diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 5df0a0515..913f66a20 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -15,6 +15,10 @@ Backward-incompatible changes:
 - Removed deprecated ``OpenSSL.SSL.Context.set_npn_advertise_callback``, ``OpenSSL.SSL.Context.set_npn_select_callback``, and ``OpenSSL.SSL.Connection.get_next_proto_negotiated``.
 - Drop support for Python 3.4
 - Drop support for OpenSSL 1.0.1
+- Honor time zones in the ``vfy_time`` parameter to ``OpenSSL.crypto.X509Store.set_time()``,
+ and assume that datetimes without a time zone are in UTC instead of in local time.
+ `#907 `_
+ `#952 `_
 Deprecations:
 ^^^^^^^^^^^^^
diff --git a/src/OpenSSL/crypto.py b/src/OpenSSL/crypto.py
index 11be813ca..9ba96a99f 100644
--- a/src/OpenSSL/crypto.py
+++ b/src/OpenSSL/crypto.py
@@ -1660,6 +1660,11 @@ def set_time(self, vfy_time):
 Normally the current time is used.
+ The verification time can be a ``datetime`` object with or without time
+ zone information. A time without a time zone is assumed to be in UTC.
+ To avoid ambiguity, ``vfy_time`` should be a timezone-aware
+ ``datetime`` in the UTC time zone.
+
 .. note::
 For example, you can determine if a certificate was valid at a given
@@ -1667,14 +1672,15 @@ def set_time(self, vfy_time):
 .. versionadded:: 17.0.0
- :param datetime vfy_time: The verification time to set on this store.
+ :param vfy_time: The verification time to set on this store.
+ :type vfy_time: :class:`datetime.datetime`
 :return: ``None`` if the verification time was successfully set.
 """
 param = _lib.X509_VERIFY_PARAM_new()
 param = _ffi.gc(param, _lib.X509_VERIFY_PARAM_free)
 _lib.X509_VERIFY_PARAM_set_time(
- param, calendar.timegm(vfy_time.timetuple())
+ param, calendar.timegm(vfy_time.utctimetuple())
 )
 _openssl_assert(_lib.X509_STORE_set1_param(self._store, param) != 0)
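Review bot: The switch to `vfy_time.utctimetuple()` in the `X509_VERIFY_PARAM_set_time` call narrows what `set_time` accepts without saying so. `utctimetuple()` exists on `datetime.datetime` but not on `datetime.date`, so a caller that passed a `date` (which worked with `timetuple()`) now fails with a bare `AttributeError`. Because this value fixes the instant at which certificate validity periods are checked, an explicit guard before the call would make the contract clear, e.g. `if not isinstance(vfy_time, datetime.datetime): raise TypeError("vfy_time must be a datetime.datetime")`, assuming the module imports `datetime`, which this hunk does not show. It is also worth a test that a naive value and the same value tagged UTC give the same verification time and that an aware non-UTC value is shifted, since callers passing naive local times now verify at an instant moved by their UTC offset with no runtime signal. The body of `set_time` starts outside the hunk.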