Closed francois4224 closed 3 months ago
Hi, it seems that the timezone is not handled correctly in the OCSP response object.
From spec https://www.rfc-editor.org/rfc/rfc6960#section-4.2.2.1, it should be always in Greenwich Mean Time, but datetime from Cryptography is not timezone aware.
Where in the RFC do you see Greenwich Mean Time?
`revocation_time` returns a naïve object which we define in the docs to be UTC. We should probably add a `revocation_time_utc` which returns a tz-aware object, as we've done with others like this as Python slowly deprecates naïve objects.
For now, if you need to do a comparison you can either strip tzinfo off your other dt object or use `object.revocation_time.replace(tzinfo=datetime.timezone.utc)`
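The comparison discussed above, as an added example that is not part of the original thread or of the cryptography project's code: a naïve value (assumed to be UTC, as the comment says the docs define) is labelled as UTC before it is compared with a tz-aware timestamp. The helper names `as_utc` and `revoked_before` and the sample timestamps are hypothetical and constructed for illustration.

```python
from datetime import datetime, timedelta, timezone


def as_utc(dt: datetime) -> datetime:
    """Return a tz-aware UTC datetime.

    Naive input is assumed to already be UTC, so it is only labelled with
    replace(); astimezone() on a naive value would treat it as local time.
    Aware input is converted to UTC.
    """
    if dt.tzinfo is None or dt.utcoffset() is None:
        return dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def revoked_before(revocation_time: datetime, event_time: datetime) -> bool:
    """True if the certificate was already revoked at event_time."""
    return as_utc(revocation_time) <= as_utc(event_time)


# Constructed sample values (not taken from a real OCSP response).
NAIVE_REVOCATION = datetime(2024, 6, 27, 12, 0, 0)  # stands in for revocation_time
CEST = timezone(timedelta(hours=2))
SIGNED_AT = datetime(2024, 6, 27, 13, 30, 0, tzinfo=CEST)  # 11:30 UTC


def naive_vs_aware_raises() -> bool:
    """Ordering a naive and an aware datetime raises TypeError."""
    try:
        NAIVE_REVOCATION <= SIGNED_AT
    except TypeError:
        return True
    return False


def strip_without_converting() -> bool:
    """Dropping tzinfo from a non-UTC value without converting compares wall-clock times."""
    return NAIVE_REVOCATION <= SIGNED_AT.replace(tzinfo=None)


if __name__ == "__main__":
    print("naive vs aware raises:", naive_vs_aware_raises())
    print("revoked before signing:", revoked_before(NAIVE_REVOCATION, SIGNED_AT))
    print("strip-only comparison:", strip_without_converting())
```

If the other timestamp is not already in UTC, convert it to UTC before stripping `tzinfo`; otherwise the comparison is made on local wall-clock time and the verdict can flip, as `strip_without_converting` shows.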
Good catch Paul. Francois, would you be interested in submitting a PR to add `revocation_time_utc`? https://github.com/pyca/cryptography/commit/ce94de03e8feca67388529671cd366d23c966f58 is a model for what this looks like
On Thu, Jun 27, 2024 at 8:13 AM Paul Kehrer @.***> wrote:
revocation_time returns a naïve object which we define in the docs to be UTC. We should probably add a revocation_time_utc which returns a tz-aware object, as we've done with others like this as Python slowly deprecates naïve objects.
-- All that is necessary for evil to succeed is for good people to do nothing.
I just stumbled upon this myself, so I can take a look, if @francois4224 hasn't started on it.
Feel free! It's possible we've missed other `_utc` variants that are needed as well, but if you're going to submit a PR you can look at how we've done the deprecation and implementation previously https://github.com/pyca/cryptography/blob/85fba50add6b7129898f69d69a2338475de2aae5/src/rust/src/x509/certificate.rs#L198-L233