Return a timezone aware datetime object when cryptography >= 42

rkoopmans · rkoopmans · commit 54d5611966e9 · 2025-03-28T08:29:33.000+01:00
diff --git a/cert_chain_resolver/models.py b/cert_chain_resolver/models.py
@@ -135,14 +135,20 @@ def signature_hash_algorithm(self):
     @property
     def not_valid_before(self):
         # type: () -> datetime.datetime
-        """Date from the underlying :py:class:`cryptography.x509.Certificate` object"""
-        return self._x509.not_valid_before
+        """Date from the underlying :py:class:`cryptography.x509.Certificate` object. returns the UTC version if cryptography version is 42.0 or higher"""
+        if hasattr(self._x509, 'not_valid_before_utc'):
+            return self._x509.not_valid_before_utc
+        else:
+            return self._x509.not_valid_before
 
     @property
     def not_valid_after(self):
         # type: () -> datetime.datetime
-        """Date from the underlying :py:class:`cryptography.x509.Certificate` object"""
-        return self._x509.not_valid_after
+        """Date from the underlying :py:class:`cryptography.x509.Certificate` object. returns the UTC version if cryptography version is 42.0 or higher"""
+        if hasattr(self._x509, 'not_valid_after_utc'):
+            return self._x509.not_valid_after_utc
+        else:
+            return self._x509.not_valid_after
 
     @property
     def fingerprint(self):
diff --git a/tests/_utils.py b/tests/_utils.py
@@ -0,0 +1,9 @@
+import cryptography
+import datetime
+
+CRYPTOGRAPHY_MAJOR = int(cryptography.__version__.split(".")[0])
+
+def make_utc_aware_if_cryptography_above_42(dt):
+    if CRYPTOGRAPHY_MAJOR >= 42:
+        return dt.replace(tzinfo=datetime.timezone.utc)
+    return dt
diff --git a/tests/test_cli.py b/tests/test_cli.py
@@ -6,6 +6,7 @@
 
 from cert_chain_resolver.cli import cli, main, parse_args
 from cert_chain_resolver.castore.file_system import FileSystemStore
+from tests._utils import CRYPTOGRAPHY_MAJOR
 from .fixtures import BUNDLE_FIXTURES, certfixture_to_id
 
 try:
@@ -146,8 +147,8 @@ def test_display_flag_is_properly_formatted(capsys):
         """== Certificate #1 ==
 Subject:            CN=github.com,O=GitHub\\, Inc.,L=San Francisco,ST=California,C=US
 Issuer:             CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US
-NotBefore:          2020-05-05T00:00:00
-NotAfter:           2022-05-10T12:00:00
+NotBefore:          2020-05-05T00:00:00{tz}
+NotAfter:           2022-05-10T12:00:00{tz}
 Serial:             7101927171473588541993819712332065657
 Sha256Fingeprint:   b6b9a6af3e866cbe0e6a307e7dda173b372b2d3ac3f06af15f97718773848008
 CAIssuerLoc:        http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt
@@ -162,8 +163,8 @@ def test_display_flag_is_properly_formatted(capsys):
 == Certificate #2 ==
 Subject:            CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US
 Issuer:             CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
-NotBefore:          2013-10-22T12:00:00
-NotAfter:           2028-10-22T12:00:00
+NotBefore:          2013-10-22T12:00:00{tz}
+NotAfter:           2028-10-22T12:00:00{tz}
 Serial:             6489877074546166222510380951761917343
 Sha256Fingeprint:   19400be5b7a31fb733917700789d2f0a2471c0c9d506c0e504c06c16d7cb17c0
 
@@ -173,7 +174,7 @@ def test_display_flag_is_properly_formatted(capsys):
   Common name:      DigiCert SHA2 High Assurance Server CA
 
 """
-    )
+    ).format(tz="+00:00" if CRYPTOGRAPHY_MAJOR > 42 else "")
 
     assert expected == captured
 
diff --git a/tests/test_models.py b/tests/test_models.py
@@ -9,6 +9,8 @@
 from cryptography.hazmat.primitives import hashes
 from cryptography.hazmat.primitives.asymmetric.padding import PKCS1v15
 from cryptography.exceptions import InvalidSignature
+from ._utils import make_utc_aware_if_cryptography_above_42
+
 
 
 try:
@@ -51,8 +53,8 @@ def test_certcontainer_x509_helper_props(cert):
     assert fixture["ca"] == c.is_ca
     assert fixture["serial"] == c.serial
     assert fixture["signature_algorithm"] == c.signature_hash_algorithm
-    assert fixture["not_before"] == c.not_valid_before
-    assert fixture["not_after"] == c.not_valid_after
+    assert make_utc_aware_if_cryptography_above_42(fixture["not_before"]) == c.not_valid_before
+    assert make_utc_aware_if_cryptography_above_42(fixture["not_after"]) == c.not_valid_after
     assert fixture["fingerprint_sha256"] == c.fingerprint
     assert fixture["ca_issuer_access_location"] == c.ca_issuer_access_location
 
