downgrade cryptography dep and pin to v42.0.8 for now

Author: tykling

client/certgrinder/certgrinder.py

@@ -1148,17 +1148,15 @@ def check_ocsp(self) -> bool:
         # parse the OCSP response
         ocsp_response = self.load_ocsp_response(self.ocsp_response_path)
 
-        # consider the response produced_at_utc (rather than next_update_utc)
-        validity = ocsp_response.next_update_utc - ocsp_response.produced_at_utc
-        passed = (
-            datetime.datetime.now(datetime.timezone.utc) - ocsp_response.produced_at_utc
-        )
+        # consider the response produced_at (rather than next_update)
+        validity = ocsp_response.next_update - ocsp_response.produced_at
+        passed = datetime.datetime.now() - ocsp_response.produced_at
         percent = (passed / validity) * 100
         logger.debug(f"{percent} percent of OCSP response validity period has passed")
 
         if percent > self.conf["ocsp-renew-threshold-percent"]:
             logger.debug(
-                f"OCSP response is too old for keytype {self.keytype} for domainset: {self.domainset} ({round(percent,2)}% of the time between produced_at_utc and next_update_utc has passed, the limit is {self.conf['ocsp-renew-threshold-percent']}%), returning False"
+                f"OCSP response is too old for keytype {self.keytype} for domainset: {self.domainset} ({round(percent,2)}% of the time between produced_at and next_update has passed, the limit is {self.conf['ocsp-renew-threshold-percent']}%), returning False"
             )
             self.error = True
             return False
@@ -1181,10 +1179,10 @@ def show_ocsp(self) -> None:
             f"- Showing OCSP response for keytype {self.keytype} domain set: {self.domainset}"
         )
         logger.info(f"Certificate status: {ocsp_response.certificate_status}")
-        logger.info(f"This update: {ocsp_response.this_update_utc}")
-        logger.info(f"Produced at: {ocsp_response.produced_at_utc}")
-        logger.info(f"Next update: {ocsp_response.next_update_utc}")
-        logger.info(f"Revocation time: {ocsp_response.revocation_time_utc}")
+        logger.info(f"This update: {ocsp_response.this_update}")
+        logger.info(f"Produced at: {ocsp_response.produced_at}")
+        logger.info(f"Next update: {ocsp_response.next_update}")
+        logger.info(f"Revocation time: {ocsp_response.revocation_time}")
         logger.info(f"Revocation reason: {ocsp_response.revocation_reason}")
 
     @staticmethod
@@ -2146,7 +2144,7 @@ def get_parser() -> argparse.ArgumentParser:
         type=int,
         choices=range(0, 101),
         metavar="OCSP-RENEW-THRESHOLD-PERCENT",
-        help="An integer between 0 and 100 specifying the amount of time in percent between ``produced_at_utc`` and ``next_update_utc`` which must have passed before an OCSP response is considered too old. Defaults to 50.",
+        help="An integer between 0 and 100 specifying the amount of time in percent between ``produced_at`` and ``next_update`` which must have passed before an OCSP response is considered too old. Defaults to 50.",
         default=argparse.SUPPRESS,
     )
     parser.add_argument(

client/certgrinder/tests/test_certgrinder.py

@@ -310,7 +310,7 @@ def test_get_certificate(
         ), "Exit code not 1 as expected with expired ocsp response"
         assert "OCSP response not found" not in caplog.text
         assert (
-            "of the time between produced_at_utc and next_update_utc has passed, the limit is 0%"
+            "of the time between produced_at and next_update has passed, the limit is 0%"
             in caplog.text
         )
         caplog.clear()
@@ -321,7 +321,7 @@ def test_get_certificate(
         assert E.type == SystemExit, f"Exit was not as expected, it was {E.type}"
         assert E.value.code == 0, "Exit code not 0 as expected with OK ocsp response"
         assert "OCSP response not found" not in caplog.text
-        assert "was produced_at_utc more than" not in caplog.text
+        assert "was produced_at more than" not in caplog.text
 
         # we only need to test CAA once
         if certgrinderd_configfile[0] == "dns":

client/man/certgrinder.8

@@ -27,7 +27,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.TH "CERTGRINDER" "8" "Jan 10, 2025" "" "Certgrinder"
+.TH "CERTGRINDER" "8" "Jan 26, 2025" "" "Certgrinder"
 .SH NAME
 certgrinder \- Manpage for certgrinder
 .sp
@@ -350,7 +350,7 @@ Shown above is the \fBshow tlsa\fP subcommand in action. The value supplied shou
 The \fBversion\fP command is just a shortcut for \fB\-v\fP which shows the Certgrinder version and exits.
 .SH COMMAND LINE USAGE
 .sp
-Certgrinder version 0.19.3.dev21+g93b04c2.d20250105. See the manpage or ReadTheDocs for more info.
+Certgrinder version 0.20.1.dev0+g86b074d.d20250126. See the manpage or ReadTheDocs for more info.
 
