

Remove legacy CRL bundle on world deletion
When calling DELETE /root, we should remove the legacy CRL bundle, since
we're deleting the legacy CA issuer bundle as well.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
cipherboy committed May 2, 2022
1 parent 25eb418 commit f1eaf4b
Showing 5 changed files with 14 additions and 8 deletions.
2 changes: 1 addition & 1 deletion builtin/logical/pki/backend.go
Expand Up @@ -81,7 +81,7 @@ func Backend(conf *logical.BackendConfig) *backend {

LocalStorage: []string{
"revoked/",
"crl",
legacyCRLPath,
"crls/",
"certs/",
},
2 changes: 1 addition & 1 deletion builtin/logical/pki/cert_util.go
Expand Up @@ -171,7 +171,7 @@ func fetchCertBySerial(ctx context.Context, b *backend, req *logical.Request, pr
case strings.HasPrefix(prefix, "revoked/"):
legacyPath = "revoked/" + colonSerial
path = "revoked/" + hyphenSerial
case serial == "crl":
case serial == legacyCRLPath:
if err = b.crlBuilder.rebuildIfForced(ctx, b, req); err != nil {
return nil, err
}
4 changes: 2 additions & 2 deletions builtin/logical/pki/path_fetch.go
Expand Up @@ -179,14 +179,14 @@ func (b *backend) pathFetchRead(ctx context.Context, req *logical.Request, data
contentType = "application/pkix-cert"
}
case req.Path == "crl" || req.Path == "crl/pem":
serial = "crl"
serial = legacyCRLPath
contentType = "application/pkix-crl"
if req.Path == "crl/pem" {
pemType = "X509 CRL"
contentType = "application/x-pem-file"
}
case req.Path == "cert/crl":
serial = "crl"
serial = legacyCRLPath
pemType = "X509 CRL"
case strings.HasSuffix(req.Path, "/pem") || strings.HasSuffix(req.Path, "/raw"):
serial = data.Get("serial").(string)
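Review bot: The `case req.Path == "crl" || req.Path == "crl/pem"` line keeps the literal "crl" for the API path while the assignment below it now uses legacyCRLPath for the storage key; that split is correct — the request path and the storage key are different things that merely share the same string today — but nothing records it, and a later reader may "finish the rename" by swapping the constant into the path comparison too. A one-line comment above the case would pin the distinction: `// "crl" here is the API path; legacyCRLPath is the storage key it maps to, and the two need not stay equal.` The same applies to the `case req.Path == "cert/crl":` branch. pathFetchRead starts before this hunk.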
7 changes: 6 additions & 1 deletion builtin/logical/pki/path_root.go
Expand Up @@ -79,11 +79,16 @@ func (b *backend) pathCADeleteRoot(ctx context.Context, req *logical.Request, _
}
}

// Delete legacy CA bundle; but don't error if it doesn't exist.
// Delete legacy CA bundle.
if err := req.Storage.Delete(ctx, legacyCertBundlePath); err != nil {
return nil, err
}

// Delete legacy CRL bundle.
if err := req.Storage.Delete(ctx, legacyCRLPath); err != nil {
return nil, err
}

// Return a warning about preferring to delete issuers and keys
// explicitly versus deleting everything.
resp := &logical.Response{}
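Review bot: The rewritten comment on the legacy CA bundle delete drops the "don't error if it doesn't exist" caveat, yet both Delete calls still return any error unchanged, so a reader can no longer tell whether an absent key is expected to be a no-op on a mount that was never in the legacy layout. If logical.Storage.Delete is idempotent for missing keys (which the code appears to assume), state it once above the pair: `// Delete the legacy CA and CRL bundles; Delete is a no-op for keys that do not exist, so a mount that never used the legacy layout does not fail here.` It is also worth noting that if the CRL delete fails after the CA bundle delete succeeded, the mount is left with no legacy CA but the old legacy CRL still readable at `crl`; that is presumably harmless since a later rebuild would overwrite it, but a comment saying so would save the next maintainer the question. pathCADeleteRoot begins before this hunk.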
7 changes: 4 additions & 3 deletions builtin/logical/pki/storage.go
Expand Up @@ -23,6 +23,7 @@ const (

legacyMigrationBundleLogKey = "config/legacyMigrationBundleLog"
legacyCertBundlePath = "config/ca_bundle"
legacyCRLPath = "crl"
)

type keyID string
Expand Down Expand Up @@ -650,19 +651,19 @@ func resolveIssuerCRLPath(ctx context.Context, b *backend, s logical.Storage, re

issuer, err := resolveIssuerReference(ctx, s, reference)
if err != nil {
return "crl", err
return legacyCRLPath, err
}

crlConfig, err := getLocalCRLConfig(ctx, s)
if err != nil {
return "crl", err
return legacyCRLPath, err
}

if crlId, ok := crlConfig.IssuerIDCRLMap[issuer]; ok && len(crlId) > 0 {
return fmt.Sprintf("crls/%v", crlId), nil
}

return "crl", fmt.Errorf("unable to find CRL for issuer: id:%v/ref:%v", issuer, reference)
return legacyCRLPath, fmt.Errorf("unable to find CRL for issuer: id:%v/ref:%v", issuer, reference)
}

// Builds a certutil.CertBundle from the specified issuer identifier,
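Review bot: resolveIssuerCRLPath still returns legacyCRLPath alongside a non-nil error in all three failure branches, so any caller that drops the error would silently fall back to reading or writing the shared legacy CRL for an issuer it could not resolve or that has no entry in IssuerIDCRLMap; on a revocation path that is a quiet way to serve or overwrite the wrong CRL. Unless a caller visibly depends on that fallback (none is in this hunk), return the zero value in each error branch, `return "", err`, and document the contract with `// Returns the storage path of the CRL for the referenced issuer; the path is only meaningful when err is nil.` The function's opening lines are outside the hunk.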
