CRL verify: handle "Remove from CRL" status as not revoked (#1028)
Per RFC 5280 section 6.3.3 (k): https://tools.ietf.org/html/rfc5280#section-6.3.3
This commit is contained in:
parent
9d7fc9db8c
commit
1287c3dc4a
@ -79,6 +79,15 @@ def crl_verify(cert_path):
|
||||
|
||||
for r in crl:
|
||||
if cert.serial == r.serial_number:
|
||||
try:
|
||||
reason = r.extensions.get_extension_for_class(x509.CRLReason).value
|
||||
# Handle "removeFromCRL" revoke reason as unrevoked; continue with the next distribution point.
|
||||
# Per RFC 5280 section 6.3.3 (k): https://tools.ietf.org/html/rfc5280#section-6.3.3
|
||||
if reason == x509.ReasonFlags.remove_from_crl:
|
||||
break
|
||||
except x509.ExtensionNotFound:
|
||||
pass
|
||||
|
||||
return
|
||||
|
||||
return True
|
||||
|
Loading…
Reference in New Issue
Block a user