From c700ccce9a017e38bfe62bb8eaf4272a85caf9b3 Mon Sep 17 00:00:00 2001 From: grydz Date: Tue, 2 Apr 2024 16:21:16 +0400 Subject: [PATCH] Fix: use aware datetime object everywhere (with tzinfo) --- src/intel_sgx_ra/attest.py | 22 +++++++++++++--------- tests/test_pccs.py | 16 ++++++++-------- 2 files changed, 21 insertions(+), 17 deletions(-) diff --git a/src/intel_sgx_ra/attest.py b/src/intel_sgx_ra/attest.py index 4c5d32b..3cf0a14 100644 --- a/src/intel_sgx_ra/attest.py +++ b/src/intel_sgx_ra/attest.py @@ -2,7 +2,7 @@ import json import logging -from datetime import datetime +from datetime import datetime, timezone from hashlib import sha256 from typing import Any, Dict, Literal, Optional, Tuple, Union, cast @@ -61,7 +61,7 @@ def verify_pck_chain( True if success, raise exception otherwise. """ - now: datetime = datetime.utcnow() + now: datetime = datetime.now(timezone.utc) pck_ca_pk, root_ca_pk = ( cast(ec.EllipticCurvePublicKey, pck_ca_cert.public_key()), @@ -74,11 +74,11 @@ def verify_pck_chain( pck_cert.verify_directly_issued_by(pck_ca_cert) # Check expiration date of certificates - if not root_ca_cert.not_valid_before <= now <= root_ca_cert.not_valid_after: + if not root_ca_cert.not_valid_before_utc <= now <= root_ca_cert.not_valid_after_utc: raise CertificateError("Intel Root CA certificate has expired") - if not pck_ca_cert.not_valid_before <= now <= pck_ca_cert.not_valid_after: + if not pck_ca_cert.not_valid_before_utc <= now <= pck_ca_cert.not_valid_after_utc: raise CertificateError("Intel PCK CA certificate has expired") - if not pck_cert.not_valid_before <= now <= pck_cert.not_valid_after: + if not pck_cert.not_valid_before_utc <= now <= pck_cert.not_valid_after_utc: raise CertificateError("Intel PCK certificate has expired") # Check Intel Root CA signed Intel Root CA CRL and not revoked @@ -149,13 +149,17 @@ def verify_tcb( .. [1] https://api.portal.trustedservices.intel.com/documentation#pcs-tcb-info-model-v3 """ # noqa: E501 # pylint: disable=line-too-long - now: datetime = datetime.utcnow() + now: datetime = datetime.now(timezone.utc) tcb: Dict[str, Any] = json.loads(tcb_info) + next_update: datetime = datetime.fromisoformat( + # replace zero designator Z for the zero UTC offset (not parsed in Python 3.8) + tcb["tcbInfo"]["nextUpdate"].replace("Z", "+00:00") + ) assert tcb["tcbInfo"]["version"] == 3 assert tcb["tcbInfo"]["id"] == "SGX" - assert now < datetime.strptime(tcb["tcbInfo"]["nextUpdate"], "%Y-%m-%dT%H:%M:%SZ") + assert now < next_update root_ca_pk = cast(ec.EllipticCurvePublicKey, root_ca_cert.public_key()) @@ -164,9 +168,9 @@ def verify_tcb( tcb_cert.verify_directly_issued_by(root_ca_cert) # Check expiration date of certificates - if not root_ca_cert.not_valid_before <= now <= root_ca_cert.not_valid_after: + if not root_ca_cert.not_valid_before_utc <= now <= root_ca_cert.not_valid_after_utc: raise CertificateError("Intel Root CA certificate has expired") - if not tcb_cert.not_valid_before <= now <= tcb_cert.not_valid_after: + if not tcb_cert.not_valid_before_utc <= now <= tcb_cert.not_valid_after_utc: raise CertificateError("Intel TCB certificate has expired") try: diff --git a/tests/test_pccs.py b/tests/test_pccs.py index 4ee93cf..7c63bc6 100644 --- a/tests/test_pccs.py +++ b/tests/test_pccs.py @@ -1,4 +1,4 @@ -from datetime import datetime +from datetime import datetime, timezone from cryptography import x509 from cryptography.hazmat.primitives.asymmetric import ec @@ -8,7 +8,7 @@ def test_root_ca(data_path, pccs_url): quote: Quote = Quote.from_bytes((data_path / "quote.dat").read_bytes()) - now = datetime.now() + now = datetime.now(timezone.utc) _, _, root_ca_cert = [ x509.load_pem_x509_certificate(raw_cert) @@ -20,7 +20,7 @@ def test_root_ca(data_path, pccs_url): root_ca_cert.tbs_certificate_bytes, ec.ECDSA(root_ca_cert.signature_hash_algorithm), ) is None - assert root_ca_cert.not_valid_before <= now <= root_ca_cert.not_valid_after + assert root_ca_cert.not_valid_before_utc <= now <= root_ca_cert.not_valid_after_utc root_ca_crl = get_root_ca_crl(pccs_url) @@ -30,7 +30,7 @@ def test_root_ca(data_path, pccs_url): def test_pck_ca(data_path, pccs_url): quote: Quote = Quote.from_bytes((data_path / "quote.dat").read_bytes()) - now = datetime.now() + now = datetime.now(timezone.utc) _, pck_ca_cert, root_ca_cert = [ x509.load_pem_x509_certificate(raw_cert) @@ -43,7 +43,7 @@ def test_pck_ca(data_path, pccs_url): pck_ca_cert.tbs_certificate_bytes, ec.ECDSA(pck_ca_cert.signature_hash_algorithm), ) is None - assert pck_ca_cert.not_valid_before <= now <= pck_ca_cert.not_valid_after + assert pck_ca_cert.not_valid_before_utc <= now <= pck_ca_cert.not_valid_after_utc common_name, *_ = pck_ca_cert.subject.get_attributes_for_oid( x509.NameOID.COMMON_NAME @@ -60,7 +60,7 @@ def test_pck_ca(data_path, pccs_url): def test_pck(data_path, pccs_url): quote: Quote = Quote.from_bytes((data_path / "quote.dat").read_bytes()) - now = datetime.now() + now = datetime.now(timezone.utc) pck_cert, pck_ca_cert, root_ca_cert = [ x509.load_pem_x509_certificate(raw_cert) @@ -74,8 +74,8 @@ def test_pck(data_path, pccs_url): pck_cert.tbs_certificate_bytes, ec.ECDSA(pck_cert.signature_hash_algorithm), ) is None - assert pck_cert.not_valid_before <= now <= pck_cert.not_valid_after + assert pck_cert.not_valid_before_utc <= now <= pck_cert.not_valid_after_utc tcb_info, _root_ca_cert, tcb_cert = get_qe_identity(pccs_url) assert _root_ca_cert == root_ca_cert - assert tcb_cert.not_valid_before <= now <= tcb_cert.not_valid_after + assert tcb_cert.not_valid_before_utc <= now <= tcb_cert.not_valid_after_utc