From ede8e17cdeb1e5ec22d86ae0938d55cb83626a01 Mon Sep 17 00:00:00 2001
From: Alex Baker
Date: Fri, 29 May 2026 21:19:51 -0700
Subject: [PATCH] Updating Python to support validity with SKEW checking with cryptography 43 methods

---
 appstoreserverlibrary/signed_data_verifier.py | 6 ++++++
 pyproject.toml                                | 2 +-
 requirements.txt                              | 2 +-
 3 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/appstoreserverlibrary/signed_data_verifier.py b/appstoreserverlibrary/signed_data_verifier.py
index f56440a7..944fee55 100644
--- a/appstoreserverlibrary/signed_data_verifier.py
+++ b/appstoreserverlibrary/signed_data_verifier.py
@@ -179,6 +179,7 @@ def _decode_signed_object(self, signed_obj: str) -> dict:
 class _ChainVerifier:
     MAXIMUM_CACHE_SIZE = 32 # There are unlikely to be more than a couple keys at once
     CACHE_TIME_LIMIT = 15 * 60 # 15 minutes
+    MAX_SKEW = datetime.timedelta(seconds=60) # Allowable clock skew when validating OCSP response dates
 
     def __init__(self, root_certificates: List[bytes], enable_strict_checks=True):
         self.enable_strict_checks = enable_strict_checks
@@ -327,11 +328,16 @@ def check_ocsp_status(self, cert: crypto.X509, issuer: crypto.X509, root: crypto
             cert.to_cryptography(), issuer.to_cryptography(), single_response.hash_algorithm
         )
         req = builder.build()
+        now = datetime.datetime.now(datetime.timezone.utc)
         if (
             single_response.certificate_status == ocsp.OCSPCertStatus.GOOD
             and single_response.serial_number == req.serial_number
             and single_response.issuer_key_hash == req.issuer_key_hash
             and single_response.issuer_name_hash == req.issuer_name_hash
+            and single_response.this_update_utc is not None
+            and now + _ChainVerifier.MAX_SKEW >= single_response.this_update_utc
+            and single_response.next_update_utc is not None
+            and single_response.next_update_utc >= now - _ChainVerifier.MAX_SKEW
         ):
             # Success
             return
diff --git a/pyproject.toml b/pyproject.toml
index c3b54b82..79be72fd 100644
--- a/pyproject.toml
+++ b/pyproject.toml
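Review bot: The added `single_response.next_update_utc is not None` condition in the check_ocsp_status hunk makes any response that omits nextUpdate fail the success test, even though RFC 6960 permits nextUpdate to be absent (meaning fresher status may be available at any time); if requiring it is deliberate, record that with a comment such as `# nextUpdate is optional per RFC 6960; responses without it are rejected so an unbounded-validity answer is never accepted`, otherwise bound next_update only when it is present. The skew arithmetic itself is consistent: thisUpdate may lead `now` by MAX_SKEW and nextUpdate may trail it by MAX_SKEW, both measured against the single `now` taken just before the comparison. `datetime` is used unqualified both here and in the class-level MAX_SKEW of the first hunk, so presumably `import datetime` already exists at the top of the file; the patch does not add it, which is worth confirming. check_ocsp_status's body continues outside the hunk, so what happens when the expanded condition is false (fall-through to other responses or a failure) is not visible here.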
@@ -18,7 +18,7 @@ dependencies = [
     "attrs>=21.3.0",
     "PyJWT>=2.6.0,<3",
     "requests>=2.28.0,<3",
-    "cryptography>=40.0.0",
+    "cryptography>=43.0.0",
     "pyOpenSSL>=23.1.1",
     "asn1==3.2.0",
     "cattrs>=23.1.2",
diff --git a/requirements.txt b/requirements.txt
index 81519baf..caa730f1 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,7 +1,7 @@
 attrs >= 21.3.0
 PyJWT >= 2.6.0, < 3
 requests >= 2.28.0, < 3
-cryptography >= 40.0.0
+cryptography >= 43.0.0
 pyOpenSSL >= 23.1.1
 asn1==3.2.0
 cattrs >= 23.1.2