From 087edefb0fdb10d87a2218d48acb63eb2b9e370e Mon Sep 17 00:00:00 2001
From: Mikael Arguedas <mikael.arguedas@gmail.com>
Date: Wed, 8 May 2024 13:33:44 +0200
Subject: [PATCH 1/3] mark timezone explicitly in datetime strings

Signed-off-by: Mikael Arguedas <mikael.arguedas@gmail.com>
---
 .../policy/templates/dds/permissions.xsl      |  4 +--
 .../permissions/add_two_ints/permissions.xml  |  8 +++---
 .../minimal_action/permissions.xml            |  8 +++---
 .../permissions/sample/permissions.xml        | 28 +++++++++----------
 .../single_context/permissions.xml            |  4 +--
 .../talker_listener/permissions.xml           |  8 +++---
 6 files changed, 30 insertions(+), 30 deletions(-)

diff --git a/sros2/sros2/policy/templates/dds/permissions.xsl b/sros2/sros2/policy/templates/dds/permissions.xsl
index e99f535a..8aabf625 100644
--- a/sros2/sros2/policy/templates/dds/permissions.xsl
+++ b/sros2/sros2/policy/templates/dds/permissions.xsl
@@ -6,8 +6,8 @@
  <xsl:output omit-xml-declaration="yes" indent="yes"/>
  <xsl:strip-space elements="*"/>
 
-<xsl:param name="not_valid_before" select="'2020-05-01T00:00:00'"/>
-<xsl:param name="not_valid_after" select="'2030-05-01T00:00:00'"/>
+<xsl:param name="not_valid_before" select="'2020-05-01T00:00:00+00:00'"/>
+<xsl:param name="not_valid_after" select="'2030-05-01T00:00:00+00:00'"/>
 
