From 1287c3dc4a32a8758781257b986b6c61b7328716 Mon Sep 17 00:00:00 2001
From: Marti Raudsepp
Date: Tue, 2 Jan 2018 23:39:02 +0200
Subject: [PATCH] CRL verify: handle "Remove from CRL" status as not revoked (#1028)

Per RFC 5280 section 6.3.3 (k): https://tools.ietf.org/html/rfc5280#section-6.3.3
---
 lemur/certificates/verify.py | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/lemur/certificates/verify.py b/lemur/certificates/verify.py
index c35e6f5a..c976fecc 100644
--- a/lemur/certificates/verify.py
+++ b/lemur/certificates/verify.py
@@ -79,6 +79,15 @@ def crl_verify(cert_path):
         for r in crl:
             if cert.serial == r.serial_number:
+                try:
+                    reason = r.extensions.get_extension_for_class(x509.CRLReason).value
+                    # Handle "removeFromCRL" revoke reason as unrevoked; continue with the next distribution point.
+                    # Per RFC 5280 section 6.3.3 (k): https://tools.ietf.org/html/rfc5280#section-6.3.3
+                    if reason == x509.ReasonFlags.remove_from_crl:
+                        break
+                except x509.ExtensionNotFound:
+                    pass
+
                 return
     return True
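Review bot: The new `break` on `x509.ReasonFlags.remove_from_crl` discards a CRL entry that matched the certificate's serial without leaving any trace, so an operator reviewing a verification outcome cannot see from the logs that a revocation entry was deliberately ignored; a one-line debug log with the serial and the distribution point before the `break` would make that decision auditable. RFC 5280 §6.3.3 (k) defines removeFromCRL in the context of delta-CRL processing, so such an entry on a complete CRL is unexpected, which is a further reason to record it rather than skip it silently. The comment "continue with the next distribution point" is accurate only if the loop enclosing `for r in crl:` iterates distribution points; that loop, and the rest of crl_verify's body, start and end outside the hunk, so the comment might better say `# treat as not revoked and stop scanning this CRL`. The `except x509.ExtensionNotFound: pass` is correct as written, since an entry with no reason code is still a revocation, but a short comment stating that intent would stop a later reader from reading it as an error swallow.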