From 1752d32e7c8b5e239ab914ed6acf950bb8278e3a Mon Sep 17 00:00:00 2001 From: Mikael Arguedas Date: Wed, 8 May 2024 13:41:26 +0200 Subject: [PATCH] use timezone aware datetime, remove -1 day hack in validity Python 3.8 compatible because windows Signed-off-by: Mikael Arguedas --- sros2/sros2/_utilities.py | 7 ++----- sros2/sros2/keystore/_permission.py | 11 ++++++++-- .../security/verbs/test_create_enclave.py | 20 ++++++++++++------- 3 files changed, 24 insertions(+), 14 deletions(-) diff --git a/sros2/sros2/_utilities.py b/sros2/sros2/_utilities.py index f35442f4..06a32d83 100644 --- a/sros2/sros2/_utilities.py +++ b/sros2/sros2/_utilities.py @@ -80,17 +80,14 @@ def build_key_and_cert(subject_name, *, ca=False, ca_key=None, issuer_name=''): else: extension = x509.BasicConstraints(ca=False, path_length=None) - utcnow = datetime.datetime.utcnow() + utcnow = datetime.datetime.now(datetime.timezone.utc) builder = x509.CertificateBuilder( ).issuer_name( issuer_name ).serial_number( x509.random_serial_number() ).not_valid_before( - # Using a day earlier here to prevent Connext (5.3.1) from complaining - # when extracting it from the permissions file and thinking it's in the future - # https://github.com/ros2/ci/pull/436#issuecomment-624874296 - utcnow - datetime.timedelta(days=1) + utcnow ).not_valid_after( # TODO: This should not be hard-coded utcnow + datetime.timedelta(days=3650) diff --git a/sros2/sros2/keystore/_permission.py b/sros2/sros2/keystore/_permission.py index 47c10bd8..eb2f20db 100644 --- a/sros2/sros2/keystore/_permission.py +++ b/sros2/sros2/keystore/_permission.py @@ -75,8 +75,15 @@ def create_permission_file(path: pathlib.Path, domain_id, policy_element) -> Non cert_path = path.parent.joinpath('cert.pem') cert_content = _utilities.load_cert(cert_path) - kwargs['not_valid_before'] = etree.XSLT.strparam(cert_content.not_valid_before.isoformat()) - kwargs['not_valid_after'] = etree.XSLT.strparam(cert_content.not_valid_after.isoformat()) + # TODO replace "not_valid_before"/"not_valid_after" functions by + # "not_valid_before_utc"/"not_valid_after_utc" + # once cryptography 42 is supported on all target platforms + kwargs['not_valid_before'] = etree.XSLT.strparam( + cert_content.not_valid_before.replace(tzinfo=datetime.timezone.utc).isoformat() + ) + kwargs['not_valid_after'] = etree.XSLT.strparam( + cert_content.not_valid_after.replace(tzinfo=datetime.timezone.utc).isoformat() + ) if get_rmw_implementation_identifier() in _RMW_WITH_ROS_GRAPH_INFO_TOPIC: kwargs['allow_ros_discovery_topic'] = etree.XSLT.strparam('1') diff --git a/sros2/test/sros2/commands/security/verbs/test_create_enclave.py b/sros2/test/sros2/commands/security/verbs/test_create_enclave.py index bed0c740..2489377c 100644 --- a/sros2/test/sros2/commands/security/verbs/test_create_enclave.py +++ b/sros2/test/sros2/commands/security/verbs/test_create_enclave.py @@ -123,13 +123,19 @@ def test_cert_pem(enclave_keys_dir): assert isinstance(cert.signature_hash_algorithm, hashes.SHA256) # Verify the cert is valid for the expected timespan - utcnow = datetime.datetime.utcnow() - - # Using a day earlier here to prevent Connext (5.3.1) from complaining - # when extracting it from the permissions file and thinking it's in the future - # https://github.com/ros2/ci/pull/436#issuecomment-624874296 - assert _datetimes_are_close(cert.not_valid_before, utcnow - datetime.timedelta(days=1)) - assert _datetimes_are_close(cert.not_valid_after, utcnow + datetime.timedelta(days=3650)) + utcnow = datetime.datetime.now(datetime.timezone.utc) + + # TODO replace "not_valid_before"/"not_valid_after" functions by + # "not_valid_before_utc"/"not_valid_after_utc" + # once cryptography 42 is supported on all target platforms + assert _datetimes_are_close( + cert.not_valid_before.replace(tzinfo=datetime.timezone.utc), + utcnow + ) + assert _datetimes_are_close( + cert.not_valid_after.replace(tzinfo=datetime.timezone.utc), + utcnow + datetime.timedelta(days=3650) + ) # Verify that the cert ensures this key cannot be used to sign others as a CA assert len(cert.extensions) == 1