Version:
cryptography-44.0.2
Hello, developer. Using cryptography, I parsed a CRL file that has the certificate_issuer extension but no IDP (issuing distribution point) extension, and no error was raised. However,
RFC 5280 states that only CRL files with the indirect_crl flag set to True in the IDP extension require the certificate_issuer extension.
Is this a problem?
Test Case:
crl_IDP_noIndirect_certIssuer.zip
Code:
from cryptography.x509 import load_pem_x509_crl, load_der_x509_crl
from cryptography.x509 import ExtensionNotFound
import sys
def load_crl(file_path):
    """Load the CRL stored at *file_path*, trying PEM first and DER second.

    Args:
        file_path: Path to the CRL file; it is read in binary mode.

    Returns:
        The object returned by whichever loader accepted the bytes.

    Raises:
        ValueError: Propagated from the DER loader when the PEM loader has
            already rejected the same bytes.
    """
    with open(file_path, "rb") as handle:
        raw_bytes = handle.read()

    try:
        return load_pem_x509_crl(raw_bytes)
    except ValueError:
        # The PEM loader rejected the input, so retry the same bytes as DER.
        return load_der_x509_crl(raw_bytes)
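def print_crl_issuer(file_path):
    """Print the revoked entries of the CRL stored at *file_path*.

    For every entry the serial number and revocation date are printed,
    followed by the CRL reason and certificate issuer entry extensions when
    they are present.  A warning line is printed for each certificate issuer
    extension found in a CRL that is not marked indirect.  Parsing such a CRL
    raised no error in the report this script accompanies, so a caller that
    depends on RFC 5280 indirect-CRL semantics has to check the flag itself.

    Args:
        file_path: Path to a PEM- or DER-encoded CRL file.

    Errors raised by ``load_crl`` propagate to the caller.  Any exception
    raised while reading the CRL's extensions or entries is reported on
    stdout instead of being propagated.
    """
    # Function-scope imports: the file-level imports bind neither the OID
    # class nor IssuingDistributionPoint, and the original body referred to
    # an unbound ``x509`` name, which raised NameError on the first entry
    # extension (the broad handler below printed it as an ordinary error).
    from cryptography.x509 import ExtensionNotFound, IssuingDistributionPoint
    from cryptography.x509.oid import CRLEntryExtensionOID

    crl = load_crl(file_path)
    try:
        # A CRL counts as indirect only when it carries an IDP extension
        # whose indirect_crl flag is set; a missing IDP means "not indirect".
        try:
            idp = crl.extensions.get_extension_for_class(IssuingDistributionPoint)
            is_indirect = bool(idp.value.indirect_crl)
        except ExtensionNotFound:
            is_indirect = False

        for entry in crl:
            print(f"Serial Number: {entry.serial_number}")
            print(f"Revocation Date: {entry.revocation_date_utc}")
            for ext in entry.extensions:
                if ext.oid == CRLEntryExtensionOID.CRL_REASON:
                    print(f"reason: {ext.value.reason}")
                elif ext.oid == CRLEntryExtensionOID.CERTIFICATE_ISSUER:
                    # The original labelled this line "reason:", which made
                    # the two extensions indistinguishable in the output.
                    print(f"certificate issuer: {ext.value}")
                    if not is_indirect:
                        print(
                            "warning: certificate_issuer entry extension "
                            "present, but the CRL has no IDP extension with "
                            "indirect_crl set"
                        )
    except Exception as e:
        # Script-level boundary: report the failure and stop listing entries.
        print(f"Error occurred: {e}")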
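# Take the CRL path from the first command-line argument when one is given;
# otherwise fall back to the test case attached to the report.
file_path = sys.argv[1] if len(sys.argv) > 1 else 'crl_IDP_noIndirect_certIssuer.der'
print_crl_issuer(file_path)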