Merge remote-tracking branch 'origin/master' into black

.github/dependabot.yml

@@ -3,7 +3,7 @@ updates:
 - package-ecosystem: pip
   directory: "/"
   schedule:
-    interval: weekly
+    interval: monthly
   open-pull-requests-limit: 10
   versioning-strategy: lockfile-only
   allow:

docs-requirements.txt

@@ -4,17 +4,17 @@
 #
 #    pip-compile --resolver=backtracking docs-requirements.in
 #
-alabaster==0.7.13
+alabaster==0.7.16
     # via sphinx
-babel==2.12.1
+babel==2.14.0
     # via sphinx
-certifi==2023.7.22
+certifi==2023.11.17
     # via requests
-cffi==1.15.1
+cffi==1.16.0
     # via cryptography
-charset-normalizer==3.2.0
+charset-normalizer==3.3.2
     # via requests
-cryptography==41.0.3
+cryptography==41.0.7
     # via -r docs-requirements.in
 docutils==0.20.1
     # via sphinx
@@ -28,36 +28,31 @@ jinja2==3.1.2
     # via sphinx
 markupsafe==2.1.1
     # via jinja2
-packaging==23.1
+packaging==23.2
     # via sphinx
 pycparser==2.21
     # via cffi
-pygments==2.16.1
+pygments==2.17.2
     # via sphinx
 requests==2.31.0
     # via sphinx
 snowballstemmer==2.2.0
     # via sphinx
-sphinx==7.2.5
-    # via
-    #   sphinxcontrib-devhelp
-    #   sphinxcontrib-htmlhelp
-    #   sphinxcontrib-qthelp
-    #   sphinxcontrib-serializinghtml
-    #   sphinxcontrib-trio
+sphinx==7.2.6
+    # via sphinxcontrib-trio
 sphinxcontrib-applehelp==1.0.2
     # via sphinx
-sphinxcontrib-devhelp==1.0.5
+sphinxcontrib-devhelp==1.0.6
     # via sphinx
-sphinxcontrib-htmlhelp==2.0.4
+sphinxcontrib-htmlhelp==2.0.5
     # via sphinx
 sphinxcontrib-jsmath==1.0.1
     # via sphinx
-sphinxcontrib-qthelp==1.0.6
+sphinxcontrib-qthelp==1.0.7
     # via sphinx
-sphinxcontrib-serializinghtml==1.1.9
+sphinxcontrib-serializinghtml==1.1.10
     # via sphinx
 sphinxcontrib-trio==1.1.2
     # via -r docs-requirements.in
-urllib3==2.0.4
+urllib3==2.2.0
     # via requests

lint-requirements.txt

@@ -10,7 +10,7 @@ cffi==1.16.0
     # via cryptography
 click==8.1.7
     # via black
-cryptography==41.0.3
+cryptography==42.0.5
     # via
     #   -r lint-requirements.in
     #   types-pyopenssl

src/trustme/__init__.py

@@ -37,6 +37,8 @@
 # ~3001-01-19:
 #   https://github.com/pyca/cryptography/issues/3194
 DEFAULT_EXPIRY = datetime.datetime(3000, 1, 1)
+DEFAULT_NOT_BEFORE = datetime.datetime(2000, 1, 1)
+
 
 def _name(
     name: str,
@@ -68,14 +70,16 @@ def _cert_builder_common(
     issuer: x509.Name,
     public_key: CERTIFICATE_PUBLIC_KEY_TYPES,
     not_after: Optional[datetime.datetime] = None,
+    not_before: Optional[datetime.datetime] = None,
 ) -> x509.CertificateBuilder:
     not_after = not_after if not_after else DEFAULT_EXPIRY
+    not_before = not_before if not_before else DEFAULT_NOT_BEFORE
     return (
         x509.CertificateBuilder()
         .subject_name(subject)
         .issuer_name(issuer)
         .public_key(public_key)
-        .not_valid_before(datetime.datetime(2000, 1, 1))
+        .not_valid_before(not_before)
         .not_valid_after(not_after)
         .serial_number(x509.random_serial_number())
         .add_extension(
@@ -314,6 +318,7 @@ def issue_cert(
         common_name: Optional[str] = None,
         organization_name: Optional[str] = None,
         organization_unit_name: Optional[str] = None,
+        not_before: Optional[datetime.datetime] = None,
         not_after: Optional[datetime.datetime] = None,
         key_type: KeyType = KeyType.ECDSA,
     ) -> "LeafCert":
@@ -354,6 +359,9 @@ def issue_cert(
             attribute on the certificate. By default, a random one will be
             generated.
 
+          not_before: Set the validity start date (notBefore) of the certificate.
+            This argument type is `datetime.datetime`.
+
           not_after: Set the expiry date (notAfter) of the certificate. This
             argument type is `datetime.datetime`.
 
@@ -384,6 +392,7 @@ def issue_cert(
                 ),
                 self._certificate.subject,
                 key.public_key(),
+                not_before=not_before,
                 not_after=not_after,
             )
             .add_extension(

test-requirements.txt

@@ -4,13 +4,13 @@
 #
 #    pip-compile --resolver=backtracking test-requirements.in
 #
-attrs==23.1.0
+attrs==23.2.0
     # via service-identity
-cffi==1.15.1
+cffi==1.16.0
     # via cryptography
-coverage[toml]==7.3.0
+coverage[toml]==7.4.1
     # via -r test-requirements.in
-cryptography==41.0.3
+cryptography==41.0.7
     # via
     #   -r test-requirements.in
     #   pyopenssl
@@ -19,21 +19,21 @@ idna==3.4
     # via -r test-requirements.in
 iniconfig==2.0.0
     # via pytest
-packaging==23.1
+packaging==23.2
     # via pytest
-pluggy==1.3.0
+pluggy==1.4.0
     # via pytest
-pyasn1==0.5.0
+pyasn1==0.5.1
     # via
     #   pyasn1-modules
     #   service-identity
 pyasn1-modules==0.3.0
     # via service-identity
 pycparser==2.21
     # via cffi
-pyopenssl==23.2.0
+pyopenssl==24.0.0
     # via -r test-requirements.in
-pytest==7.4.1
+pytest==8.0.0
     # via -r test-requirements.in
-service-identity==23.1.0
+service-identity==24.1.0
     # via -r test-requirements.in

tests/test_trustme.py

@@ -169,6 +169,23 @@ def test_issue_cert_custom_not_after() -> None:
         assert getattr(cert.not_valid_after, t) == getattr(expires, t)
 
 
+def test_issue_cert_custom_not_before() -> None:
+    not_before = datetime.datetime(2027, 7, 5, 17, 15, 30)
+    ca = CA()
+
+    leaf_cert = ca.issue_cert(
+        "example.org",
+        organization_name="python-trio",
+        organization_unit_name="trustme",
+        not_before=not_before,
+    )
+
+    cert = x509.load_pem_x509_certificate(leaf_cert.cert_chain_pems[0].bytes())
+
+    for t in ["year", "month", "day", "hour", "minute", "second"]:
+        assert getattr(cert.not_valid_before, t) == getattr(not_before, t)
+
+
 def test_intermediate() -> None:
     ca = CA()
     ca_cert = x509.load_pem_x509_certificate(ca.cert_pem.bytes())