Cleanup changes around issuer revocation #16874

Merged
merged 5 commits into from
Aug 25, 2022

Commits on Aug 25, 2022

  1. Refactor CRL tests to use /sys/mounts

    Thanks Steve for the approach! This also addresses nits from Kit.
    
    Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
    cipherboy committed Aug 25, 2022
    a1ac0e4
  2. Skip CRL building steps when disabled

    This skips a number of steps during CRL build when it is disabled (and
    forceNew is not set). In particular, we avoid fetching issuers, we avoid
    associating issuers with revocation entries (and building that in-memory
    mapping), making CRL building more efficient.
    
    This means that there'll again be very little overhead on clusters with
    the CRL disabled.
    
    Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
    cipherboy committed Aug 25, 2022
    7b41944
  3. Prevent revoking roots from appearing on own CRLs

    This change ensures that when marking a root as revoked, it no longer
    appears on its own CRL. Very few clients support this event (as
    generally only leaves/intermediates are checked for presence on a
    parent's CRL) and it is technically undefined behavior (if the root is
    revoked, its own CRL should be untrusted and thus including it on its
    own CRL isn't a safe/correct distribution channel).
    
    Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
    cipherboy committed Aug 25, 2022
    809ae2d
  4. Ensure stability of revInfo issuer identification

    As mentioned by Kit, iterating through each revInfoEntry and associating
    the first issuer which matches it can cause churn when many (equivalent)
    issuers are in the system and issuers come and go (via CRLSigning usage,
    which has been modified in this release as well). Because we'd not
    include issuers without CRLSigning usage, we'd cause our verification
    helper, isRevInfoIssuerValid, to think the issuer ID is no longer valid
    (when instead, it just lacks crlSigning bits).
    
    We address this by pulling in all issuers we know of for the
    identification. This allows us to keep valid-but-not-for-signing
    issuers, and use other representatives of their identity set for
    signing/building the CRL (if they are enabled for such usage).
    
    As a side effect, we now no longer place these entries on the default
    CRL in the event all issuers in the CRL set are without the usage.
    
    Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
    cipherboy committed Aug 25, 2022
    752c47a
  5. Add changelog entry

    This is only for the last commit.
    
    Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
    cipherboy committed Aug 25, 2022
    a54c086
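
The issuer-identification churn described in commit 4, as an added Go example (a simplified model written for this page, not Vault's own code). `Issuer`, `RevEntry`, `identify` and the `signingOnly` switch are hypothetical names, and the issuer data is constructed.

```go
package main

import "fmt"

// Issuer and RevEntry are simplified, hypothetical stand-ins for this example.
type Issuer struct {
	ID, Identity string // Identity: what makes issuers equivalent (same subject and key)
	CRLSigning   bool
}

type RevEntry struct{ Serial, Identity, IssuerID string }

// identify returns the issuer ID to record for e and the issuer that should
// sign the CRL carrying it ("" means no usable signer). With signingOnly set,
// only CRL-signing issuers are considered when validating the recorded ID,
// which is the source of churn the commit message describes.
func identify(e RevEntry, issuers []Issuer, signingOnly bool) (id, signer string) {
	for _, i := range issuers {
		if i.Identity != e.Identity {
			continue
		}
		if signer == "" && i.CRLSigning {
			signer = i.ID // any enabled member of the identity set may sign
		}
		if signingOnly && !i.CRLSigning {
			continue // excluded from the identification pool
		}
		if i.ID == e.IssuerID {
			id = i.ID // recorded association is still valid: keep it
		} else if id == "" {
			id = i.ID // tentative first match
		}
	}
	return id, signer
}

func main() {
	// Constructed data: two equivalent issuers; "a" has lost CRL signing usage.
	issuers := []Issuer{{"a", "root-x", false}, {"b", "root-x", true}}
	e := RevEntry{"17", "root-x", "a"}
	fmt.Println(identify(e, issuers, true))  // association flips to the other issuer
	fmt.Println(identify(e, issuers, false)) // association is stable, "b" signs
}
```

When no member of the identity set has CRL signing usage, `identify` returns an empty signer, which models the side effect in the commit message: the entry is not placed on a CRL.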