replace expires in generate_ocsp_key with not_after

ca/django_ca/models.py

@@ -806,10 +806,12 @@ def sign(
 
         return signed_cert
 
+    @deprecate_argument("expires", RemovedInDjangoCA230Warning, replacement="not_after")
     def generate_ocsp_key(  # pylint: disable=too-many-locals
         self,
         key_backend_options: BaseModel,
         profile: str = "ocsp",
+        not_after: Optional[Union[datetime, timedelta]] = None,
         expires: Optional[Union[datetime, timedelta]] = None,
         algorithm: Optional[AllowedHashTypes] = None,
         key_size: Optional[int] = None,
@@ -832,6 +834,10 @@ def generate_ocsp_key(  # pylint: disable=too-many-locals
 
             `RFC 6960: Online Certificate Status Protocol - OCSP <https://www.rfc-editor.org/rfc/rfc6960>`_
 
+        .. deprecated:: 2.1.0
+
+           The ``expires`` parameter is deprecated and will be removed in django-ca 2.3.0. use ``not_after``
+           instead.
 
         .. versionchanged:: 1.26.0
 
@@ -851,7 +857,7 @@ def generate_ocsp_key(  # pylint: disable=too-many-locals
             Options required for using the private key of the certificate authority.
         profile : str, optional
             The profile to use for generating the certificate. The default is ``"ocsp"``.
-        expires : int or datetime, optional
+        not_after : int or datetime, optional
             Number of days or datetime when this certificate expires. The default is ``3`` (OCSP certificates
             are usually renewed frequently).
         algorithm : :py:class:`~cg:cryptography.hazmat.primitives.hashes.HashAlgorithm`, optional
@@ -875,6 +881,11 @@ def generate_ocsp_key(  # pylint: disable=too-many-locals
             expire within :ref:`CA_OCSP_RESPONDER_CERTIFICATE_RENEWAL
             <settings-ca-ocsp-responder-certificate-renewal>`.
         """
+        if not_after is not None and expires is not None:
+            raise ValueError("`not_before` and `expires` cannot both be set.")
+        if expires is not None:
+            not_after = expires
+
         now = datetime.now(tz=tz.utc)
 
         if force is False:
@@ -890,8 +901,8 @@ def generate_ocsp_key(  # pylint: disable=too-many-locals
                     log.info("%s: OCSP responder certificate is not yet scheduled for renewal.")
                     return None
 
-        if expires is None:
-            expires = now + timedelta(days=self.ocsp_responder_key_validity)
+        if not_after is None:
+            not_after = now + timedelta(days=self.ocsp_responder_key_validity)
 
         safe_serial = self.serial.replace(":", "")
 
@@ -950,7 +961,7 @@ def generate_ocsp_key(  # pylint: disable=too-many-locals
             subject=subject,
             algorithm=algorithm,
             autogenerated=autogenerated,
-            not_after=expires,
+            not_after=not_after,
             add_ocsp_url=False,
         )
 

ca/django_ca/tasks.py

@@ -166,7 +166,7 @@ def generate_ocsp_key(
     value = ca.generate_ocsp_key(
         key_backend_options=key_backend_options_model,
         profile=parameters.profile,
-        expires=parameters.not_after,
+        not_after=parameters.not_after,
         algorithm=parameters.algorithm,
         key_size=parameters.key_size,
         key_type=parameters.key_type,

ca/django_ca/tests/models/test_certificate_authority.py

@@ -557,6 +557,32 @@ def test_force_regenerate_ocsp_responder_certificate(usable_root: CertificateAut
         assert cert_renewed.serial != cert.serial
 
 
+def test_regenerate_ocsp_key_with_deprecated_expires(usable_root: CertificateAuthority) -> None:
+    """Test calling generate_ocsp_key() with deprecated expires parameter."""
+    not_after = datetime.now(tz=timezone.utc) + model_settings.CA_DEFAULT_EXPIRES + timedelta(days=3)
+    warning = (
+        r"^Argument `expires` is deprecated and will be removed in django-ca 2.3, use `not_after` instead\.$"
+    )
+    with pytest.warns(RemovedInDjangoCA230Warning, match=warning):
+        _, _, certificate = usable_root.generate_ocsp_key(  # type: ignore[misc]
+            key_backend_options, expires=not_after
+        )
+    assert certificate.not_after == not_after.replace(second=0, microsecond=0)
+
+
+def test_regenerate_ocsp_key_with_not_after_and_expires(root: CertificateAuthority) -> None:
+    """Test calling generate_ocsp_key() with both not_after and (deprecated) expires, which is an error."""
+    not_after = datetime.now(tz=timezone.utc) + model_settings.CA_DEFAULT_EXPIRES + timedelta(days=3)
+    warning = (
+        r"^Argument `expires` is deprecated and will be removed in django-ca 2.3, use `not_after` instead\.$"
+    )
+    with (
+        pytest.warns(RemovedInDjangoCA230Warning, match=warning),
+        pytest.raises(ValueError, match=r"^`not_before` and `expires` cannot both be set\.$"),
+    ):
+        root.generate_ocsp_key(key_backend_options, not_after=not_after, expires=not_after)
+
+
 def test_empty_extensions_for_certificate(root: CertificateAuthority) -> None:
     """Test extensions_for_certificate property when no values are set."""
     root.sign_certificate_policies = None

docs/source/changelog/TBR_2.1.0.rst

@@ -18,6 +18,7 @@ Python API
   affected:
 
   * :func:`django_ca.models.CertificateAuthority.sign`
+  * :func:`django_ca.models.CertificateAuthority.generate_ocsp_key`
   * :func:`django_ca.managers.CertificateAuthorityManager.init`
   * :func:`django_ca.managers.CertificateManager.create_cert`
   * :func:`django_ca.profiles.Profile.create_cert`

docs/source/deprecation.rst

@@ -13,6 +13,7 @@ Python API
   (deprecated since 2.1.0). The following functions are affected:
 
   * :func:`django_ca.models.CertificateAuthority.sign`
+  * :func:`django_ca.models.CertificateAuthority.generate_ocsp_key`
   * :func:`django_ca.managers.CertificateAuthorityManager.init`
   * :func:`django_ca.managers.CertificateManager.create_cert`
   * :func:`django_ca.profiles.Profile.create_cert`