Add warning on missing AIA info fields (#15509)

* Add warning on missing AIA info fields

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
This commit is contained in:
Alexander Scheel 2022-05-19 11:12:10 -04:00 committed by GitHub
parent f31149089f
commit c7efb97f08
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 25 additions and 0 deletions


@ -108,6 +108,14 @@ func (b *backend) pathGenerateIntermediate(ctx context.Context, req *logical.Req
Data: map[string]interface{}{}, Data: map[string]interface{}{},
} }
entries, err := getURLs(ctx, req)
if err == nil && len(entries.OCSPServers) == 0 && len(entries.IssuingCertificates) == 0 && len(entries.CRLDistributionPoints) == 0 {
// If the operator hasn't configured any of the URLs prior to
// generating this issuer, we should add a warning to the response,
// informing them they might want to do so and re-generate the issuer.
resp.AddWarning("This mount hasn't configured any authority access information fields; this may make it harder for systems to find missing certificates in the chain or to validate revocation status of certificates. Consider updating /config/urls with this information.")
}
switch format { switch format {
case "pem": case "pem":
resp.Data["csr"] = csrb.CSR resp.Data["csr"] = csrb.CSR
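Review bot: An error from the new `entries, err := getURLs(ctx, req)` line is silently dropped: the condition `err == nil && …` only emits the warning when the lookup succeeds, so an operator whose URL config cannot be read gets neither the warning nor any sign that the read failed. Since the warning is advisory anyway, surface the failure the same way, e.g. `} else if err != nil {` / `resp.AddWarning("Unable to read authority access information configuration (config/urls): " + err.Error())` / `}`. The `:=` also declares a fresh err; if pathGenerateIntermediate already has an err in scope this shadows it, which cannot be confirmed here because the function starts and ends outside the hunk. Unlike the certificate-field checks added to pathCAGenerateRoot and pathIssuerSignIntermediate, this one inspects the mount's stored URL config rather than a generated certificate, and a one-line comment stating that difference would keep the three sites from drifting, e.g. `// No certificate exists yet, so check the mount's configured URLs instead of certificate extensions.`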


@ -178,6 +178,13 @@ func (b *backend) pathCAGenerateRoot(ctx context.Context, req *logical.Request,
resp.AddWarning("This issuer certificate was generated without a Subject; this makes it likely that issuing leaf certs with this certificate will cause TLS validation libraries to reject this certificate.") resp.AddWarning("This issuer certificate was generated without a Subject; this makes it likely that issuing leaf certs with this certificate will cause TLS validation libraries to reject this certificate.")
} }
if len(parsedBundle.Certificate.OCSPServer) == 0 && len(parsedBundle.Certificate.IssuingCertificateURL) == 0 && len(parsedBundle.Certificate.CRLDistributionPoints) == 0 {
// If the operator hasn't configured any of the URLs prior to
// generating this issuer, we should add a warning to the response,
// informing them they might want to do so and re-generate the issuer.
resp.AddWarning("This mount hasn't configured any authority access information fields; this may make it harder for systems to find missing certificates in the chain or to validate revocation status of certificates. Consider updating /config/urls with this information.")
}
switch format { switch format {
case "pem": case "pem":
resp.Data["certificate"] = cb.Certificate resp.Data["certificate"] = cb.Certificate
@ -368,6 +375,13 @@ func (b *backend) pathIssuerSignIntermediate(ctx context.Context, req *logical.R
resp.AddWarning("This issuer certificate was generated without a Subject; this makes it likely that issuing leaf certs with this certificate will cause TLS validation libraries to reject this certificate.") resp.AddWarning("This issuer certificate was generated without a Subject; this makes it likely that issuing leaf certs with this certificate will cause TLS validation libraries to reject this certificate.")
} }
if len(parsedBundle.Certificate.OCSPServer) == 0 && len(parsedBundle.Certificate.IssuingCertificateURL) == 0 && len(parsedBundle.Certificate.CRLDistributionPoints) == 0 {
// If the operator hasn't configured any of the URLs prior to
// generating this issuer, we should add a warning to the response,
// informing them they might want to do so and re-generate the issuer.
resp.AddWarning("This mount hasn't configured any authority access information fields; this may make it harder for systems to find missing certificates in the chain or to validate revocation status of certificates. Consider updating /config/urls with this information.")
}
switch format { switch format {
case "pem": case "pem":
resp.Data["certificate"] = cb.Certificate resp.Data["certificate"] = cb.Certificate
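Review bot: The three-field AIA check and its long warning string are pasted verbatim into both pathCAGenerateRoot and pathIssuerSignIntermediate (with a config-based variant in pathGenerateIntermediate), so any change to the wording or to the set of fields must be repeated in three places. Hoist the string into a package-level constant and the test into a small predicate over the certificate, leaving each call site as `if !hasAIAInfo(parsedBundle.Certificate) { resp.AddWarning(aiaInfoMissingWarning) }`. The warning text says `/config/urls` while the changelog names the endpoint `config/urls`; pick one form so operators searching the docs find it. Both enclosing functions start and end outside their hunks.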

changelog/15509.txt Normal file

@ -0,0 +1,3 @@
```release-note:improvement
secrets/pki: Warn on missing AIA access information when generating issuers (config/urls).
```