PR Feedback.

hashicorp · Aug 22, 2022 · 954cafd · 954cafd
1 parent b431863
commit 954cafd
Show file tree

Hide file tree

Showing 4 changed files with 12 additions and 6 deletions.
diff --git a/builtin/logical/pki/cert_util.go b/builtin/logical/pki/cert_util.go
@@ -152,7 +152,7 @@ func (sc *storageContext) fetchCAInfoByIssuerId(issuerId issuerID, usage issuerU
 }
 
 func fetchCertBySerialBigInt(ctx context.Context, b *backend, req *logical.Request, prefix string, serial *big.Int) (*logical.StorageEntry, error) {
-	return fetchCertBySerial(ctx, b, req, prefix, certutil.GetHexFormatted(serial.Bytes(), ":"))
+	return fetchCertBySerial(ctx, b, req, prefix, serialFromBigInt(serial))
 }
 
 // Allows fetching certificates from the backend; it handles the slightly
@@ -920,9 +920,10 @@ func signCert(b *backend,
 
 // otherNameRaw describes a name related to a certificate which is not in one
 // of the standard name formats. RFC 5280, 4.2.1.6:
-// OtherName ::= SEQUENCE {
-//      type-id    OBJECT IDENTIFIER,
-//      value      [0] EXPLICIT ANY DEFINED BY type-id }
+//
+//	OtherName ::= SEQUENCE {
+//	     type-id    OBJECT IDENTIFIER,
+//	     value      [0] EXPLICIT ANY DEFINED BY type-id }
 type otherNameRaw struct {
 	TypeID asn1.ObjectIdentifier
 	Value  asn1.RawValue

diff --git a/builtin/logical/pki/ocsp_test.go b/builtin/logical/pki/ocsp_test.go
@@ -58,6 +58,7 @@ func TestOcsp_Disabled(t *testing.T) {
 
 // If we can't find the issuer within the request and have no default issuer to sign an Unknown response
 // with return an UnauthorizedErrorResponse/according to/the RFC, similar to if we are disabled (lack of authority)
+// This behavior differs from CRLs when an issuer is removed from a mount.
 func TestOcsp_UnknownIssuerWithNoDefault(t *testing.T) {
 	t.Parallel()
 

diff --git a/builtin/logical/pki/util.go b/builtin/logical/pki/util.go
@@ -4,6 +4,7 @@ import (
 	"crypto"
 	"crypto/x509"
 	"fmt"
+	"math/big"
 	"regexp"
 	"strings"
 
@@ -27,7 +28,11 @@ var (
 )
 
 func serialFromCert(cert *x509.Certificate) string {
-	return strings.TrimSpace(certutil.GetHexFormatted(cert.SerialNumber.Bytes(), ":"))
+	return serialFromBigInt(cert.SerialNumber)
+}
+
+func serialFromBigInt(serial *big.Int) string {
+	return strings.TrimSpace(certutil.GetHexFormatted(serial.Bytes(), ":"))
 }
 
 func normalizeSerial(serial string) string {

diff --git a/website/content/api-docs/secret/pki.mdx b/website/content/api-docs/secret/pki.mdx
@@ -1137,7 +1137,6 @@ $ curl \
 #### Sample Response
 
 ```json
-
 {
   "data": {
     "crl": "-----BEGIN X509 CRL-----\nMIIBizB1AgEBMA0GCSqGSIb3DQEBCwUAMBIxEDAOBgNVBAMTB3Jvb3QgeDEXDTIy\n..."