[API Proposal]: X509Certificate2.NotBeforeUtc/NotAfterUtc

[meziantou]

Background and motivation

X509Certificate2.NotBefore and X509Certificate2.NotAfter are local datetime as mentioned in the documentation. There is no UTC equivalent.
Other APIs have both. For instance, File.GetLastAccessTime() and File.GetLastAccessTimeUtc()

When using intellisense, when I see both properties, I know without reading the documentation what is the expected format.
Devs may expect the wrong datetime kind when comparing certificate validity (local time vs utc). For instance, certificate.NotBefore >= DateTime.UtcNow. Having 2 properties make it easier to avoid the error.

API Proposal

namespace System.Security.Cryptography.X509Certificates;

public class X509Certificate2
{
    public DateTime NotAfterUtc { get; }
    public DateTime NotBeforeUtc { get; }
}

API Usage

X509Certificate2 certificate = ...;
_ = certificate.NotBeforeUtc;

Alternative Designs

I can use extension members to add these members

static class X509CertificateExtensions
{
    extension(X509Certificate2 certificate)
    {
        public DateTime NotAfterUtc => certificate.NotBefore.ToUniversalTime();
        public DateTime NotBeforeUtc => certificate.NotBefore.ToUniversalTime();
    }
}

Risks

No response

[dotnet-policy-service]

Tagging subscribers to this area: @dotnet/area-system-security, @bartonjs, @vcsjones
See info in area-owners.md if you want to be subscribed.

[Clockwork-Muse]

Maybe better to use a DateTimeOffset instead?