.crypto.module_backends.certificate import ( @@ -99,7 +101,7 @@ class EntrustCertificateBackend(CertificateBackend): # Handle expiration (30 days if not specified) expiry = self.notAfter if not expiry: - gmt_now = datetime.datetime.fromtimestamp(time.mktime(time.gmtime())) + gmt_now = get_now_datetime(with_timezone=CRYPTOGRAPHY_TIMEZONE) expiry = gmt_now + datetime.timedelta(days=365) expiry_iso3339 = expiry.strftime("%Y-%m-%dT%H:%M:%S.00Z") @@ -154,7 +156,7 @@ class EntrustCertificateBackend(CertificateBackend): expiry = None if self.backend == 'cryptography': serial_number = "{0:X}".format(cryptography_serial_number_of_cert(self.existing_certificate)) - expiry = self.existing_certificate.not_valid_after + expiry = get_not_valid_after(self.existing_certificate) # get some information about the expiry of this certificate expiry_iso3339 = expiry.strftime("%Y-%m-%dT%H:%M:%S.00Z") diff --git a/plugins/module_utils/crypto/module_backends/certificate_info.py b/plugins/module_utils/crypto/module_backends/certificate_info.py index b10733ce..5db6c358 100644 --- a/plugins/module_utils/crypto/module_backends/certificate_info.py +++ b/plugins/module_utils/crypto/module_backends/certificate_info.py @@ -12,7 +12,6 @@ __metaclass__ = type import abc import binascii -import datetime import traceback from ansible.module_utils import six @@ -24,13 +23,17 @@ from ansible_collections.community.crypto.plugins.module_utils.version import Lo from ansible_collections.community.crypto.plugins.module_utils.crypto.support import ( load_certificate, get_fingerprint_of_bytes, + get_now_datetime, ) from ansible_collections.community.crypto.plugins.module_utils.crypto.cryptography_support import ( + CRYPTOGRAPHY_TIMEZONE, cryptography_decode_name, cryptography_get_extensions_from_cert, cryptography_oid_to_name, cryptography_serial_number_of_cert, + get_not_valid_after, + get_not_valid_before, ) from ansible_collections.community.crypto.plugins.module_utils.crypto.module_backends.publickey_info import ( @@ -169,7 +172,7 @@ class CertificateInfoRetrieval(object): not_after = self.get_not_after() result['not_before'] = not_before.strftime(TIMESTAMP_FORMAT) result['not_after'] = not_after.strftime(TIMESTAMP_FORMAT) - result['expired'] = not_after < datetime.datetime.utcnow() + result['expired'] = not_after < get_now_datetime(with_timezone=CRYPTOGRAPHY_TIMEZONE) result['public_key'] = to_native(self._get_public_key_pem()) @@ -322,10 +325,10 @@ class CertificateInfoRetrievalCryptography(CertificateInfoRetrieval): return None, False def get_not_before(self): - return self.cert.not_valid_before + return get_not_valid_before(self.cert) def get_not_after(self): - return self.cert.not_valid_after + return get_not_valid_after(self.cert) def _get_public_key_pem(self): return self.cert.public_key().public_bytes( diff --git a/plugins/module_utils/crypto/module_backends/certificate_ownca.py b/plugins/module_utils/crypto/module_backends/certificate_ownca.py index ac1cf845..4d312e6b 100644 --- a/plugins/module_utils/crypto/module_backends/certificate_ownca.py +++ b/plugins/module_utils/crypto/module_backends/certificate_ownca.py @@ -31,6 +31,10 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.cryptograp cryptography_key_needs_digest_for_signing, cryptography_serial_number_of_cert, cryptography_verify_certificate_signature, + get_not_valid_after, + get_not_valid_before, + set_not_valid_after, + set_not_valid_before, ) from ansible_collections.community.crypto.plugins.module_utils.crypto.module_backends.certificate import ( @@ -120,8 +124,8 @@ class OwnCACertificateBackendCryptography(CertificateBackend): cert_builder = cert_builder.subject_name(self.csr.subject) cert_builder = cert_builder.issuer_name(self.ca_cert.subject) cert_builder = cert_builder.serial_number(self.serial_number) - cert_builder = cert_builder.not_valid_before(self.notBefore) - cert_builder = cert_builder.not_valid_after(self.notAfter) + cert_builder = set_not_valid_before(cert_builder, self.notBefore) + cert_builder = set_not_valid_after(cert_builder, self.notAfter) cert_builder = cert_builder.public_key(self.csr.public_key()) has_ski = False for extension in self.csr.extensions: @@ -220,8 +224,8 @@ class OwnCACertificateBackendCryptography(CertificateBackend): if self.cert is None: self.cert = self.existing_certificate result.update({ - 'notBefore': self.cert.not_valid_before.strftime("%Y%m%d%H%M%SZ"), - 'notAfter': self.cert.not_valid_after.strftime("%Y%m%d%H%M%SZ"), + 'notBefore': get_not_valid_before(self.cert).strftime("%Y%m%d%H%M%SZ"), + 'notAfter': get_not_valid_after(self.cert).strftime("%Y%m%d%H%M%SZ"), 'serial_number': cryptography_serial_number_of_cert(self.cert), }) diff --git a/plugins/module_utils/crypto/module_backends/certificate_selfsigned.py b/plugins/module_utils/crypto/module_backends/certificate_selfsigned.py index 8695d43e..edd8d8d7 100644 --- a/plugins/module_utils/crypto/module_backends/certificate_selfsigned.py +++ b/plugins/module_utils/crypto/module_backends/certificate_selfsigned.py @@ -22,6 +22,10 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.cryptograp cryptography_key_needs_digest_for_signing, cryptography_serial_number_of_cert, cryptography_verify_certificate_signature, + get_not_valid_after, + get_not_valid_before, + set_not_valid_after, + set_not_valid_before, ) from ansible_collections.community.crypto.plugins.module_utils.crypto.module_backends.certificate import ( @@ -95,8 +99,8 @@ class SelfSignedCertificateBackendCryptography(CertificateBackend): cert_builder = cert_builder.subject_name(self.csr.subject) cert_builder = cert_builder.issuer_name(self.csr.subject) cert_builder = cert_builder.serial_number(self.serial_number) - cert_builder = cert_builder.not_valid_before(self.notBefore) - cert_builder = cert_builder.not_valid_after(self.notAfter) + cert_builder = set_not_valid_before(cert_builder, self.notBefore) + cert_builder = set_not_valid_after(cert_builder, self.notAfter) cert_builder = cert_builder.public_key(self.privatekey.public_key()) has_ski = False for extension in self.csr.extensions: @@ -154,8 +158,8 @@ class SelfSignedCertificateBackendCryptography(CertificateBackend): if self.cert is None: self.cert = self.existing_certificate result.update({ - 'notBefore': self.cert.not_valid_before.strftime("%Y%m%d%H%M%SZ"), - 'notAfter': self.cert.not_valid_after.strftime("%Y%m%d%H%M%SZ"), + 'notBefore': get_not_valid_before(self.cert).strftime("%Y%m%d%H%M%SZ"), + 'notAfter': get_not_valid_after(self.cert).strftime("%Y%m%d%H%M%SZ"), 'serial_number': cryptography_serial_number_of_cert(self.cert), }) diff --git a/plugins/module_utils/crypto/support.py b/plugins/module_utils/crypto/support.py index 473246b1..8b59a3b7 100644 --- a/plugins/module_utils/crypto/support.py +++ b/plugins/module_utils/crypto/support.py @@ -279,7 +279,19 @@ def parse_ordered_name_field(input_list, name_field_name): return result -def convert_relative_to_datetime(relative_time_string): +def get_now_datetime(with_timezone): + if with_timezone: + return datetime.datetime.now(tz=datetime.timezone.utc) + return datetime.datetime.utcnow() + + +def ensure_utc_timezone(timestamp): + if timestamp.tzinfo is not None: + return timestamp + return timestamp.astimezone(datetime.timezone.utc) + + +def convert_relative_to_datetime(relative_time_string, with_timezone=False): """Get a datetime.datetime or