Fix deletion of issuers, CRLs #15254

Closed
wants to merge 3 commits into from

Commits on May 2, 2022

  1. Correctly handle rebuilding remaining chains

    When deleting a specific issuer, we might impact the chains. From a
    consistency perspective, we need to ensure the remaining chains are
    correct and don't refer to the since-deleted issuer, so trigger a full
    rebuild here.
    
    We don't need to call this in the delete-the-world (DELETE /root) code
    path, as there shouldn't be any remaining issuers or chains to build.
    
    Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
    cipherboy committed May 2, 2022
    25eb418
  2. Remove legacy CRL bundle on world deletion

    When calling DELETE /root, we should remove the legacy CRL bundle, since
    we're deleting the legacy CA issuer bundle as well.
    
    Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
    cipherboy committed May 2, 2022
    f1eaf4b
  3. Remove deleted issuers' CRL entries

    Since CRLs are no longer resolvable after deletion (due to missing
    issuer ID, which will cause resolution to fail regardless of if an ID or
    a name/default reference was used), we should delete these CRLs from
    storage to avoid leaking them.
    
    In the event that this issuer comes back (with key material), we can
    simply rebuild the CRL at that time (from the remaining revoked storage
    entries).
    
    Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
    cipherboy committed May 2, 2022
    75632ef
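
The consistency rule described in the first and third commit messages, sketched as an added example that is not code from this pull request or from Vault: `Store`, its fields, `has`, `Rebuild`, `DeleteIssuer` and `Dangling` are hypothetical names, and the issuer hierarchy is constructed. `DeleteIssuer` drops the issuer's CRL and rebuilds the remaining chains; `Dangling` is a check that reports any chain entry or CRL key still naming an issuer that is gone.

```go
package main

import "fmt"

type Store struct { // hypothetical in-memory model, not Vault's storage or API
	Parent map[string]string   // issuer ID -> signer's ID ("" for a root)
	Chain  map[string][]string // issuer ID -> cached chain of issuer IDs
	CRL    map[string][]byte   // issuer ID -> that issuer's CRL
}
func (s *Store) has(id string) bool { _, ok := s.Parent[id]; return ok } // still stored?

// Rebuild recomputes every cached chain from the issuers still stored.
func (s *Store) Rebuild() {
	s.Chain = map[string][]string{}
	for id := range s.Parent {
		for cur := id; s.has(cur) && len(s.Chain[id]) < len(s.Parent); cur = s.Parent[cur] {
			s.Chain[id] = append(s.Chain[id], cur)
		}
	}
}

// DeleteIssuer drops the issuer and its CRL, then rebuilds the remaining chains.
func (s *Store) DeleteIssuer(id string) {
	delete(s.Parent, id)
	delete(s.CRL, id)
	s.Rebuild()
}

// Dangling lists chain entries and CRL keys naming an issuer no longer stored.
func (s *Store) Dangling() (out []string) {
	for id, chain := range s.Chain {
		for _, ref := range chain {
			if !s.has(ref) {
				out = append(out, "chain:"+id+"->"+ref)
			}
		}
	}
	for id := range s.CRL {
		if !s.has(id) {
			out = append(out, "crl:"+id)
		}
	}
	return out
}

func main() { // constructed hierarchy: root signs int, int signs sub
	s := &Store{Parent: map[string]string{"root": "", "int": "root", "sub": "int"}, CRL: map[string][]byte{"int": {0x30}}}
	s.DeleteIssuer("int")
	fmt.Println(s.Dangling(), s.Chain["sub"])
}
```

Removing only the issuer record from the same constructed store, without the CRL cleanup and rebuild, makes `Dangling` report both the stale chain entry and the orphaned CRL.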