Add fallback for Certificate.not_valid_before/after_utc

The NSSDatabase.get_cert_info() has been modified so that it will use Certificate.not_valid_before/after_utc attributes which are available since Python Cryptography 42, otherwise it will use the deprecated not_valid_before/after then convert them into UTC.
dogtagpki · Nov 4, 2024 · 16a1004 · 16a1004
1 parent 678b8d0
commit 16a1004
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 2 deletions.
diff --git a/base/common/python/pki/nssdb.py b/base/common/python/pki/nssdb.py
@@ -31,6 +31,7 @@
 import stat
 import subprocess
 import tempfile
+import datetime
 import grp
 import pwd
 
@@ -2099,8 +2100,22 @@ def get_cert_info(self, nickname, token=None):
         cert['issuer'] = pki.convert_x509_name_to_dn(cert_obj.issuer)
         cert['subject'] = pki.convert_x509_name_to_dn(cert_obj.subject)
 
-        cert['not_before'] = self.convert_time_to_millis(cert_obj.not_valid_before_utc)
-        cert['not_after'] = self.convert_time_to_millis(cert_obj.not_valid_after_utc)
+        if hasattr(cert_obj, 'not_valid_before_utc'):
+            # available since Python Cryptography 42
+            not_before = cert_obj.not_valid_before_utc
+        else:
+            # use the deprecated attribute then convert into UTC
+            not_valid_before = cert_obj.not_valid_before.replace(tzinfo=datetime.timezone.utc)
+        cert['not_before'] = self.convert_time_to_millis(not_before)
+
+        if hasattr(cert_obj, 'not_valid_after_utc'):
+            # available since Python Cryptography 42
+            not_after = cert_obj.not_valid_after_utc
+        else:
+            # use the deprecated attribute then convert into UTC
+            not_after = cert_obj.not_valid_after.replace(tzinfo=datetime.timezone.utc)
+        cert['not_after'] = self.convert_time_to_millis(not_after)
+
         cert['trust_flags'] = self.get_trust(nickname=nickname, token=token)
 
         logger.debug('NSSDatabase.get_cert_info(%s) ends', nickname)

diff --git a/docs/changes/v11.6.0/API-Changes.adoc b/docs/changes/v11.6.0/API-Changes.adoc
@@ -0,0 +1,5 @@
+= API Changes =
+
+== NSSDatabase.get_cert_info() changes ==
+
+The `NSSDatabase.get_cert_info()` has been modified to return `not_before` and `not_after` attributes in UTC timezone.