None from a string in the time format described in sshd_config(5)""" parsed_result = re.match( @@ -304,13 +316,14 @@ def convert_relative_to_datetime(relative_time_string): offset += datetime.timedelta( seconds=int(parsed_result.group("seconds"))) + now = get_now_datetime(with_timezone=with_timezone) if parsed_result.group("prefix") == "+": - return datetime.datetime.utcnow() + offset + return now + offset else: - return datetime.datetime.utcnow() - offset + return now - offset -def get_relative_time_option(input_string, input_name, backend='cryptography'): +def get_relative_time_option(input_string, input_name, backend='cryptography', with_timezone=False): """Return an absolute timespec if a relative timespec or an ASN1 formatted string is provided. @@ -323,7 +336,7 @@ def get_relative_time_option(input_string, input_name, backend='cryptography'): input_string, input_name) # Relative time if result.startswith("+") or result.startswith("-"): - result_datetime = convert_relative_to_datetime(result) + result_datetime = convert_relative_to_datetime(result, with_timezone=with_timezone) if backend == 'pyopenssl': return result_datetime.strftime("%Y%m%d%H%M%SZ") elif backend == 'cryptography': @@ -332,9 +345,13 @@ def get_relative_time_option(input_string, input_name, backend='cryptography'): if backend == 'cryptography': for date_fmt in ['%Y%m%d%H%M%SZ', '%Y%m%d%H%MZ', '%Y%m%d%H%M%S%z', '%Y%m%d%H%M%z']: try: - return datetime.datetime.strptime(result, date_fmt) + res = datetime.datetime.strptime(result, date_fmt) except ValueError: pass + else: + if with_timezone: + res = res.astimezone(datetime.timezone.utc) + return res raise OpenSSLObjectError( 'The time spec "%s" for %s is invalid' % diff --git a/plugins/module_utils/openssh/certificate.py b/plugins/module_utils/openssh/certificate.py index 54d1b1ec..f5976665 100644 --- a/plugins/module_utils/openssh/certificate.py +++ b/plugins/module_utils/openssh/certificate.py @@ -22,7 +22,9 @@ __metaclass__ = type import abc import binascii +import datetime as _datetime import os +import sys from base64 import b64encode from datetime import datetime from hashlib import sha256 @@ -61,8 +63,17 @@ _ECDSA_CURVE_IDENTIFIERS_LOOKUP = { b'nistp521': 'ecdsa-nistp521', } -_ALWAYS = datetime(1970, 1, 1) -_FOREVER = datetime.max +_USE_TIMEZONE = sys.version_info >= (3, 6) + + +def _ensure_utc_timezone_if_use_timezone(value): + if not _USE_TIMEZONE or value.tzinfo is not None: + return value + return value.astimezone(_datetime.timezone.utc) + + +_ALWAYS = _ensure_utc_timezone_if_use_timezone(datetime(1970, 1, 1)) +_FOREVER = datetime(9999, 12, 31, 23, 59, 59, 999999, _datetime.timezone.utc) if _USE_TIMEZONE else datetime.max _CRITICAL_OPTIONS = ( 'force-command', @@ -136,7 +147,7 @@ class OpensshCertificateTimeParameters(object): elif dt == _FOREVER: result = 'forever' else: - result = dt.isoformat() if date_format == 'human_readable' else dt.strftime("%Y%m%d%H%M%S") + result = dt.isoformat().replace('+00:00', '') if date_format == 'human_readable' else dt.strftime("%Y%m%d%H%M%S") elif date_format == 'timestamp': td = dt - _ALWAYS result = int((td.microseconds + (td.seconds + td.days * 24 * 3600) * 10 ** 6) / 10 ** 6) @@ -167,7 +178,10 @@ class OpensshCertificateTimeParameters(object): result = _FOREVER else: try: - result = datetime.utcfromtimestamp(timestamp) + if _USE_TIMEZONE: + result = datetime.fromtimestamp(timestamp, tz=_datetime.timezone.utc) + else: + result = datetime.utcfromtimestamp(timestamp) except OverflowError as e: raise ValueError return result @@ -180,11 +194,11 @@ class OpensshCertificateTimeParameters(object): elif time_string == 'forever': result = _FOREVER elif