Fix: use aware datetime object everywhere (with tzinfo)

Cosmian · Apr 2, 2024 · c700ccc · c700ccc
1 parent 375c5da
commit c700ccc
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 17 deletions.
diff --git a/src/intel_sgx_ra/attest.py b/src/intel_sgx_ra/attest.py
@@ -2,7 +2,7 @@
 
 import json
 import logging
-from datetime import datetime
+from datetime import datetime, timezone
 from hashlib import sha256
 from typing import Any, Dict, Literal, Optional, Tuple, Union, cast
 
@@ -61,7 +61,7 @@ def verify_pck_chain(
         True if success, raise exception otherwise.
 
     """
-    now: datetime = datetime.utcnow()
+    now: datetime = datetime.now(timezone.utc)
 
     pck_ca_pk, root_ca_pk = (
         cast(ec.EllipticCurvePublicKey, pck_ca_cert.public_key()),
@@ -74,11 +74,11 @@ def verify_pck_chain(
     pck_cert.verify_directly_issued_by(pck_ca_cert)
 
     # Check expiration date of certificates
-    if not root_ca_cert.not_valid_before <= now <= root_ca_cert.not_valid_after:
+    if not root_ca_cert.not_valid_before_utc <= now <= root_ca_cert.not_valid_after_utc:
         raise CertificateError("Intel Root CA certificate has expired")
-    if not pck_ca_cert.not_valid_before <= now <= pck_ca_cert.not_valid_after:
+    if not pck_ca_cert.not_valid_before_utc <= now <= pck_ca_cert.not_valid_after_utc:
         raise CertificateError("Intel PCK CA certificate has expired")
-    if not pck_cert.not_valid_before <= now <= pck_cert.not_valid_after:
+    if not pck_cert.not_valid_before_utc <= now <= pck_cert.not_valid_after_utc:
         raise CertificateError("Intel PCK certificate has expired")
 
     # Check Intel Root CA signed Intel Root CA CRL and not revoked
@@ -149,13 +149,17 @@ def verify_tcb(
     .. [1] https://api.portal.trustedservices.intel.com/documentation#pcs-tcb-info-model-v3
 
     """  # noqa: E501 # pylint: disable=line-too-long
-    now: datetime = datetime.utcnow()
+    now: datetime = datetime.now(timezone.utc)
 
     tcb: Dict[str, Any] = json.loads(tcb_info)
 
+    next_update: datetime = datetime.fromisoformat(
+        # replace zero designator Z for the zero UTC offset (not parsed in Python 3.8)
+        tcb["tcbInfo"]["nextUpdate"].replace("Z", "+00:00")
+    )
     assert tcb["tcbInfo"]["version"] == 3
     assert tcb["tcbInfo"]["id"] == "SGX"
-    assert now < datetime.strptime(tcb["tcbInfo"]["nextUpdate"], "%Y-%m-%dT%H:%M:%SZ")
+    assert now < next_update
 
     root_ca_pk = cast(ec.EllipticCurvePublicKey, root_ca_cert.public_key())
 
@@ -164,9 +168,9 @@ def verify_tcb(
     tcb_cert.verify_directly_issued_by(root_ca_cert)
 
     # Check expiration date of certificates
-    if not root_ca_cert.not_valid_before <= now <= root_ca_cert.not_valid_after:
+    if not root_ca_cert.not_valid_before_utc <= now <= root_ca_cert.not_valid_after_utc:
         raise CertificateError("Intel Root CA certificate has expired")
-    if not tcb_cert.not_valid_before <= now <= tcb_cert.not_valid_after:
+    if not tcb_cert.not_valid_before_utc <= now <= tcb_cert.not_valid_after_utc:
         raise CertificateError("Intel TCB certificate has expired")
 
     try:

diff --git a/tests/test_pccs.py b/tests/test_pccs.py
@@ -1,4 +1,4 @@
-from datetime import datetime
+from datetime import datetime, timezone
 
 from cryptography import x509
 from cryptography.hazmat.primitives.asymmetric import ec
@@ -8,7 +8,7 @@
 
 def test_root_ca(data_path, pccs_url):
     quote: Quote = Quote.from_bytes((data_path / "quote.dat").read_bytes())
-    now = datetime.now()
+    now = datetime.now(timezone.utc)
 
     _, _, root_ca_cert = [
         x509.load_pem_x509_certificate(raw_cert)
@@ -20,7 +20,7 @@ def test_root_ca(data_path, pccs_url):
         root_ca_cert.tbs_certificate_bytes,
         ec.ECDSA(root_ca_cert.signature_hash_algorithm),
     ) is None
-    assert root_ca_cert.not_valid_before <= now <= root_ca_cert.not_valid_after
+    assert root_ca_cert.not_valid_before_utc <= now <= root_ca_cert.not_valid_after_utc
 
     root_ca_crl = get_root_ca_crl(pccs_url)
 
@@ -30,7 +30,7 @@ def test_root_ca(data_path, pccs_url):
 
 def test_pck_ca(data_path, pccs_url):
     quote: Quote = Quote.from_bytes((data_path / "quote.dat").read_bytes())
-    now = datetime.now()
+    now = datetime.now(timezone.utc)
 
     _, pck_ca_cert, root_ca_cert = [
         x509.load_pem_x509_certificate(raw_cert)
@@ -43,7 +43,7 @@ def test_pck_ca(data_path, pccs_url):
         pck_ca_cert.tbs_certificate_bytes,
         ec.ECDSA(pck_ca_cert.signature_hash_algorithm),
     ) is None
-    assert pck_ca_cert.not_valid_before <= now <= pck_ca_cert.not_valid_after
+    assert pck_ca_cert.not_valid_before_utc <= now <= pck_ca_cert.not_valid_after_utc
 
     common_name, *_ = pck_ca_cert.subject.get_attributes_for_oid(
         x509.NameOID.COMMON_NAME
@@ -60,7 +60,7 @@ def test_pck_ca(data_path, pccs_url):
 
 def test_pck(data_path, pccs_url):
     quote: Quote = Quote.from_bytes((data_path / "quote.dat").read_bytes())
-    now = datetime.now()
+    now = datetime.now(timezone.utc)
 
     pck_cert, pck_ca_cert, root_ca_cert = [
         x509.load_pem_x509_certificate(raw_cert)
@@ -74,8 +74,8 @@ def test_pck(data_path, pccs_url):
         pck_cert.tbs_certificate_bytes,
         ec.ECDSA(pck_cert.signature_hash_algorithm),
     ) is None
-    assert pck_cert.not_valid_before <= now <= pck_cert.not_valid_after
+    assert pck_cert.not_valid_before_utc <= now <= pck_cert.not_valid_after_utc
 
     tcb_info, _root_ca_cert, tcb_cert = get_qe_identity(pccs_url)
     assert _root_ca_cert == root_ca_cert
-    assert tcb_cert.not_valid_before <= now <= tcb_cert.not_valid_after
+    assert tcb_cert.not_valid_before_utc <= now <= tcb_cert.not_valid_after_utc