 <xsl:variable name="template_validity">
   <validity>
diff --git a/sros2/test/policies/permissions/add_two_ints/permissions.xml b/sros2/test/policies/permissions/add_two_ints/permissions.xml
index f8f5a6dc..89ee47ab 100644
--- a/sros2/test/policies/permissions/add_two_ints/permissions.xml
+++ b/sros2/test/policies/permissions/add_two_ints/permissions.xml
@@ -3,8 +3,8 @@
     <grant name="/add_two_ints/add_two_ints_server">
       <subject_name>CN=/add_two_ints/add_two_ints_server</subject_name>
       <validity>
-        <not_before>2020-05-01T00:00:00</not_before>
-        <not_after>2030-05-01T00:00:00</not_after>
+        <not_before>2020-05-01T00:00:00+00:00</not_before>
+        <not_after>2030-05-01T00:00:00+00:00</not_after>
       </validity>
       <allow_rule>
         <domains>
@@ -56,8 +56,8 @@
     <grant name="/add_two_ints/add_two_ints_client">
       <subject_name>CN=/add_two_ints/add_two_ints_client</subject_name>
       <validity>
-        <not_before>2020-05-01T00:00:00</not_before>
-        <not_after>2030-05-01T00:00:00</not_after>
+        <not_before>2020-05-01T00:00:00+00:00</not_before>
+        <not_after>2030-05-01T00:00:00+00:00</not_after>
       </validity>
       <allow_rule>
         <domains>
diff --git a/sros2/test/policies/permissions/minimal_action/permissions.xml b/sros2/test/policies/permissions/minimal_action/permissions.xml
index be2153b1..2e5ca734 100644
--- a/sros2/test/policies/permissions/minimal_action/permissions.xml
+++ b/sros2/test/policies/permissions/minimal_action/permissions.xml
@@ -3,8 +3,8 @@
     <grant name="/minimal_action/minimal_action_server">
       <subject_name>CN=/minimal_action/minimal_action_server</subject_name>
       <validity>
-        <not_before>2020-05-01T00:00:00</not_before>
-        <not_after>2030-05-01T00:00:00</not_after>
+        <not_before>2020-05-01T00:00:00+00:00</not_before>
+        <not_after>2030-05-01T00:00:00+00:00</not_after>
       </validity>
       <allow_rule>
         <domains>
@@ -64,8 +64,8 @@
     <grant name="/minimal_action/minimal_action_client">
       <subject_name>CN=/minimal_action/minimal_action_client</subject_name>
       <validity>
-        <not_before>2020-05-01T00:00:00</not_before>
-        <not_after>2030-05-01T00:00:00</not_after>
+        <not_before>2020-05-01T00:00:00+00:00</not_before>
+        <not_after>2030-05-01T00:00:00+00:00</not_after>
       </validity>
       <allow_rule>
         <domains>
diff --git a/sros2/test/policies/permissions/sample/permissions.xml b/sros2/test/policies/permissions/sample/permissions.xml
index 9400c4a8..5686a0e5 100644
--- a/sros2/test/policies/permissions/sample/permissions.xml
+++ b/sros2/test/policies/permissions/sample/permissions.xml
@@ -3,8 +3,8 @@
     <grant name="/talker_listener/talker">
       <subject_name>CN=/talker_listener/talker</subject_name>
       <validity>
-        <not_before>2020-05-01T00:00:00</not_before>
-        <not_after>2030-05-01T00:00:00</not_after>
+        <not_before>2020-05-01T00:00:00+00:00</not_before>
+        <not_after>2030-05-01T00:00:00+00:00</not_after>
       </validity>
       <allow_rule>
         <domains>
@@ -57,8 +57,8 @@
     <grant name="/talker_listener/listener">
       <subject_name>CN=/talker_listener/listener</subject_name>
       <validity>
-        <not_before>2020-05-01T00:00:00</not_before>
-        <not_after>2030-05-01T00:00:00</not_after>
+        <not_before>2020-05-01T00:00:00+00:00</not_before>
+        <not_after>2030-05-01T00:00:00+00:00</not_after>
       </validity>
       <allow_rule>
         <domains>
@@ -111,8 +111,8 @@
     <grant name="/add_two_ints/add_two_ints_server">
       <subject_name>CN=/add_two_ints/add_two_ints_server</subject_name>
       <validity>
-        <not_before>2020-05-01T00:00:00</not_before>
-        <not_after>2030-05-01T00:00:00</not_after>
+        <not_before>2020-05-01T00:00:00+00:00</not_before>
+        <not_after>2030-05-01T00:00:00+00:00</not_after>
       </validity>
       <allow_rule>
         <domains>
@@ -166,8 +166,8 @@
     <grant name="/add_two_ints/add_two_ints_client">
       <subject_name>CN=/add_two_ints/add_two_ints_client</subject_name>
       <validity>
-        <not_before>2020-05-01T00:00:00</not_before>
-        <not_after>2030-05-01T00:00:00</not_after>
+        <not_before>2020-05-01T00:00:00+00:00</not_before>
+        <not_after>2030-05-01T00:00:00+00:00</not_after>
       </validity>
       <allow_rule>
         <domains>
@@ -221,8 +221,8 @@
     <grant name="/minimal_action/minimal_action_server">
       <subject_name>CN=/minimal_action/minimal_action_server</subject_name>
       <validity>
-        <not_before>2020-05-01T00:00:00</not_before>
-        <not_after>2030-05-01T00:00:00</not_after>
+        <not_before>2020-05-01T00:00:00+00:00</not_before>
+        <not_after>2030-05-01T00:00:00+00:00</not_after>
       </validity>
       <allow_rule>
         <domains>
@@ -282,8 +282,8 @@
     <grant name="/minimal_action/minimal_action_client">
       <subject_name>CN=/minimal_action/minimal_action_client</subject_name>
       <validity>
-        <not_before>2020-05-01T00:00:00</not_before>
-        <not_after>2030-05-01T00:00:00</not_after>
+        <not_before>2020-05-01T00:00:00+00:00</not_before>
+        <not_after>2030-05-01T00:00:00+00:00</not_after>
       </validity>
       <allow_rule>
         <domains>
@@ -343,8 +343,8 @@
     <grant name="/sample_policy/admin">
       <subject_name>CN=/sample_policy/admin</subject_name>
       <validity>
-        <not_before>2020-05-01T00:00:00</not_before>
-        <not_after>2030-05-01T00:00:00</not_after>
+        <not_before>2020-05-01T00:00:00+00:00</not_before>
+        <not_after>2030-05-01T00:00:00+00:00</not_after>
       </validity>
       <allow_rule>
         <domains>
diff --git a/sros2/test/policies/permissions/single_context/permissions.xml b/sros2/test/policies/permissions/single_context/permissions.xml
index b54e3c56..38c0ed35 100644
--- a/sros2/test/policies/permissions/single_context/permissions.xml
+++ b/sros2/test/policies/permissions/single_context/permissions.xml
@@ -3,8 +3,8 @@
     <grant name="/single_enclave">
       <subject_name>CN=/single_enclave</subject_name>
       <validity>
-        <not_before>2020-05-01T00:00:00</not_before>
-        <not_after>2030-05-01T00:00:00</not_after>
+        <not_before>2020-05-01T00:00:00+00:00</not_before>
+        <not_after>2030-05-01T00:00:00+00:00</not_after>
       </validity>
       <allow_rule>
         <domains>
diff --git a/sros2/test/policies/permissions/talker_listener/permissions.xml b/sros2/test/policies/permissions/talker_listener/permissions.xml
index 8f0b6166..0dcbd68a 100644
--- a/sros2/test/policies/permissions/talker_listener/permissions.xml
+++ b/sros2/test/policies/permissions/talker_listener/permissions.xml
@@ -3,8 +3,8 @@
     <grant name="/talker_listener/talker">
       <subject_name>CN=/talker_listener/talker</subject_name>
       <validity>
-        <not_before>2020-05-01T00:00:00</not_before>
-        <not_after>2030-05-01T00:00:00</not_after>
+        <not_before>2020-05-01T00:00:00+00:00</not_before>
+        <not_after>2030-05-01T00:00:00+00:00</not_after>
       </validity>
       <allow_rule>
         <domains>
@@ -57,8 +57,8 @@
     <grant name="/talker_listener/listener">
       <subject_name>CN=/talker_listener/listener</subject_name>
       <validity>
-        <not_before>2020-05-01T00:00:00</not_before>
-        <not_after>2030-05-01T00:00:00</not_after>
+        <not_before>2020-05-01T00:00:00+00:00</not_before>
+        <not_after>2030-05-01T00:00:00+00:00</not_after>
       </validity>
       <allow_rule>
         <domains>