is_relative_time_string(time_string): - result = convert_relative_to_datetime(time_string) + result = convert_relative_to_datetime(time_string, with_timezone=_USE_TIMEZONE) else: for time_format in ("%Y-%m-%d", "%Y-%m-%d %H:%M:%S", "%Y-%m-%dT%H:%M:%S"): try: - result = datetime.strptime(time_string, time_format) + result = _ensure_utc_timezone_if_use_timezone(datetime.strptime(time_string, time_format)) except ValueError: pass if result is None: diff --git a/plugins/modules/acme_challenge_cert_helper.py b/plugins/modules/acme_challenge_cert_helper.py index 9740cd16..48b65f99 100644 --- a/plugins/modules/acme_challenge_cert_helper.py +++ b/plugins/modules/acme_challenge_cert_helper.py @@ -165,6 +165,16 @@ from ansible_collections.community.crypto.plugins.module_utils.acme.io import ( read_file, ) +from ansible_collections.community.crypto.plugins.module_utils.crypto.support import ( + get_now_datetime, +) + +from ansible_collections.community.crypto.plugins.module_utils.crypto.cryptography_support import ( + CRYPTOGRAPHY_TIMEZONE, + set_not_valid_after, + set_not_valid_before, +) + CRYPTOGRAPHY_IMP_ERR = None try: import cryptography @@ -244,8 +254,9 @@ def main(): domain = to_text(challenge_data['resource']) identifier_type, identifier = to_text(challenge_data.get('resource_original', 'dns:' + challenge_data['resource'])).split(':', 1) subject = issuer = cryptography.x509.Name([]) - not_valid_before = datetime.datetime.utcnow() - not_valid_after = datetime.datetime.utcnow() + datetime.timedelta(days=10) + now = get_now_datetime(with_timezone=CRYPTOGRAPHY_TIMEZONE) + not_valid_before = now + not_valid_after = now + datetime.timedelta(days=10) if identifier_type == 'dns': san = cryptography.x509.DNSName(identifier) elif identifier_type == 'ip': @@ -254,7 +265,7 @@ def main(): raise ModuleFailException('Unsupported identifier type "{0}"'.format(identifier_type)) # Generate regular self-signed certificate - regular_certificate = cryptography.x509.CertificateBuilder().subject_name( + cert_builder = cryptography.x509.CertificateBuilder().subject_name( subject ).issuer_name( issuer @@ -262,14 +273,13 @@ def main(): private_key.public_key() ).serial_number( cryptography.x509.random_serial_number() - ).not_valid_before( - not_valid_before - ).not_valid_after( - not_valid_after ).add_extension( cryptography.x509.SubjectAlternativeName([san]), critical=False, - ).sign( + ) + cert_builder = set_not_valid_before(cert_builder, not_valid_before) + cert_builder = set_not_valid_after(cert_builder, not_valid_after) + regular_certificate = cert_builder.sign( private_key, cryptography.hazmat.primitives.hashes.SHA256(), _cryptography_backend @@ -278,7 +288,7 @@ def main(): # Process challenge if challenge == 'tls-alpn-01': value = base64.b64decode(challenge_data['resource_value']) - challenge_certificate = cryptography.x509.CertificateBuilder().subject_name( + cert_builder = cryptography.x509.CertificateBuilder().subject_name( subject ).issuer_name( issuer @@ -286,10 +296,6 @@ def main(): private_key.public_key() ).serial_number( cryptography.x509.random_serial_number() - ).not_valid_before( - not_valid_before - ).not_valid_after( - not_valid_after ).add_extension( cryptography.x509.SubjectAlternativeName([san]), critical=False, @@ -299,7 +305,10 @@ def main(): encode_octet_string(value), ), critical=True, - ).sign( + ) + cert_builder = set_not_valid_before(cert_builder, not_valid_before) + cert_builder = set_not_valid_after(cert_builder, not_valid_after) + challenge_certificate = cert_builder.sign( private_key, cryptography.hazmat.primitives.hashes.SHA256(), _cryptography_backend diff --git a/plugins/modules/get_certificate.py b/plugins/modules/get_certificate.py