tiny_ca.ca_factory.utils.life_time module¶

Stateless utilities for computing and inspecting X.509 certificate validity periods.

All methods are @staticmethod; the class carries no instance state and exists purely as a logical namespace. It can be used from any module without instantiation.

class tiny_ca.ca_factory.utils.life_time.CertLifetime[source]¶

Bases: object

Stateless helper that computes and inspects X.509 certificate validity windows.

All operations are pure functions (no side effects, no shared state) and are therefore safe to call from multiple threads simultaneously.

Use this class to: - Compute a (not_before, not_after) pair for a new certificate. - Extract the not_valid_after / not_valid_before timestamps from an

existing certificate as timezone-aware UTC datetime objects.

static compute(valid_from=None, days_valid=365)[source]¶

Calculate the (not_before, not_after) validity interval for a new certificate.

If valid_from is None the current UTC time is used as the start of the interval. The end of the interval is valid_from plus days_valid calendar days.

The result is validated to ensure the computed end date has not already passed (which would produce an immediately-invalid certificate).

Parameters:

valid_from (datetime | None) – Start of the validity period as a timezone-aware datetime. Pass None to use datetime.now(timezone.utc) automatically.
days_valid (int) – Number of calendar days the certificate should remain valid. Default: 365 (one year).

Returns:

(not_before, not_after) both expressed in UTC with tzinfo=timezone.utc.

Return type:

tuple[datetime, datetime]

Raises:

InvalidRangeTimeCertificate – If the computed not_after is earlier than the current UTC time, meaning the certificate would be expired immediately upon issuance.

Examples

>>> start, end = CertLifetime.compute(days_valid=90)
>>> assert (end - start).days == 90

async static compute_async(valid_from=None, days_valid=365)[source]¶

Async version of compute().

Configures the calculations in the thread pool so as not to block the event loop.

Parameters:

valid_from (datetime | None)
hour. (The beginning of the window of action (UTC). None → exact UTC)
days_valid (int)
instructions (Calendar days are trivial. For)

Return type:

tuple[datetime, datetime]

Returns:

tuple[datetime, datetime]
(not_before, not_after) in UTC.

Raises:

InvalidRangeTimeCertificate –
The date of completion was calculated as already in the past. –

Examples

>>> start, end = await CertLifetime.compute_async(days_valid=90)
>>> assert (end - start).days == 90

static normalize_dt(dt)[source]¶

Ensure dt is a timezone-aware UTC datetime.

SQLAlchemy’s DateTime column stores naive datetimes (no tzinfo). This helper centralises the normalisation so that lifecycle managers never duplicate the if dt.tzinfo is None guard inline.

Parameters:: dt (datetime) – Any datetime object, aware or naive.
Returns:: The same instant expressed as a UTC-aware datetime. If dt already carries tzinfo, it is returned unchanged. If dt is naive it is assumed to represent UTC and tzinfo is attached via .replace(tzinfo=UTC).
Return type:: datetime

Examples

>>> naive = datetime(2025, 1, 1, 12, 0, 0)
>>> CertLifetime.normalize_dt(naive).tzinfo is UTC
True

static valid_from(cert)[source]¶

Return the activation timestamp of cert as a timezone-aware UTC datetime.

Wraps cert.not_valid_before_utc and ensures the returned value always carries tzinfo=timezone.utc for safe comparison with other aware datetimes.

Parameters:: cert (x509.Certificate) – The certificate whose activation date should be read.
Returns:: cert.not_valid_before_utc with tzinfo explicitly set to timezone.utc.
Return type:: datetime

async static valid_from_async(cert)[source]¶

Async version valid_from().

Parameters:

cert (x509.Certificate)
certificate (The)
read. (the date of the beginning of each one needs to be)

Return type:

datetime

Returns:

datetime
cert.not_valid_before_utc with tzinfo=UTC.

static valid_to(cert)[source]¶

Return the expiry timestamp of cert as a timezone-aware UTC datetime.

Wraps cert.not_valid_after_utc and ensures the returned value always carries tzinfo=timezone.utc for safe comparison with other aware datetimes.

Parameters:: cert (x509.Certificate) – The certificate whose expiry date should be read.
Returns:: cert.not_valid_after_utc with tzinfo explicitly set to timezone.utc.
Return type:: datetime

async static valid_to_async(cert)[source]¶

Async version valid_to().

Parameters:

cert (x509.Certificate)
read. (The certificate and the date of completion must be)

Return type:

datetime

Returns:

datetime
cert.not_valid_after_utc with tzinfo=UTC.