sfc-gh-pczajka
Collaborator

Please answer these questions before submitting your pull requests. Thanks!

  1. What GitHub issue is this PR addressing? Make sure that there is an accompanying issue to your PR.

    Fixes #NNNN

  2. Fill out the following pre-review checklist:

    • I am adding a new automated test(s) to verify correctness of my new code
    • I am adding new logging messages
    • I am adding a new telemetry message
    • I am modifying authorization mechanisms
    • I am adding new credentials
    • I am modifying OCSP code
    • I am adding a new dependency
  3. Please describe how your code solves the related issue.

    Please write a short description of how your code change solves the related issue.

  4. (Optional) PR for stored-proc connector:

except AttributeError:
# Fallback for older versions
issue_date = cert.not_valid_before
validity_period = cert.not_valid_after - cert.not_valid_before
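Review bot: The `# Fallback for older versions` comment on the `except AttributeError:` branch does not name the library or the version at which the newer accessor appeared, so a later reader cannot tell when this branch becomes dead code; state both in the comment. In the same branch, `validity_period` reads `cert.not_valid_before` a second time right after it was assigned to `issue_date`; `validity_period = cert.not_valid_after - issue_date` keeps the two values tied to a single read.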

nit: The not_valid_after field is inclusive. This will calculate that the lifetime is 1 second shorter than it actually is. I think this falls on the safe side of the equation down below (it will treat certificates as short-lived which are technically not).

RFC 5280 Section 4.1.2.5 text

The other thing you have to worry about here is an underlying library trying to include leap seconds on you.
It is common in the WebPKI to give a little buffer and to stay away from the edges [design doc]. Competent CAs will always give a lot of breathing room away from the edges.
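
The off-by-one described in the review comment above, as an added example that is not code from the PR: it compares the plain subtraction with an inclusive calculation at the boundary of a lifetime limit. The 7-day limit, the function names, the handling of naive datetimes as UTC and the sample dates are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Assumed limit for this illustration only; the PR's actual threshold is not shown.
SHORT_LIVED_MAX = timedelta(days=7)


def _as_utc(dt):
    """Normalize to aware UTC; naive values are assumed to already be UTC."""
    if dt.tzinfo is None:
        return dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def lifetime_exclusive(not_before, not_after):
    """Plain subtraction, as in the snippet under review."""
    return _as_utc(not_after) - _as_utc(not_before)


def lifetime_inclusive(not_before, not_after):
    """RFC 5280 4.1.2.5: the period runs from notBefore through notAfter,
    inclusive, so the final second counts as part of the lifetime."""
    return lifetime_exclusive(not_before, not_after) + timedelta(seconds=1)


def classify(not_before, not_after, limit=SHORT_LIVED_MAX):
    """Return (short_lived_by_subtraction, short_lived_inclusive)."""
    return (
        lifetime_exclusive(not_before, not_after) <= limit,
        lifetime_inclusive(not_before, not_after) <= limit,
    )


# Constructed sample validity windows (not taken from any real certificate).
ON_THE_EDGE = (datetime(2025, 1, 1, tzinfo=timezone.utc),
               datetime(2025, 1, 8, tzinfo=timezone.utc))
WITH_BUFFER = (datetime(2025, 1, 1, tzinfo=timezone.utc),
               datetime(2025, 1, 7, 23, 59, 59, tzinfo=timezone.utc))
# Naive notBefore mixed with an aware notAfter, as a version fallback might yield.
MIXED_TZ = (datetime(2025, 1, 1), datetime(2025, 1, 8, tzinfo=timezone.utc))

if __name__ == "__main__":
    for name, window in [("edge", ON_THE_EDGE), ("buffer", WITH_BUFFER),
                         ("mixed", MIXED_TZ)]:
        print(name, classify(*window))
```

Only the window that sits exactly on the limit is classified differently by the two calculations; the window with a one-second buffer gets the same answer either way.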