index 0f8abc90..6ae9439d 100644 --- a/plugins/modules/get_certificate.py +++ b/plugins/modules/get_certificate.py @@ -209,7 +209,6 @@ EXAMPLES = ''' import atexit import base64 -import datetime import traceback from os.path import isfile @@ -221,9 +220,16 @@ from ansible.module_utils.common.text.converters import to_bytes from ansible_collections.community.crypto.plugins.module_utils.version import LooseVersion +from ansible_collections.community.crypto.plugins.module_utils.crypto.support import ( + get_now_datetime, +) + from ansible_collections.community.crypto.plugins.module_utils.crypto.cryptography_support import ( + CRYPTOGRAPHY_TIMEZONE, cryptography_oid_to_name, cryptography_get_extensions_from_cert, + get_not_valid_after, + get_not_valid_before, ) MINIMAL_CRYPTOGRAPHY_VERSION = '1.6' @@ -392,7 +398,7 @@ def main(): for attribute in x509.subject: result['subject'][cryptography_oid_to_name(attribute.oid, short=True)] = attribute.value - result['expired'] = x509.not_valid_after < datetime.datetime.utcnow() + result['expired'] = get_not_valid_after(x509) < get_now_datetime(with_timezone=CRYPTOGRAPHY_TIMEZONE) result['extensions'] = [] for dotted_number, entry in cryptography_get_extensions_from_cert(x509).items(): @@ -410,8 +416,8 @@ def main(): for attribute in x509.issuer: result['issuer'][cryptography_oid_to_name(attribute.oid, short=True)] = attribute.value - result['not_after'] = x509.not_valid_after.strftime('%Y%m%d%H%M%SZ') - result['not_before'] = x509.not_valid_before.strftime('%Y%m%d%H%M%SZ') + result['not_after'] = get_not_valid_after(x509).strftime('%Y%m%d%H%M%SZ') + result['not_before'] = get_not_valid_before(x509).strftime('%Y%m%d%H%M%SZ') result['serial_number'] = x509.serial_number result['signature_algorithm'] = cryptography_oid_to_name(x509.signature_algorithm_oid) diff --git a/plugins/modules/x509_certificate_info.py b/plugins/modules/x509_certificate_info.py index d89f610c..8379937f 100644 --- a/plugins/modules/x509_certificate_info.py +++ b/plugins/modules/x509_certificate_info.py @@ -410,6 +410,10 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.support im get_relative_time_option, ) +from ansible_collections.community.crypto.plugins.module_utils.crypto.cryptography_support import ( + CRYPTOGRAPHY_TIMEZONE, +) + from ansible_collections.community.crypto.plugins.module_utils.crypto.module_backends.certificate_info import ( select_backend, ) @@ -451,7 +455,7 @@ def main(): module.fail_json( msg='The value for valid_at.{0} must be of type string (got {1})'.format(k, type(v)) ) - valid_at[k] = get_relative_time_option(v, 'valid_at.{0}'.format(k)) + valid_at[k] = get_relative_time_option(v, 'valid_at.{0}'.format(k), with_timezone=CRYPTOGRAPHY_TIMEZONE) try: result = module_backend.get_info(der_support_enabled=module.params['content'] is None) diff --git a/plugins/modules/x509_crl.py b/plugins/modules/x509_crl.py index 1ac97005..527975b8 100644 --- a/plugins/modules/x509_crl.py +++ b/plugins/modules/x509_crl.py @@ -475,6 +475,7 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.support im ) from ansible_collections.community.crypto.plugins.module_utils.crypto.cryptography_support import ( + CRYPTOGRAPHY_TIMEZONE, cryptography_decode_name, cryptography_get_name, cryptography_key_needs_digest_for_signing, @@ -484,11 +485,17 @@ from ansible_collections.community.crypto.plugins.module_utils.crypto.cryptograp ) from ansible_collections.community.crypto.plugins.module_utils.crypto.cryptography_crl import ( + CRYPTOGRAPHY_TIMEZONE_INVALIDITY_DATE, REVOCATION_REASON_MAP, TIMESTAMP_FORMAT, cryptography_decode_revoked_certificate, cryptography_dump_revoked, cryptography_get_signature_algorithm_oid_from_crl, + get_next_update, + get_last_update, + set_next_update, + set_last_update, + set_revocation_date, ) from