Remove delta indicator on main CRL (#17334)

When adding delta CRL support, we unconditionally added the delta
indicator extension to the main CRL. We shouldn't have done this; the
extension should only be added when we are building delta CRLs.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
This commit is contained in:
Alexander Scheel 2022-09-27 17:44:38 -04:00 committed by GitHub
parent f463b3d3e8
commit ccdd55529c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 16 additions and 4 deletions


@ -294,6 +294,10 @@ func crlEnableDisableTestForBackend(t *testing.T, b *backend, s logical.Storage,
requireSerialNumberInCRL(t, certList, serialNum)
}
if len(certList.Extensions) > 2 {
t.Fatalf("expected up to 2 extensions on main CRL but got %v", len(certList.Extensions))
}
// Since this test assumes a complete CRL was rebuilt, we can grab
// the delta CRL and ensure it is empty.
deltaList := getParsedCrlFromBackend(t, b, s, "crl/delta").TBSCertList
@ -301,6 +305,10 @@ func crlEnableDisableTestForBackend(t *testing.T, b *backend, s logical.Storage,
if lenDeltaList != 0 {
t.Fatalf("expected zero revoked certificates on the delta CRL due to complete CRL rebuild, found %d", lenDeltaList)
}
if len(deltaList.Extensions) != len(certList.Extensions)+1 {
t.Fatalf("expected one more extensions on delta CRL than main but got %v on main vs %v on delta", len(certList.Extensions), len(deltaList.Extensions))
}
}
revoke := func(serialIndex int) {
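Review bot: The new check `if len(certList.Extensions) > 2` only bounds the extension count, so it would still pass if the delta indicator were present while some other expected extension were missing; the regression this commit fixes is pinned more reliably by OID. After the count check, add `for _, ext := range certList.Extensions {` / `if ext.Id.Equal(asn1.ObjectIdentifier{2, 5, 29, 27}) { t.Fatalf("delta CRL indicator present on main CRL") }` / `}` (2.5.29.27 is id-ce-deltaCRLIndicator; encoding/asn1 may need importing if the test file does not already have it). The second hunk's `len(deltaList.Extensions) != len(certList.Extensions)+1` likewise infers the indicator from counts and could use the same OID lookup on deltaList, asserting presence there. crlEnableDisableTestForBackend begins and ends outside the hunks.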


@ -1269,9 +1269,13 @@ WRITE:
now := time.Now()
nextUpdate := now.Add(crlLifetime)
ext, err := certutil.CreateDeltaCRLIndicatorExt(lastCompleteNumber)
if err != nil {
return nil, fmt.Errorf("could not create crl delta indicator extension: %v", err)
var extensions []pkix.Extension
if isDelta {
ext, err := certutil.CreateDeltaCRLIndicatorExt(lastCompleteNumber)
if err != nil {
return nil, fmt.Errorf("could not create crl delta indicator extension: %v", err)
}
extensions = []pkix.Extension{ext}
}
revocationListTemplate := &x509.RevocationList{
@ -1280,7 +1284,7 @@ WRITE:
ThisUpdate: now,
NextUpdate: nextUpdate,
SignatureAlgorithm: signingBundle.RevocationSigAlg,
ExtraExtensions: []pkix.Extension{ext},
ExtraExtensions: extensions,
}
crlBytes, err := x509.CreateRevocationList(rand.Reader, revocationListTemplate, signingBundle.Certificate, signingBundle.PrivateKey)
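Review bot: The `if isDelta {` block carries no comment explaining why the indicator became conditional, so a reader of the complete-CRL path cannot tell that leaving `extensions` nil is deliberate rather than an oversight; add above `var extensions []pkix.Extension` the comment `// The Delta CRL Indicator (RFC 5280 §5.2.4) marks a delta CRL; a complete CRL must not carry it, so only delta builds populate ExtraExtensions.`. The inner `ext, err :=` declares block-scoped variables, which is fine here since err is checked before the block closes, but it does mean the outer scope no longer sees `ext`, which the second hunk's switch to `ExtraExtensions: extensions` correctly accounts for. The enclosing function (the WRITE label) starts outside the hunk.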