From cb3f55076e194babd79d2f3a0df654627608f491 Mon Sep 17 00:00:00 2001
From: Felix Fontein
Date: Sun, 21 Jul 2024 13:04:13 +0200
Subject: [PATCH] Support InvalidityDate.invalidity_date_utc. (#730)
---
 changelogs/fragments/730-cryptography-invalidity_date.yml | 2 ++
 plugins/module_utils/crypto/cryptography_crl.py | 8 +++++++-
 2 files changed, 9 insertions(+), 1 deletion(-)
 create mode 100644 changelogs/fragments/730-cryptography-invalidity_date.yml
diff --git a/changelogs/fragments/730-cryptography-invalidity_date.yml b/changelogs/fragments/730-cryptography-invalidity_date.yml
new file mode 100644
index 00000000..c356aaf4
--- /dev/null
+++ b/changelogs/fragments/730-cryptography-invalidity_date.yml
@@ -0,0 +1,2 @@
+bugfixes:
+ - When using cryptography >= 43.0.0, use offset-aware ``datetime.datetime`` objects (with timezone UTC) instead of offset-naive UTC timestamps for the ``InvalidityDate`` X.509 CRL extension (https://github.com/ansible-collections/community.crypto/issues/726, https://github.com/ansible-collections/community.crypto/pull/730).
diff --git a/plugins/module_utils/crypto/cryptography_crl.py b/plugins/module_utils/crypto/cryptography_crl.py
index 8ef0d65d..254252aa 100644
--- a/plugins/module_utils/crypto/cryptography_crl.py
+++ b/plugins/module_utils/crypto/cryptography_crl.py
@@ -8,7 +8,10 @@ from __future__ import absolute_import, division, print_function
 __metaclass__ = type
+from ansible_collections.community.crypto.plugins.module_utils.version import LooseVersion as _LooseVersion
+
 try:
+ import cryptography
 from cryptography import x509
 except ImportError:
 # Error handled in the calling module.
@@ -32,6 +35,8 @@ from ._obj2txt import (
 # to True and adjust get_invalidity_date() accordingly.
 # (https://github.com/pyca/cryptography/issues/10818)
 CRYPTOGRAPHY_TIMEZONE_INVALIDITY_DATE = False
+if HAS_CRYPTOGRAPHY:
+ CRYPTOGRAPHY_TIMEZONE_INVALIDITY_DATE = _LooseVersion(cryptography.__version__) >= _LooseVersion('43.0.0')
 TIMESTAMP_FORMAT = "%Y%m%d%H%M%SZ"
@@ -139,7 +144,8 @@ def get_revocation_date(obj):
 def get_invalidity_date(obj):
- # TODO: special handling if CRYPTOGRAPHY_TIMEZONE_INVALIDITY_DATE is True
+ if CRYPTOGRAPHY_TIMEZONE_INVALIDITY_DATE:
+ return obj.invalidity_date_utc
 return obj.invalidity_date
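Review bot: The flag assigned under `if HAS_CRYPTOGRAPHY:` is decided by comparing version strings rather than by checking for the attribute that get_invalidity_date() reads, so an installation whose reported version and API disagree (a vendored or patched package, for example) would take the wrong branch. Feature detection states the dependency directly: `CRYPTOGRAPHY_TIMEZONE_INVALIDITY_DATE = hasattr(x509.InvalidityDate, 'invalidity_date_utc')`. HAS_CRYPTOGRAPHY is defined outside this hunk, so I am assuming it is True exactly when the `import cryptography` added in the first hunk succeeded; if it can be set from another import path, `cryptography` may be unbound here. The comment block above the flag starts outside the hunk and still reads as a pending instruction ("to True and adjust get_invalidity_date() accordingly"); it should be reworded to describe the automatic switch.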
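Review bot: get_invalidity_date() now returns an offset-aware datetime on cryptography >= 43.0.0 and an offset-naive one otherwise, and nothing on the function says so. Python raises TypeError when naive and aware datetimes are compared or subtracted, so any caller that compares the result with its own timestamps has to branch on CRYPTOGRAPHY_TIMEZONE_INVALIDITY_DATE; the callers are not part of this patch, so whether they all do is not visible here. Because the invalidity date records when a certificate is known or suspected to have become invalid, the contract deserves a docstring, for example `"""Return the InvalidityDate value: offset-aware (UTC) if CRYPTOGRAPHY_TIMEZONE_INVALIDITY_DATE is True, offset-naive UTC otherwise."""`. A unit test that asserts the `tzinfo` of the returned value for each setting of the flag would pin the behaviour down.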