From 6c5f80099ba0c7e9bdc5a6c1ec7332802d8d207c Mon Sep 17 00:00:00 2001
From: Mikael Arguedas <mikael.arguedas@gmail.com>
Date: Wed, 8 May 2024 13:41:26 +0200
Subject: [PATCH 2/3] use timezone aware datetime, remove -1 day hack in
 validity

Python 3.8 compatible because windows

Signed-off-by: Mikael Arguedas <mikael.arguedas@gmail.com>
---
 sros2/sros2/_utilities.py                     |  7 ++-----
 sros2/sros2/keystore/_permission.py           | 11 ++++++++--
 .../security/verbs/test_create_enclave.py     | 20 ++++++++++++-------
 3 files changed, 24 insertions(+), 14 deletions(-)

diff --git a/sros2/sros2/_utilities.py b/sros2/sros2/_utilities.py
index f35442f4..06a32d83 100644
--- a/sros2/sros2/_utilities.py
+++ b/sros2/sros2/_utilities.py
@@ -80,17 +80,14 @@ def build_key_and_cert(subject_name, *, ca=False, ca_key=None, issuer_name=''):
     else:
         extension = x509.BasicConstraints(ca=False, path_length=None)
 
-    utcnow = datetime.datetime.utcnow()
+    utcnow = datetime.datetime.now(datetime.timezone.utc)
     builder = x509.CertificateBuilder(
         ).issuer_name(
             issuer_name
         ).serial_number(
             x509.random_serial_number()
         ).not_valid_before(
-            # Using a day earlier here to prevent Connext (5.3.1) from complaining
-            # when extracting it from the permissions file and thinking it's in the future
-            # https://github.com/ros2/ci/pull/436#issuecomment-624874296
-            utcnow - datetime.timedelta(days=1)
+            utcnow
         ).not_valid_after(
             # TODO: This should not be hard-coded
             utcnow + datetime.timedelta(days=3650)
diff --git a/sros2/sros2/keystore/_permission.py b/sros2/sros2/keystore/_permission.py
index 47c10bd8..eb2f20db 100644
--- a/sros2/sros2/keystore/_permission.py
+++ b/sros2/sros2/keystore/_permission.py
@@ -75,8 +75,15 @@ def create_permission_file(path: pathlib.Path, domain_id, policy_element) -> Non
 
