From fc18f7bed12f58100c3a5eef3dbae29c9a26f18a Mon Sep 17 00:00:00 2001
From: Jeff Tang <mrjefftang@users.noreply.github.com>
Date: Wed, 15 Apr 2015 17:42:33 -0400
Subject: [PATCH 1/3] OpenSSL 1.0.2 Compatibility

- Perform the time comparison in python to fix #192
- Add root cert has_expired test
- Self sign test cert to fix issue in #149
- Change test case to verify digest of a valid certficate
---
 OpenSSL/crypto.py           |  9 +++++----
 OpenSSL/test/test_crypto.py | 15 +++++++++++++--
 2 files changed, 18 insertions(+), 6 deletions(-)

diff --git a/OpenSSL/crypto.py b/OpenSSL/crypto.py
index c7bdabc0c..1b1058eda 100644
--- a/OpenSSL/crypto.py
+++ b/OpenSSL/crypto.py
@@ -1,5 +1,6 @@
-from time import time
+from time import time, strptime
 from base64 import b16encode
+from calendar import timegm
 from functools import partial
 from operator import __eq__, __ne__, __lt__, __le__, __gt__, __ge__
 from warnings import warn as _warn
@@ -1161,10 +1162,10 @@ def has_expired(self):
         :return: True if the certificate has expired, false otherwise
         """
         now = int(time())
-        notAfter = _lib.X509_get_notAfter(self._x509)
-        return _lib.ASN1_UTCTIME_cmp_time_t(
-            _ffi.cast('ASN1_UTCTIME*', notAfter), now) < 0
+        notAfter = self.get_notAfter().decode('utf-8')
+        notAfterSecs = timegm(strptime(notAfter, '%Y%m%d%H%M%SZ'))
 
+        return now > notAfterSecs
 
     def _get_boundary_time(self, which):
         return _get_asn1_time(which(self._x509))
diff --git a/OpenSSL/test/test_crypto.py b/OpenSSL/test/test_crypto.py
index 73e9cc7ef..b81745138 100644
--- a/OpenSSL/test/test_crypto.py
+++ b/OpenSSL/test/test_crypto.py
@@ -1562,19 +1562,29 @@ def test_has_not_expired(self):
         cert.gmtime_adj_notAfter(2)
         self.assertFalse(cert.has_expired())
 
+    def test_root_has_not_expired(self):
+        """
+        :py:obj:`X509Type.has_expired` returns :py:obj:`False` if the certificate's not-after
+        time is in the future.
+        """
+        cert = load_certificate(FILETYPE_PEM, root_cert_pem)
+        self.assertFalse(cert.has_expired())
+
 
     def test_digest(self):
         """
         :py:obj:`X509.digest` returns a string giving ":"-separated hex-encoded words
         of the digest of the certificate.
         """
-        cert = X509()
+        cert = load_certificate(FILETYPE_PEM, root_cert_pem)
         self.assertEqual(
             # This is MD5 instead of GOOD_DIGEST because the digest algorithm
             # actually matters to the assertion (ie, another arbitrary, good
             # digest will not product the same digest).
+            # Digest verified with the command:
+            # openssl x509 -in root_cert.pem -noout -fingerprint -md5
             cert.digest("MD5"),
-            b("A8:EB:07:F8:53:25:0A:F2:56:05:C5:A5:C4:C4:C7:15"))
+            b("19:B3:05:26:2B:F8:F2:FF:0B:8F:21:07:A8:28:B8:75"))
 
 
     def _extcert(self, pkey, extensions):
@@ -1587,6 +1597,7 @@ def _extcert(self, pkey, extensions):
         cert.set_notAfter(when)
 
         cert.add_extensions(extensions)
+        cert.sign(pkey, 'sha1')
         return load_certificate(
             FILETYPE_PEM, dump_certificate(FILETYPE_PEM, cert))
 

From 9142391adab91cf9b4d4ad2dd1ac4a6a3dd68103 Mon Sep 17 00:00:00 2001
From: Jeff Tang <mrjefftang@users.noreply.github.com>
Date: Wed, 15 Apr 2015 18:10:07 -0400
Subject: [PATCH 2/3] Revert out has_expired fix

---
 OpenSSL/crypto.py | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/OpenSSL/crypto.py b/OpenSSL/crypto.py
index 1b1058eda..dd6515e40 100644
--- a/OpenSSL/crypto.py
+++ b/OpenSSL/crypto.py
@@ -1,6 +1,5 @@
-from time import time, strptime
+from time import time 
 from base64 import b16encode
-from calendar import timegm
 from functools import partial
 from operator import __eq__, __ne__, __lt__, __le__, __gt__, __ge__
 from warnings import warn as _warn
@@ -1162,10 +1161,10 @@ def has_expired(self):
         :return: True if the certificate has expired, false otherwise
         """
         now = int(time())
-        notAfter = self.get_notAfter().decode('utf-8')
-        notAfterSecs = timegm(strptime(notAfter, '%Y%m%d%H%M%SZ'))
+        notAfter = _lib.X509_get_notAfter(self._x509)
+        return _lib.ASN1_UTCTIME_cmp_time_t(
+            _ffi.cast('ASN1_UTCTIME*', notAfter), now) < 0
 
-        return now > notAfterSecs
 
     def _get_boundary_time(self, which):
         return _get_asn1_time(which(self._x509))

From 05fe9fa224407d745993ec5692ef9b0a1313da7a Mon Sep 17 00:00:00 2001
From: Jeff Tang <mrjefftang@users.noreply.github.com>
Date: Wed, 15 Apr 2015 18:10:58 -0400
Subject: [PATCH 3/3] Remove extra space

---
 OpenSSL/crypto.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/OpenSSL/crypto.py b/OpenSSL/crypto.py
index dd6515e40..c7bdabc0c 100644
--- a/OpenSSL/crypto.py
+++ b/OpenSSL/crypto.py
@@ -1,4 +1,4 @@
-from time import time 
+from time import time
 from base64 import b16encode
 from functools import partial
 from operator import __eq__, __ne__, __lt__, __le__, __gt__, __ge__