Documentation is misleading about when get_notBefore and get_notAfter return None

[davidben]

The docs for get_notBefore and get_notAfter say:

A timestamp string, or None if there is none.
https://pyopenssl.org/en/stable/api/crypto.html#OpenSSL.crypto.X509.get_notAfter

But there is no such thing as a certificate without a notBefore or notAfter. They're not optional fields. What can happen is that the string is invalid, if the underlying OpenSSL's parser defers rejecting bad time values. So perhaps it should say "or None if the timestamp could not be parsed" or something like that.

[reaperhulk]

Bafflingly we appear to have this as a special case in _get_asn1_time with:

if _lib.ASN1_STRING_length(string_timestamp) == 0:
   return None

I believe an empty ASN.1 UTCTime/GeneralizedTime is definitionally invalid since time objects require specific formats, so it seems like we should really just be raising an exception here...

[davidben]

That occurred to me, but I wasn't sure if it would be backwards-compatible to add an exception where there wasn't one. :-) Maybe if you did it at parse time? (Or if the underlying library did it at parse time...)

[reaperhulk]

Does OpenSSL perform any validation whatsoever here? I would assume it will just give you whatever the contents are, be it a valid ASN.1 UTC/GeneralizedTime, an empty byte string, or otherwise. So "32Z" would be a potential "valid" response here since this API doesn't attempt to be safe at all 😬