 .INDENT 0.0
 .INDENT 3.5
@@ -440,7 +440,7 @@ Run periodic command without delay. Equal to setting \-\-periodic\-sleep\-minute
 .B \-o, \-\-ocsp\-renew\-threshold\-percent
 Possible choices: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90, 91, 92, 93, 94, 95, 96, 97, 98, 99, 100
 .sp
-An integer between 0 and 100 specifying the amount of time in percent between \fBproduced_at_utc\fP and \fBnext_update_utc\fP which must have passed before an OCSP response is considered too old. Defaults to 50.
+An integer between 0 and 100 specifying the amount of time in percent between \fBproduced_at\fP and \fBnext_update\fP which must have passed before an OCSP response is considered too old. Defaults to 50.
 .TP
 .B \-\-path
 Tell certgrinder to use the specified directory for keys, CSRs and certificates. The directory must exist and be writeable by the user running certgrinder.

client/pyproject.toml

@@ -17,7 +17,7 @@ classifiers = [
 dependencies = [
     "dnspython == 2.7.0",
     "PyYAML == 6.0.1",
-    "cryptography == 44.0.0",
+    "cryptography == 42.0.8",
     "pid == 3.0.4",
 ]
 

conftest.py

@@ -648,10 +648,8 @@ def selfsigned_certificate(known_private_key_2):
         .issuer_name(issuer)
         .public_key(known_private_key_2.public_key())
         .serial_number(x509.random_serial_number())
-        .not_valid_before(datetime.datetime.now(datetime.timezone.utc))
-        .not_valid_after(
-            datetime.datetime.now(datetime.timezone.utc) + datetime.timedelta(days=10)
-        )
+        .not_valid_before(datetime.datetime.utcnow())
+        .not_valid_after(datetime.datetime.utcnow() + datetime.timedelta(days=10))
         .add_extension(
             x509.SubjectAlternativeName(
                 [x509.DNSName("example.com"), x509.DNSName("www.example.com")]
@@ -684,10 +682,8 @@ def signed_certificate(known_private_key, known_private_key_2):
         .issuer_name(issuer)
         .public_key(known_private_key.public_key())
         .serial_number(x509.random_serial_number())
-        .not_valid_before(datetime.datetime.now(datetime.timezone.utc))
-        .not_valid_after(
-            datetime.datetime.now(datetime.timezone.utc) + datetime.timedelta(days=90)
-        )
+        .not_valid_before(datetime.datetime.utcnow())
+        .not_valid_after(datetime.datetime.utcnow() + datetime.timedelta(days=90))
         .add_extension(
             x509.SubjectAlternativeName([x509.DNSName("example.com")]), critical=False
         )
@@ -721,10 +717,8 @@ def delegated_signer_certificate_not_signed_by_issuer(
         .issuer_name(issuer)
         .public_key(known_private_key_3.public_key())
         .serial_number(x509.random_serial_number())
-        .not_valid_before(datetime.datetime.now(datetime.timezone.utc))
-        .not_valid_after(
-            datetime.datetime.now(datetime.timezone.utc) + datetime.timedelta(days=90)
-        )
+        .not_valid_before(datetime.datetime.utcnow())
+        .not_valid_after(datetime.datetime.utcnow() + datetime.timedelta(days=90))
         .add_extension(
             x509.SubjectAlternativeName([x509.DNSName("delegatedresponder.example")]),
             critical=True,
@@ -761,10 +755,8 @@ def delegated_signer_certificate(known_private_key_3, known_private_key_2):
         .issuer_name(issuer)
         .public_key(known_private_key_3.public_key())
         .serial_number(x509.random_serial_number())
-        .not_valid_before(datetime.datetime.now(datetime.timezone.utc))
-        .not_valid_after(
-            datetime.datetime.now(datetime.timezone.utc) + datetime.timedelta(days=90)
-        )
+        .not_valid_before(datetime.datetime.utcnow())
+        .not_valid_after(datetime.datetime.utcnow() + datetime.timedelta(days=90))
         .add_extension(
             x509.SubjectAlternativeName([x509.DNSName("delegatedresponder.example")]),
             critical=True,
@@ -801,10 +793,8 @@ def delegated_signer_certificate_no_eku(known_private_key_3, known_private_key_2
         .issuer_name(issuer)
         .public_key(known_private_key_3.public_key())
         .serial_number(x509.random_serial_number())
-        .not_valid_before(datetime.datetime.now(datetime.timezone.utc))
-        .not_valid_after(
-            datetime.datetime.now(datetime.timezone.utc) + datetime.timedelta(days=90)
-        )
+        .not_valid_before(datetime.datetime.utcnow())
+        .not_valid_after(datetime.datetime.utcnow() + datetime.timedelta(days=90))
         .add_extension(
             x509.SubjectAlternativeName([x509.DNSName("delegatedresponder.example")]),
             critical=True,
@@ -837,10 +827,8 @@ def delegated_signer_certificate_no_ocsp_perm(known_private_key_3, known_private
         .issuer_name(issuer)
         .public_key(known_private_key_3.public_key())
         .serial_number(x509.random_serial_number())
-        .not_valid_before(datetime.datetime.now(datetime.timezone.utc))
-        .not_valid_after(
-            datetime.datetime.now(datetime.timezone.utc) + datetime.timedelta(days=90)
-        )
+        .not_valid_before(datetime.datetime.utcnow())
+        .not_valid_after(datetime.datetime.utcnow() + datetime.timedelta(days=90))
         .add_extension(
             x509.SubjectAlternativeName([x509.DNSName("delegatedresponder.example")]),
             critical=True,

