Identify issuer on revocation #16763
When we attempt to revoke a leaf certificate, we already parse all of the issuers within the mount (to x509.Certificate) to ensure we don't accidentally revoke an issuer via the leaf revocation endpoint. We can reuse this information to associate the issuer (via issuer/subject comparison and signature checking) to the revoked cert in its revocation info. This will help OCSP, avoiding the case where the OCSP handler needs to associate a certificate to its issuer.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
This looks awesome... and I have nits.
```go
if bytes.Equal(revokedCert.RawIssuer, issuerCert.RawSubject) {
    if err := revokedCert.CheckSignatureFrom(issuerCert); err == nil {
        // Valid mapping. Add it to the specified entry.
        revInfo.CertificateIssuer = issuerId
```
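Review bot: the visible lines assign revInfo.CertificateIssuer on a match without a break, so if the enclosing loop walks a Go map, the issuer recorded for a certificate that more than one issuer could have signed is whichever matching entry the randomized map iteration visits last, and it can differ from one revocation to the next; either break on the first match or iterate the issuer IDs in a sorted order so the mapping is reproducible, and state in a comment which rule applies.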
nit: Would be great to add a comment here that this isn't stable - that if multiple issuers could have possibly issued this certificate, it's picking the first one in the map.
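The issuer/subject comparison plus signature check from the PR description, and the ordering concern raised in the nit above, as an added stand-alone Go example that is not Vault's code. The names `findIssuer`, `buildScenario`, `newCA`, `issueLeaf` and the issuer IDs `issuer-a`/`issuer-b` are assumptions made for this example; the only calls shared with the snippet are `bytes.Equal` on `RawIssuer`/`RawSubject` and `CheckSignatureFrom`. The constructed mount holds two issuers with the same subject name but different keys, which is the case where the name comparison alone is ambiguous and only the signature check identifies the right issuer; issuer IDs are visited in sorted order so the result does not depend on map iteration order.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"sort"
	"time"
)

// newCA builds a self-signed CA certificate (constructed test data, not a real PKI).
func newCA(cn string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueLeaf issues an end-entity certificate signed by the given CA.
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, cn string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// findIssuer returns the ID of the issuer whose certificate both names the leaf's
// issuer (RawIssuer == RawSubject) and verifies the leaf's signature. IDs are
// visited in sorted order and the first match wins, so the answer is reproducible
// even though Go map iteration order is randomized (hypothetical helper).
func findIssuer(leaf *x509.Certificate, issuers map[string]*x509.Certificate) (string, error) {
	ids := make([]string, 0, len(issuers))
	for id := range issuers {
		ids = append(ids, id)
	}
	sort.Strings(ids)
	for _, id := range ids {
		issuer := issuers[id]
		if !bytes.Equal(leaf.RawIssuer, issuer.RawSubject) {
			continue // different name: cannot be the issuer
		}
		if err := leaf.CheckSignatureFrom(issuer); err != nil {
			continue // same name, wrong key: signature does not verify
		}
		return id, nil
	}
	return "", errors.New("no issuer in the mount signed this certificate")
}

// buildScenario constructs a mount with two issuers sharing the subject name
// "Example Root" but holding different keys, and a leaf signed by the second.
func buildScenario() (map[string]*x509.Certificate, *x509.Certificate, error) {
	caA, _, err := newCA("Example Root")
	if err != nil {
		return nil, nil, err
	}
	caB, keyB, err := newCA("Example Root")
	if err != nil {
		return nil, nil, err
	}
	leaf, err := issueLeaf(caB, keyB, "service.example")
	if err != nil {
		return nil, nil, err
	}
	return map[string]*x509.Certificate{"issuer-a": caA, "issuer-b": caB}, leaf, nil
}

func main() {
	issuers, leaf, err := buildScenario()
	if err != nil {
		panic(err)
	}
	id, err := findIssuer(leaf, issuers)
	fmt.Println("issuer:", id, "err:", err)
}
```

Because both issuers carry an identical subject, the name comparison alone would accept either; only `CheckSignatureFrom` rejects `issuer-a`. A leaf signed by a CA outside the mount, even one with the same name, maps to nothing, which is the situation a revocation handler must still tolerate.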