From 75632efdb9c761d828381b33e0166aec69a0bc4a Mon Sep 17 00:00:00 2001
From: Alexander Scheel
Date: Thu, 28 Apr 2022 13:01:57 -0400
Subject: [PATCH] Remove deleted issuers' CRL entries

Since CRLs are no longer resolvable after deletion (due to missing issuer ID, which will cause resolution to fail regardless of if an ID or a name/default reference was used), we should delete these CRLs from storage to avoid leaking them. In the event that this issuer comes back (with key material), we can simply rebuild the CRL at that time (from the remaining revoked storage entries).

Signed-off-by: Alexander Scheel
---
 builtin/logical/pki/crl_util.go | 34 +++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)

diff --git a/builtin/logical/pki/crl_util.go b/builtin/logical/pki/crl_util.go
index 28fb2f3d4f62..e043e605a96a 100644
--- a/builtin/logical/pki/crl_util.go
+++ b/builtin/logical/pki/crl_util.go
@@ -360,6 +360,40 @@ func buildCRLs(ctx context.Context, b *backend, req *logical.Request, forceNew b
 }
 }
 
+ // Before persisting our updated CRL config, check to see if we have
+ // any dangling references. If we have any issuers that don't exist,
+ // remove them, remembering their CRLs IDs. If we've completely removed
+ // all issuers pointing to that CRL number, we can remove it from the
+ // number map and from storage.
+ for mapIssuerId := range crlConfig.IssuerIDCRLMap {
+ stillHaveIssuer := false
+ for _, listedIssuerId := range issuers {
+ if mapIssuerId == listedIssuerId {
+ stillHaveIssuer = true
+ break
+ }
+ }
+
+ if !stillHaveIssuer {
+ delete(crlConfig.IssuerIDCRLMap, mapIssuerId)
+ }
+ }
+ for crlId := range crlConfig.CRLNumberMap {
+ stillHaveIssuerForID := false
+ for _, remainingCRL := range crlConfig.IssuerIDCRLMap {
+ if remainingCRL == crlId {
+ stillHaveIssuerForID = true
+ break
+ }
+ }
+
+ if !stillHaveIssuerForID {
+ if err := req.Storage.Delete(ctx, "crls/"+crlId.String()); err != nil {
+ return fmt.Errorf("error building CRLs: unable to clean up deleted issuers' CRL: %v", err)
+ }
+ }
+ }
+
 // Finally, persist our potentially updated local CRL config
 if err := setLocalCRLConfig(ctx, req.Storage, crlConfig); err != nil {
 return fmt.Errorf("error building CRLs: unable to persist updated cluster-local CRL config: %v", err)
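Review bot: The second loop deletes the orphaned CRL from storage but never removes `crlId` from `crlConfig.CRLNumberMap`, although the comment introducing the cleanup says the entry is removed "from the number map and from storage", so the persisted config keeps a number-map entry for a CRL that no longer exists and the comment overstates what the code does. If removal is intended, add `delete(crlConfig.CRLNumberMap, crlId)` inside the `if !stillHaveIssuerForID` block next to the storage delete (deleting during a range over a map is safe in Go). If retaining the entry is deliberate — plausibly so the CRL number keeps increasing monotonically if the issuer is restored, as the commit message anticipates, though that depends on what `CRLNumberMap` holds, which is not visible here — the comment should say so instead, e.g. `// The CRLNumberMap entry is intentionally kept so a rebuilt CRL continues the sequence.`. Note also that a failed `setLocalCRLConfig` after the storage delete leaves the on-disk config still pointing at the removed CRL until the next rebuild, which the current ordering tolerates only because the cleanup is idempotent; a short comment stating that would help. buildCRLs starts before this hunk and `issuers` is defined outside it.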