authorPaul Kehrer <paul.l.kehrer@gmail.com>2015-05-12 23:27:32 -0500
committerPaul Kehrer <paul.l.kehrer@gmail.com>2015-05-13 08:55:47 -0500
commit594a2edf1ead6b7ce3f4e217bada30f2f323dc36 (patch)
tree56353aac74cafca601b1746005734f4ecb7974e8
parent9a10d59aaaf805a2aecef40df5338d2fc0602be9 (diff)
change approach for parsing CDP reason flags
-rw-r--r--src/cryptography/hazmat/backends/openssl/x509.py43
-rw-r--r--tests/test_x509_ext.py57
2 files changed, 82 insertions, 18 deletions
diff --git a/src/cryptography/hazmat/backends/openssl/x509.py b/src/cryptography/hazmat/backends/openssl/x509.py
index 7f487d35..07e54baa 100644
--- a/src/cryptography/hazmat/backends/openssl/x509.py
+++ b/src/cryptography/hazmat/backends/openssl/x509.py
@@ -28,18 +28,6 @@ from cryptography.exceptions import UnsupportedAlgorithm
from cryptography.hazmat.primitives import hashes
-_REASONFLAGS_ENUM_MAPPING = {
- 1: x509.ReasonFlags.key_compromise,
- 2: x509.ReasonFlags.ca_compromise,
- 3: x509.ReasonFlags.affiliation_changed,
- 4: x509.ReasonFlags.superseded,
- 5: x509.ReasonFlags.cessation_of_operation,
- 6: x509.ReasonFlags.certificate_hold,
- 7: x509.ReasonFlags.privilege_withdrawn,
- 8: x509.ReasonFlags.aa_compromise
-}
-
-
def _obj2txt(backend, obj):
# Set to 80 on the recommendation of
# https://www.openssl.org/docs/crypto/OBJ_nid2ln.html#return_values
@@ -551,7 +539,6 @@ class _Certificate(object):
reasons = None
cdp = self._backend._lib.sk_DIST_POINT_value(cdps, i)
if cdp.reasons != self._backend._ffi.NULL:
- reasons = []
# We will check each bit from RFC 5280
# ReasonFlags ::= BIT STRING {
# unused (0),
@@ -563,11 +550,31 @@ class _Certificate(object):
# certificateHold (6),
# privilegeWithdrawn (7),
# aACompromise (8) }
- for bit in range(1, 9):
- if self._backend._lib.ASN1_BIT_STRING_get_bit(
- cdp.reasons, bit
- ):
- reasons.append(_REASONFLAGS_ENUM_MAPPING[bit])
+ reasons = []
+ get_bit = self._backend._lib.ASN1_BIT_STRING_get_bit
+ if get_bit(cdp.reasons, 1):
+ reasons.append(x509.ReasonFlags.key_compromise)
+
+ if get_bit(cdp.reasons, 2):
+ reasons.append(x509.ReasonFlags.ca_compromise)
+
+ if get_bit(cdp.reasons, 3):
+ reasons.append(x509.ReasonFlags.affiliation_changed)
+
+ if get_bit(cdp.reasons, 4):
+ reasons.append(x509.ReasonFlags.superseded)
+
+ if get_bit(cdp.reasons, 5):
+ reasons.append(x509.ReasonFlags.cessation_of_operation)
+
+ if get_bit(cdp.reasons, 6):
+ reasons.append(x509.ReasonFlags.certificate_hold)
+
+ if get_bit(cdp.reasons, 7):
+ reasons.append(x509.ReasonFlags.privilege_withdrawn)
+
+ if get_bit(cdp.reasons, 8):
+ reasons.append(x509.ReasonFlags.aa_compromise)
reasons = frozenset(reasons)
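Review bot: The unrolled checks on lines 58–80 read only bits 1–8, so a ReasonFlags BIT STRING carrying the deprecated unused(0) bit or any bit above aACompromise(8) is silently dropped rather than surfaced; that permissive choice is defensible, but it deserves a comment next to `get_bit = self._backend._lib.ASN1_BIT_STRING_get_bit`, e.g. `# Only bits 1..8 are defined by RFC 5280; unused(0) and any higher bits are ignored.` A reasons field that is present but has no bits set also yields an empty frozenset rather than None, which callers may treat differently from an absent field, so it is worth stating in the same comment whether that distinction is intended. The enclosing method begins before this hunk and continues past `reasons = frozenset(reasons)`.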
diff --git a/tests/test_x509_ext.py b/tests/test_x509_ext.py
index 94b33aeb..cf698efa 100644
--- a/tests/test_x509_ext.py
+++ b/tests/test_x509_ext.py
@@ -2060,6 +2060,63 @@ class TestCRLDistributionPointsExtension(object):
)
])
+ def test_all_reasons(self, backend):
+ cert = _load_cert(
+ os.path.join(
+ "x509", "custom", "cdp_all_reasons.pem"
+ ),
+ x509.load_pem_x509_certificate,
+ backend
+ )
+
+ cdps = cert.extensions.get_extension_for_oid(
+ x509.OID_CRL_DISTRIBUTION_POINTS
+ ).value
+
+ assert cdps == x509.CRLDistributionPoints([
+ x509.DistributionPoint(
+ full_name=[x509.UniformResourceIdentifier(
+ u"http://domain.com/some.crl"
+ )],
+ relative_name=None,
+ reasons=frozenset([
+ x509.ReasonFlags.key_compromise,
+ x509.ReasonFlags.ca_compromise,
+ x509.ReasonFlags.affiliation_changed,
+ x509.ReasonFlags.superseded,
+ x509.ReasonFlags.privilege_withdrawn,
+ x509.ReasonFlags.cessation_of_operation,
+ x509.ReasonFlags.aa_compromise,
+ x509.ReasonFlags.certificate_hold,
+ ]),
+ crl_issuer=None
+ )
+ ])
+
+ def test_single_reason(self, backend):
+ cert = _load_cert(
+ os.path.join(
+ "x509", "custom", "cdp_reason_aa_compromise.pem"
+ ),
+ x509.load_pem_x509_certificate,
+ backend
+ )
+
+ cdps = cert.extensions.get_extension_for_oid(
+ x509.OID_CRL_DISTRIBUTION_POINTS
+ ).value
+
+ assert cdps == x509.CRLDistributionPoints([
+ x509.DistributionPoint(
+ full_name=[x509.UniformResourceIdentifier(
+ u"http://domain.com/some.crl"
+ )],
+ relative_name=None,
+ reasons=frozenset([x509.ReasonFlags.aa_compromise]),
+ crl_issuer=None
+ )
+ ])
+
def test_crl_issuer_only(self, backend):
cert = _load_cert(
os.path.join(