Add warning on keyless default issuer (#15178)

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
hashicorp · May 2, 2022 · 35a8716 · 35a8716
1 parent 8aa7caa
commit 35a8716
Show file tree

Hide file tree

Showing 2 changed files with 41 additions and 12 deletions.
diff --git a/builtin/logical/pki/path_config_ca.go b/builtin/logical/pki/path_config_ca.go
@@ -83,16 +83,29 @@ func (b *backend) pathCAIssuersWrite(ctx context.Context, req *logical.Request,
 		return logical.ErrorResponse("Error resolving issuer reference: " + err.Error()), nil
 	}
 
+	response := &logical.Response{
+		Data: map[string]interface{}{
+			"default": parsedIssuer,
+		},
+	}
+
+	entry, err := fetchIssuerById(ctx, req.Storage, parsedIssuer)
+	if err != nil {
+		return logical.ErrorResponse("Unable to fetch issuer: " + err.Error()), nil
+	}
+
+	if len(entry.KeyID) == 0 {
+		msg := "This selected default issuer has no key associated with it. Some operations like issuing certificates and signing CRLs will be unavailable with the requested default issuer until a key is imported or the default issuer is changed."
+		response.AddWarning(msg)
+		b.Logger().Error(msg)
+	}
+
 	err = updateDefaultIssuerId(ctx, req.Storage, parsedIssuer)
 	if err != nil {
 		return logical.ErrorResponse("Error updating issuer configuration: " + err.Error()), nil
 	}
 
-	return &logical.Response{
-		Data: map[string]interface{}{
-			"default": parsedIssuer,
-		},
-	}, nil
+	return response, nil
 }
 
 const pathConfigIssuersHelpSyn = `Read and set the default issuer certificate for signing.`

diff --git a/builtin/logical/pki/path_manage_issuers.go b/builtin/logical/pki/path_manage_issuers.go
@@ -187,20 +187,36 @@ func (b *backend) pathImportIssuers(ctx context.Context, req *logical.Request, d
 		}
 	}
 
+	response := &logical.Response{
+		Data: map[string]interface{}{
+			"mapping":          issuerKeyMap,
+			"imported_keys":    createdKeys,
+			"imported_issuers": createdIssuers,
+		},
+	}
+
 	if len(createdIssuers) > 0 {
 		err := buildCRLs(ctx, b, req, true)
 		if err != nil {
 			return nil, err
 		}
 	}
 
-	return &logical.Response{
-		Data: map[string]interface{}{
-			"mapping":          issuerKeyMap,
-			"imported_keys":    createdKeys,
-			"imported_issuers": createdIssuers,
-		},
-	}, nil
+	// While we're here, check if we should warn about a bad default key. We
+	// do this unconditionally if the issuer or key was modified, so the admin
+	// is always warned. But if unrelated key material was imported, we do
+	// not warn.
+	config, err := getIssuersConfig(ctx, req.Storage)
+	if err == nil && len(config.DefaultIssuerId) > 0 {
+		// We can use the mapping above to check the issuer mapping.
+		if keyId, ok := issuerKeyMap[string(config.DefaultIssuerId)]; !ok || len(keyId) == 0 {
+			msg := "The default issuer has no key associated with it. Some operations like issuing certificates and signing CRLs will be unavailable with the requested default issuer until a key is imported or the default issuer is changed."
+			response.AddWarning(msg)
+			b.Logger().Error(msg)
+		}
+	}
+
+	return response, nil
 }
 
 const (