     cert_path = path.parent.joinpath('cert.pem')
     cert_content = _utilities.load_cert(cert_path)
-    kwargs['not_valid_before'] = etree.XSLT.strparam(cert_content.not_valid_before.isoformat())
-    kwargs['not_valid_after'] = etree.XSLT.strparam(cert_content.not_valid_after.isoformat())
+    # TODO replace "not_valid_before"/"not_valid_after" functions by
+    # "not_valid_before_utc"/"not_valid_after_utc"
+    # once cryptography 42 is supported on all target platforms
+    kwargs['not_valid_before'] = etree.XSLT.strparam(
+        cert_content.not_valid_before.replace(tzinfo=datetime.timezone.utc).isoformat()
+    )
+    kwargs['not_valid_after'] = etree.XSLT.strparam(
+        cert_content.not_valid_after.replace(tzinfo=datetime.timezone.utc).isoformat()
+    )
 
     if get_rmw_implementation_identifier() in _RMW_WITH_ROS_GRAPH_INFO_TOPIC:
         kwargs['allow_ros_discovery_topic'] = etree.XSLT.strparam('1')
diff --git a/sros2/test/sros2/commands/security/verbs/test_create_enclave.py b/sros2/test/sros2/commands/security/verbs/test_create_enclave.py
index bed0c740..2489377c 100644
--- a/sros2/test/sros2/commands/security/verbs/test_create_enclave.py
+++ b/sros2/test/sros2/commands/security/verbs/test_create_enclave.py
@@ -123,13 +123,19 @@ def test_cert_pem(enclave_keys_dir):
     assert isinstance(cert.signature_hash_algorithm, hashes.SHA256)
 
     # Verify the cert is valid for the expected timespan
-    utcnow = datetime.datetime.utcnow()
-
-    # Using a day earlier here to prevent Connext (5.3.1) from complaining
-    # when extracting it from the permissions file and thinking it's in the future
-    # https://github.com/ros2/ci/pull/436#issuecomment-624874296
-    assert _datetimes_are_close(cert.not_valid_before, utcnow - datetime.timedelta(days=1))
-    assert _datetimes_are_close(cert.not_valid_after, utcnow + datetime.timedelta(days=3650))
+    utcnow = datetime.datetime.now(datetime.timezone.utc)
+
+    # TODO replace "not_valid_before"/"not_valid_after" functions by
+    # "not_valid_before_utc"/"not_valid_after_utc"
+    # once cryptography 42 is supported on all target platforms
+    assert _datetimes_are_close(
+        cert.not_valid_before.replace(tzinfo=datetime.timezone.utc),
+        utcnow
+    )
+    assert _datetimes_are_close(
+        cert.not_valid_after.replace(tzinfo=datetime.timezone.utc),
+        utcnow + datetime.timedelta(days=3650)
+    )
 
     # Verify that the cert ensures this key cannot be used to sign others as a CA
     assert len(cert.extensions) == 1

From 03a1e3e12443c12ddac197a51f8b84d6c2f7e8d7 Mon Sep 17 00:00:00 2001
From: Mikael Arguedas <mikael.arguedas@gmail.com>
Date: Wed, 8 May 2024 15:26:44 +0200
Subject: [PATCH 3/3] missing import

Signed-off-by: Mikael Arguedas <mikael.arguedas@gmail.com>
---
 sros2/sros2/keystore/_permission.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sros2/sros2/keystore/_permission.py b/sros2/sros2/keystore/_permission.py
index eb2f20db..2026b4f2 100644
--- a/sros2/sros2/keystore/_permission.py
+++ b/sros2/sros2/keystore/_permission.py
@@ -12,6 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+import datetime
 import os
 import pathlib