CRL verify: handle "Remove from CRL" status as not revoked (#1028)
Per RFC 5280 section 6.3.3 (k): https://tools.ietf.org/html/rfc5280#section-6.3.3
parent
9d7fc9db8c
commit
1287c3dc4a
|
@ -79,6 +79,15 @@ def crl_verify(cert_path):
|
||||||
|
|
||||||
for r in crl:
|
for r in crl:
|
||||||
if cert.serial == r.serial_number:
|
if cert.serial == r.serial_number:
|
||||||
|
try:
|
||||||
|
reason = r.extensions.get_extension_for_class(x509.CRLReason).value
|
||||||
|
# Handle "removeFromCRL" revoke reason as unrevoked; continue with the next distribution point.
|
||||||
|
# Per RFC 5280 section 6.3.3 (k): https://tools.ietf.org/html/rfc5280#section-6.3.3
|
||||||
|
if reason == x509.ReasonFlags.remove_from_crl:
|
||||||
|
break
|
||||||
|
except x509.ExtensionNotFound:
|
||||||
|
pass
|
||||||
|
|
||||||
return
|
return
|
||||||
|
|
||||||
return True
|
return True
|
||||||
|
|
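Review bot: The `reason == x509.ReasonFlags.remove_from_crl` test in the new `try` block looks like it can never be true: in the `cryptography` package the `.value` of the extension returned by `get_extension_for_class(x509.CRLReason)` is a `CRLReason` object, and the `ReasonFlags` member is held in its `.reason` attribute. As written the entry would still fall through to the bare `return`, so a removeFromCRL entry keeps being reported as revoked (fail-closed, but the change has no effect); `reason = r.extensions.get_extension_for_class(x509.CRLReason).value.reason` would make the comparison meaningful. Indentation is lost on this page and `crl_verify` begins outside the hunk, so please confirm that the `break` leaves only the per-entry loop and that execution then moves on to the next distribution point rather than reaching `return True` with the remaining CRLs unchecked. A unit test with a CRL entry carrying the removeFromCRL reason would pin both behaviours.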