docs/certgrinder-changelog.rst

@@ -9,6 +9,14 @@ All notable changes to ``certgrinder`` will be documented in this file.
 
 This project adheres to `Semantic Versioning <http://semver.org/>`__.
 
+Unreleased
+----------
+
+Changed
+~~~~~~~
+
+- Downgrade cryptography dependency and pin to 42.0.8 for now, pending upgrade of the FreeBSD ``security/py-cryptography`` port.
+
 
 v0.20.0 (10-jan-2025)
 ---------------------

server/certgrinderd/certgrinderd.py

@@ -12,7 +12,7 @@
 import sys
 import tempfile
 import typing
-from datetime import datetime, timedelta, timezone
+from datetime import datetime, timedelta
 from importlib.metadata import PackageNotFoundError, version
 from pprint import pprint
 
@@ -622,7 +622,7 @@ def get_ocsp_response(self, certpath: typing.Optional[str]) -> ocsp.OCSPResponse
             certpath: The path of the certificate chain to get OCSP response for (optional)
 
         Returns:
-            The OCSPResponse object
+            The OCSPRequest object
         """
         assert isinstance(self.conf["expected-chain-length"], int)
         chain = self.parse_certificate_chain(certpath)
@@ -692,12 +692,10 @@ def get_ocsp_response(self, certpath: typing.Optional[str]) -> ocsp.OCSPResponse
                 logger.debug(
                     f"Certificate status: {ocsp_response_object.certificate_status}"
                 )
-                logger.debug(f"This update: {ocsp_response_object.this_update_utc}")
-                logger.debug(f"Produced at: {ocsp_response_object.produced_at_utc}")
-                logger.debug(f"Next update: {ocsp_response_object.next_update_utc}")
-                logger.debug(
-                    f"Revocation time: {ocsp_response_object.revocation_time_utc}"
-                )
+                logger.debug(f"This update: {ocsp_response_object.this_update}")
+                logger.debug(f"Produced at: {ocsp_response_object.produced_at}")
+                logger.debug(f"Next update: {ocsp_response_object.next_update}")
+                logger.debug(f"Revocation time: {ocsp_response_object.revocation_time}")
                 logger.debug(
                     f"Revocation reason: {ocsp_response_object.revocation_reason}"
                 )
@@ -809,28 +807,24 @@ def check_ocsp_response_timing(
         Returns:
             Boolean - True if all is well, False if a problem was found
         """
-        # check that this_update_utc is in the past
-        if ocsp_response.this_update_utc > datetime.now(timezone.utc) + timedelta(
-            minutes=5
-        ):
+        # check that this_update is in the past
+        if ocsp_response.this_update > datetime.utcnow() + timedelta(minutes=5):
             logger.error(
-                f"The this_update_utc parameter of the OCSP response is in the future: {ocsp_response.this_update_utc}"
+                f"The this_update parameter of the OCSP response is in the future: {ocsp_response.this_update}"
             )
             return False
 
-        # check that we have a next_update_utc attribute
-        if not ocsp_response.next_update_utc:
+        # check that we have a next_update attribute
+        if not ocsp_response.next_update:
             logger.error(
                 "OCSP response has no nextUpdate attribute. This violates RFC5019 2.2.4."
             )
             return False
 
-        # check that next_update_utc is in the future
-        if ocsp_response.next_update_utc < datetime.now(timezone.utc) - timedelta(
-            minutes=5
-        ):
+        # check that next_update is in the future
+        if ocsp_response.next_update < datetime.utcnow() - timedelta(minutes=5):
             logger.error(
-                f"The next_update_utc parameter of the OCSP response is in the past: {ocsp_response.next_update_utc}"
+                f"The next_update parameter of the OCSP response is in the past: {ocsp_response.this_update}"
             )
             return False
 
@@ -1333,7 +1327,7 @@ def main(mockargs: typing.Optional[typing.List[str]] = None) -> None:
     kwargs = {"prefix": "certgrinderd-temp-"}
     if "temp-dir" in config and config["temp-dir"]:
         kwargs["dir"] = config["temp-dir"]
-    tempdir = tempfile.TemporaryDirectory(**kwargs)
+    tempdir = tempfile.TemporaryDirectory(**kwargs)  # type: ignore[call-overload]
     config["temp-dir"] = tempdir.name
 
     # instantiate Certgrinderd class