Add +/- 1 second tolerance for clock adjustments (#1481)

crlorentzen · Craig Lorentzen · web-flow · commit f72218efff8a · 2026-03-16T17:59:06.000-04:00
* Add +/- 1 second tolerance for clock adjustmens

* Fix E501 Line too long (107 &gt; 79)

* simplify and standardize est_gmtime_adj

* Fix utc_now()

* fix: remove extra utcnow() call

---------

Co-authored-by: Craig Lorentzen &lt;crlorent@amazon.com&gt;
diff --git a/tests/test_crypto.py b/tests/test_crypto.py
@@ -1995,16 +1995,17 @@ def test_gmtime_adj_notBefore(self) -> None:
         current time plus the number of seconds passed in.
         """
         cert = load_certificate(FILETYPE_PEM, self.pemData)
-        not_before_min = utcnow().replace(microsecond=0) + timedelta(
-            seconds=100
-        )
+        utc_now = utcnow().replace(microsecond=0)
+        # -1 second tolerance for clock adjustments
+        not_before_min = utc_now + timedelta(seconds=99)
         cert.gmtime_adj_notBefore(100)
         not_before_str = cert.get_notBefore()
         assert not_before_str is not None
         not_before = datetime.strptime(
             not_before_str.decode(), "%Y%m%d%H%M%SZ"
         )
-        not_before_max = utcnow() + timedelta(seconds=100)
+        # +1 second tolerance for clock adjustments
+        not_before_max = utc_now + timedelta(seconds=101)
         assert not_before_min <= not_before <= not_before_max
 
     def test_gmtime_adj_notAfter_wrong_args(self) -> None:
@@ -2023,14 +2024,15 @@ def test_gmtime_adj_notAfter(self) -> None:
         to be the current time plus the number of seconds passed in.
         """
         cert = load_certificate(FILETYPE_PEM, self.pemData)
-        not_after_min = utcnow().replace(microsecond=0) + timedelta(
-            seconds=100
-        )
+        utc_now = utcnow().replace(microsecond=0)
+        # -1 second tolerance for clock adjustments
+        not_after_min = utc_now + timedelta(seconds=99)
         cert.gmtime_adj_notAfter(100)
         not_after_str = cert.get_notAfter()
         assert not_after_str is not None
         not_after = datetime.strptime(not_after_str.decode(), "%Y%m%d%H%M%SZ")
-        not_after_max = utcnow() + timedelta(seconds=100)
+        # +1 second tolerance for clock adjustments
+        not_after_max = utc_now + timedelta(seconds=101)
         assert not_after_min <= not_after <= not_after_max
 
     def test_has_expired(self) -> None:
