Handle no expire date in X509.has_expire() (#1083)

get_notAfter() can return None.

Instead of raising a NoneType error, raise a ValueError which tells
us why it failed.

2 files changed, 12 insertions, 1 deletions

diff --git a/src/OpenSSL/crypto.py b/src/OpenSSL/crypto.py
index 8dec9a6..7f95d20 100644
--- a/src/OpenSSL/crypto.py
+++ b/src/OpenSSL/crypto.py
@@ -1367,7 +1367,10 @@ class X509:
         :return: ``True`` if the certificate has expired, ``False`` otherwise.
         :rtype: bool
         """
-        time_string = self.get_notAfter().decode("utf-8")
+        time_string = self.get_notAfter()
+        if time_string is None:
+            raise ValueError("Unable to determine notAfter")
+        time_string = time_string.decode("utf-8")
         not_after = datetime.datetime.strptime(time_string, "%Y%m%d%H%M%SZ")
 
         return not_after < datetime.datetime.utcnow()
diff --git a/tests/test_crypto.py b/tests/test_crypto.py
index ea89f6c..8c19030 100644
--- a/tests/test_crypto.py
+++ b/tests/test_crypto.py
@@ -1968,6 +1968,14 @@ class TestX509(_PKeyInteractionTestsMixin):
         cert.gmtime_adj_notAfter(2)
         assert not cert.has_expired()
 
+    def test_has_expired_exception(self):
+        """
+        `X509.has_expired` throws ValueError if not-after time is not set
+        """
+        cert = X509()
+        with pytest.raises(ValueError):
+            cert.has_expired()
+
     def test_root_has_not_expired(self):
         """
         `X509.has_expired` returns `False` if the certificate's not-after time