ansible_collections.community.crypto.plugins.module_utils.crypto.pem import ( @@ -560,8 +567,8 @@ class CRL(OpenSSLObject): except (TypeError, ValueError) as exc: module.fail_json(msg=to_native(exc)) - self.last_update = get_relative_time_option(module.params['last_update'], 'last_update') - self.next_update = get_relative_time_option(module.params['next_update'], 'next_update') + self.last_update = get_relative_time_option(module.params['last_update'], 'last_update', with_timezone=CRYPTOGRAPHY_TIMEZONE) + self.next_update = get_relative_time_option(module.params['next_update'], 'next_update', with_timezone=CRYPTOGRAPHY_TIMEZONE) self.digest = select_message_digest(module.params['digest']) if self.digest is None: @@ -607,7 +614,8 @@ class CRL(OpenSSLObject): result['issuer_critical'] = rc['issuer_critical'] result['revocation_date'] = get_relative_time_option( rc['revocation_date'], - path_prefix + 'revocation_date' + path_prefix + 'revocation_date', + with_timezone=CRYPTOGRAPHY_TIMEZONE, ) if rc['reason']: result['reason'] = REVOCATION_REASON_MAP[rc['reason']] @@ -615,7 +623,8 @@ class CRL(OpenSSLObject): if rc['invalidity_date']: result['invalidity_date'] = get_relative_time_option( rc['invalidity_date'], - path_prefix + 'invalidity_date' + path_prefix + 'invalidity_date', + with_timezone=CRYPTOGRAPHY_TIMEZONE_INVALIDITY_DATE, ) result['invalidity_date_critical'] = rc['invalidity_date_critical'] self.revoked_certificates.append(result) @@ -731,9 +740,9 @@ class CRL(OpenSSLObject): if self.crl is None: return False - if self.last_update != self.crl.last_update and not self.ignore_timestamps: + if self.last_update != get_last_update(self.crl) and not self.ignore_timestamps: return False - if self.next_update != self.crl.next_update and not self.ignore_timestamps: + if self.next_update != get_next_update(self.crl) and not self.ignore_timestamps: return False if cryptography_key_needs_digest_for_signing(self.privatekey): if self.crl.signature_hash_algorithm is None or self.digest.name != self.crl.signature_hash_algorithm.name: @@ -780,8 +789,8 @@ class CRL(OpenSSLObject): except ValueError as e: raise CRLError(e) - crl = crl.last_update(self.last_update) - crl = crl.next_update(self.next_update) + crl = set_last_update(crl, self.last_update) + crl = set_next_update(crl, self.next_update) if self.update and self.crl: new_entries = set([self._compress_entry(entry) for entry in self.revoked_certificates]) @@ -792,7 +801,7 @@ class CRL(OpenSSLObject): for entry in self.revoked_certificates: revoked_cert = RevokedCertificateBuilder() revoked_cert = revoked_cert.serial_number(entry['serial_number']) - revoked_cert = revoked_cert.revocation_date(entry['revocation_date']) + revoked_cert = set_revocation_date(revoked_cert, entry['revocation_date']) if entry['issuer'] is not None: revoked_cert = revoked_cert.add_extension( x509.CertificateIssuer(entry['issuer']), @@ -876,8 +885,8 @@ class CRL(OpenSSLObject): for entry in self.revoked_certificates: result['revoked_certificates'].append(cryptography_dump_revoked(entry, idn_rewrite=self.name_encoding)) elif self.crl: - result['last_update'] = self.crl.last_update.strftime(TIMESTAMP_FORMAT) - result['next_update'] = self.crl.next_update.strftime(TIMESTAMP_FORMAT) + result['last_update'] = get_last_update(self.crl).strftime(TIMESTAMP_FORMAT) + result['next_update'] = get_next_update(self.crl).strftime(TIMESTAMP_FORMAT) result['digest'] = cryptography_oid_to_name(cryptography_get_signature_algorithm_oid_from_crl(self.crl)) issuer = [] for attribute in self.crl.issuer: