Switch to datetime-aware properties

nabla-c0d3 · nabla-c0d3 · commit bc18d570f53a · 2024-02-27T10:29:47.000+01:00
diff --git a/sslyze/mozilla_tls_profile/mozilla_config_checker.py b/sslyze/mozilla_tls_profile/mozilla_config_checker.py
@@ -323,7 +323,7 @@ def _check_certificates(
         deployed_signature_algorithms.add(leaf_cert.signature_algorithm_oid._name)  # type: ignore
 
         # Validate the cert's lifespan
-        leaf_cert_lifespan = leaf_cert.not_valid_after - leaf_cert.not_valid_before
+        leaf_cert_lifespan = leaf_cert.not_valid_after_utc - leaf_cert.not_valid_before_utc
         if leaf_cert_lifespan.days > mozilla_config.maximum_certificate_lifespan:
             issues_with_certificates["maximum_certificate_lifespan"] = (
                 f"Certificate life span is {leaf_cert_lifespan.days} days,"
diff --git a/sslyze/plugins/certificate_info/_symantec.py b/sslyze/plugins/certificate_info/_symantec.py
@@ -1,5 +1,5 @@
 import binascii
-from datetime import datetime
+from datetime import datetime, timezone
 from enum import Enum
 from typing import List, Optional
 
@@ -116,7 +116,7 @@ def get_distrust_timeline(
         distrust_enum = None
         if has_blacklisted_cert and not has_whitelisted_cert:
             leaf_cert = verified_certificate_chain[0]
-            if leaf_cert.not_valid_before < datetime(year=2016, month=6, day=1):
+            if leaf_cert.not_valid_before_utc < datetime(year=2016, month=6, day=1, tzinfo=timezone.utc):
                 distrust_enum = SymantecDistrustTimelineEnum.MARCH_2018
             else:
                 distrust_enum = SymantecDistrustTimelineEnum.SEPTEMBER_2018
diff --git a/sslyze/plugins/certificate_info/json_output.py b/sslyze/plugins/certificate_info/json_output.py
@@ -187,8 +187,8 @@ def _handle_object(cls, data: Any) -> Any:
             fingerprint_sha1=b64encode(certificate.fingerprint(hashes.SHA1())).decode("ascii"),
             fingerprint_sha256=b64encode(certificate.fingerprint(hashes.SHA256())).decode("ascii"),
             serial_number=certificate.serial_number,
-            not_valid_before=certificate.not_valid_before,
-            not_valid_after=certificate.not_valid_after,
+            not_valid_before=certificate.not_valid_before_utc,
+            not_valid_after=certificate.not_valid_after_utc,
             subject_alternative_name=_SubjAltNameAsJson(
                 dns_names=subj_alt_name_ext.dns_names,
                 ip_addresses=subj_alt_name_ext.ip_addresses,
