m32 / endesive

en-crypt, de-crypt, si-gn, ve-rify - smime, pdf, xades and plain files in pure python
MIT License

HSMTests.test_create after 2040-01-04 #173

Closed bmwiedemann closed 1 month ago

bmwiedemann commented 1 month ago

While working on reproducible builds for openSUSE (sponsored by the NLnet NGI0 fund), I found that our python-endesive 2.17.2 package fails a test after 2040-01-04.

Background: As part of my work on reproducible builds for openSUSE, I check that software still gives identical build results in the future. The usual offset is +16 years, because that is how long I expect some software will be used in some places. This showed up failing tests in our package build.


    =================================== FAILURES ===================================
    _____________________________ HSMTests.test_create _____________________________

    self = <tests.test_hsm.HSMTests testMethod=test_create>

        def test_create(self):
            cls = HSM(dllpath)
            cls.create("endesieve", "secret1", "secret2")
            cls.login("endesieve", "secret1")
            try:
    >           cls.main()

    tests/test_hsm.py:120:
    _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
    tests/test_hsm.py:50: in main
        self.ca_gen(label, cakeyID, 'hsm CA')
    endesive/hsm.py:298: in ca_gen
        der_bytes = self.certsign(1, pubKey, subject, until, privKey, True)
    endesive/hsm.py:192: in certsign
        "not_after": asn1x509.Time(
    /usr/lib/python3.10/site-packages/asn1crypto/core.py:1165: in __init__
        raise e
    /usr/lib/python3.10/site-packages/asn1crypto/core.py:1157: in __init__
        value = spec(value, **params)
    /usr/lib/python3.10/site-packages/asn1crypto/core.py:1677: in __init__
        raise e
    /usr/lib/python3.10/site-packages/asn1crypto/core.py:1669: in __init__
        self.set(value)
    _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

    self = <[TypeError("object of type 'NoneType' has no len()") raised in repr()] UTCTime object at 0x7f519a4af1c0>
    value = datetime.datetime(2050, 10, 17, 1, 26, 29, 413433, tzinfo=<asn1crypto.util._UtcWithDst object at 0x7f519b8668c0>)

        def set(self, value):
            """
            Sets the value of the object

            :param value:
                A unicode string or a datetime.datetime object

            :raises:
                ValueError - when an invalid value is passed
            """

            if isinstance(value, datetime):
                if not value.tzinfo:
                    raise ValueError('Must be timezone aware')

                # Convert value to UTC.
                value = value.astimezone(utc_with_dst)

                if not 1950 <= value.year <= 2049:
    >               raise ValueError('Year of the UTCTime is not in range [1950, 2049], use GeneralizedTime instead')
    E               ValueError: Year of the UTCTime is not in range [1950, 2049], use GeneralizedTime instead
    E                   while constructing asn1crypto.core.UTCTime
    E                   while constructing asn1crypto.x509.Time

    /usr/lib/python3.10/site-packages/asn1crypto/core.py:5018: ValueError
    =============================== warnings summary ===============================
    tests/test_email.py::EMAILTests::test_email_ssl_encrypt_cms
    tests/test_email.py::EMAILTests::test_email_ssl_encrypt_cms_oaep
      /home/abuild/rpmbuild/BUILD/endesive-2.17.2/endesive/email/decrypt.py:71: CryptographyDeprecationWarning: TripleDES has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.TripleDES and will be removed from this module in 48.0.0.
        algorithms.TripleDES(udata),

    -- Docs: https://docs.pytest.org/en/stable/how-to/capture-warnings.html
    =========================== short test summary info ============================
    FAILED tests/test_hsm.py::HSMTests::test_create - ValueError: Year of the UTC...
    ============ 1 failed, 36 passed, 2 deselected, 2 warnings in 6.73s ============

m32 commented 1 month ago

I added a fix in hsm.py; please run your test on the current version from git.

bmwiedemann commented 1 month ago

I tested with commit 47f751ad877e45d7954fdead5482ad164ae8f8b5 and it fixes the tests. That was fast. Thanks a lot.

bmwiedemann commented 1 month ago

One hint, though: If this was my project, I would want nicer commit messages. E.g. read https://cbea.ms/git-commit/

Especially imagine reading that commit in 10y and wondering "Why?" (was this changed)

m32 commented 1 month ago

thx
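
The traceback in this issue comes from putting a 2050 `not_after` date into ASN.1 UTCTime, whose two-digit year only covers 1950 to 2049; RFC 5280 requires GeneralizedTime for validity dates in 2050 or later. The following is an added, stdlib-only example (not endesive's or asn1crypto's code, and not the content of the fix commit) that applies that rule when DER-encoding a validity date and shows why the range check exists. The function names `encode_x509_time` and `decode_x509_time` are hypothetical.

```python
from datetime import datetime, timezone

UTC_TIME_TAG = 0x17          # UTCTime: YYMMDDHHMMSSZ, two-digit year
GENERALIZED_TIME_TAG = 0x18  # GeneralizedTime: YYYYMMDDHHMMSSZ


def encode_x509_time(value: datetime) -> bytes:
    """DER-encode a validity date: UTCTime through 2049, GeneralizedTime after."""
    if value.tzinfo is None:
        raise ValueError("Must be timezone aware")
    # Validity times are UTC with second precision (no fractional part).
    value = value.astimezone(timezone.utc).replace(microsecond=0)
    if 1950 <= value.year <= 2049:
        tag, year = UTC_TIME_TAG, f"{value.year % 100:02d}"
    else:
        tag, year = GENERALIZED_TIME_TAG, f"{value.year:04d}"
    body = f"{year}{value:%m%d%H%M%S}Z".encode("ascii")
    return bytes([tag, len(body)]) + body  # length is 13 or 15, short form


def decode_x509_time(der: bytes) -> datetime:
    """Parse a DER UTCTime/GeneralizedTime, applying the 1950 pivot to UTCTime."""
    if len(der) < 2 or der[1] != len(der) - 2:
        raise ValueError("malformed DER length")
    tag, text = der[0], der[2:].decode("ascii")
    if not (text.endswith("Z") and text[:-1].isdigit()):
        raise ValueError("expected digits followed by Z")
    if tag == UTC_TIME_TAG and len(text) == 13:
        yy, rest = int(text[:2]), text[2:-1]
        year = 1900 + yy if yy >= 50 else 2000 + yy  # 50..99 -> 19xx
    elif tag == GENERALIZED_TIME_TAG and len(text) == 15:
        year, rest = int(text[:4]), text[4:-1]
    else:
        raise ValueError("not a DER UTCTime or GeneralizedTime")
    mo, d, h, mi, s = (int(rest[i:i + 2]) for i in range(0, 10, 2))
    return datetime(year, mo, d, h, mi, s, tzinfo=timezone.utc)


if __name__ == "__main__":
    # not_after value taken from the traceback in this issue.
    until = datetime(2050, 10, 17, 1, 26, 29, 413433, tzinfo=timezone.utc)
    print(encode_x509_time(until))       # GeneralizedTime, tag 0x18
    # Constructed: the same date forced into UTCTime reads back as 1950.
    print(decode_x509_time(b"\x17\x0d501017012629Z").year)
```

The year is decided after conversion to UTC, so a local time just past midnight on 2050-01-01 in a zone ahead of UTC is still encoded as UTCTime.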