CRL verify: handle "Remove from CRL" status as not revoked (#1028)

Per RFC 5280 section 6.3.3 (k):
https://tools.ietf.org/html/rfc5280#section-6.3.3
Marti Raudsepp 2018-01-02 23:39:02 +02:00 committed by kevgliss
parent 9d7fc9db8c
commit 1287c3dc4a
1 changed files with 9 additions and 0 deletions


@ -79,6 +79,15 @@ def crl_verify(cert_path):
for r in crl: for r in crl:
if cert.serial == r.serial_number: if cert.serial == r.serial_number:
try:
reason = r.extensions.get_extension_for_class(x509.CRLReason).value
# Handle "removeFromCRL" revoke reason as unrevoked; continue with the next distribution point.
# Per RFC 5280 section 6.3.3 (k): https://tools.ietf.org/html/rfc5280#section-6.3.3
if reason == x509.ReasonFlags.remove_from_crl:
break
except x509.ExtensionNotFound:
pass
return return
return True return True
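Review bot: The added check `if reason == x509.ReasonFlags.remove_from_crl:` looks like it can never match, because `get_extension_for_class(x509.CRLReason).value` returns the `x509.CRLReason` extension object rather than a `ReasonFlags` member, which would make the `break` dead code. The flag is held on that object's `reason` attribute, so the line should read `if reason.reason == x509.ReasonFlags.remove_from_crl:` (worth confirming against the pinned cryptography version). As written the failure is on the safe side, since a removeFromCRL entry still falls through to the bare `return` and the certificate is reported as revoked, but the commit's intent is not achieved; a test with a CRL entry carrying that reason code would catch it. `crl_verify` starts above the hunk, so the outer distribution-point loop that the `break` is meant to continue is not visible here.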