PKI: Do not load revoked certificates if CRL has been disabled (#17385)
* PKI: Do not load revoked certificates if CRL has been disabled - Restore the prior behavior of not reading in all revoked certificates when the CRL has been disabled, as there might be performance issues if a customer has revoked, or is still revoking, a lot of certificates. * Add cl
parent
9542cffa65
commit
bb1d36f401
|
@ -828,14 +828,20 @@ func buildAnyCRLs(sc *storageContext, forceNew bool, isDelta bool) error {
|
|||
}
|
||||
}
|
||||
|
||||
var unassignedCerts []pkix.RevokedCertificate
|
||||
var revokedCertsMap map[issuerID][]pkix.RevokedCertificate
|
||||
|
||||
// If the CRL is disabled do not bother reading in all the revoked certificates.
|
||||
if !globalCRLConfig.Disable {
|
||||
// Next, we load and parse all revoked certificates. We need to assign
|
||||
// these certificates to an issuer. Some certificates will not be
|
||||
// assignable (if they were issued by a since-deleted issuer), so we need
|
||||
// a separate pool for those.
|
||||
unassignedCerts, revokedCertsMap, err := getRevokedCertEntries(sc, issuerIDCertMap, isDelta)
|
||||
unassignedCerts, revokedCertsMap, err = getRevokedCertEntries(sc, issuerIDCertMap, isDelta)
|
||||
if err != nil {
|
||||
return fmt.Errorf("error building CRLs: unable to get revoked certificate entries: %v", err)
|
||||
}
|
||||
}
|
||||
|
||||
if err := augmentWithRevokedIssuers(issuerIDEntryMap, issuerIDCertMap, revokedCertsMap); err != nil {
|
||||
return fmt.Errorf("error building CRLs: unable to parse revoked issuers: %v", err)
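Review bot: With `globalCRLConfig.Disable` set, `revokedCertsMap` stays a nil map and is still passed to `augmentWithRevokedIssuers` immediately after the new `if` block. That function's body is not visible here; if it assigns into the map, Go panics on a write to a nil map, and this would only surface on mounts that have both a disabled CRL and a revoked issuer. Declaring it as `revokedCertsMap := make(map[issuerID][]pkix.RevokedCertificate)`, or moving the `augmentWithRevokedIssuers` call inside the `if !globalCRLConfig.Disable` block, would remove the risk, and a test that rebuilds with the CRL disabled and a revoked issuer present would pin the behaviour. `buildAnyCRLs` begins before and continues past this hunk.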
|
||||
|
|
|
@ -0,0 +1,3 @@
|
|||
```release-note:bug
|
||||
secrets/pki: Do not read revoked certificates from backend when CRL is disabled
|
||||
```
|