Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Cleanup changes around issuer revocation #16874

Merged
merged 5 commits into from
Aug 25, 2022
Merged

Cleanup changes around issuer revocation #16874

merged 5 commits into from
Aug 25, 2022

Conversation

cipherboy
Copy link
Contributor

This makes four incremental improvements to revocation (around issuers and otherwise):

  1. Fixes the nits from the earlier auto-merged PR (sorry @kitography!) and updates the tests according to @stevendpclark's internal suggestions.
  2. Now that Enable periodic, automatic rebuilding of CRLs #16762 is merged and Let PKI tidy associate revoked certs with their issuers #16871 is opened, makes CRL building skip the step of doing cert association. This means we can exit fast if CRL building is disabled altogether.
  3. Fix a bug identified during an internal demo call, wherein a root appeared on its own CRL, and intermediates appearing multiple times (oops). This is because of @kitography's last-minute-but-good suggestion of writing out a fat revInfo entry for serials we see in storage, and my forgetting to filter them out when building the CRL. D'oh.
  4. The most complex change: actually addressing stability of revInfo<->issuer association, via delaying the crlSigning usage check. This means any issuer in the representative set can safely be assigned and stability is ensured, and has a side effect noted that they no longer appear on the default issuer's CRL when all issuers lack crlSigning usage.

IMO, existing tests should cover most of this behavior, but let me know if you want me to add explicit tests for certain things.

I think only the latter deserves a changelog entry (given 2 can mostly be covered by the tidy update's changelog) but let me know.

@cipherboy cipherboy added bug Used to indicate a potential bug secret/pki labels Aug 24, 2022
@cipherboy cipherboy added this to the 1.12.0-rc1 milestone Aug 24, 2022
stevendpclark
stevendpclark approved these changes Aug 24, 2022
View reviewed changes
Copy link
Contributor

@stevendpclark stevendpclark left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me, one nit.

builtin/logical/pki/crl_util.go Outdated Show resolved Hide resolved
cipherboy
cipherboy commented Aug 25, 2022
View reviewed changes
builtin/logical/pki/crl_util.go
// set, if it is a member.
//
// If it is, we'll also pull in the unassigned certs to remain
// compatible with Vault's earlier, potentially questionable
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we add this as a gating flag in CRL config?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's a really good idea (though maybe not in scope of this PR)

@cipherboy cipherboy force-pushed the cipherboy-cleanup-issuer-revocation branch from 2f6ac55 to 941d5a8 Compare August 25, 2022 14:35
kitography
kitography approved these changes Aug 25, 2022
View reviewed changes
Copy link
Contributor

@kitography kitography left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks great, thank you!

builtin/logical/pki/crl_util.go
// set, if it is a member.
//
// If it is, we'll also pull in the unassigned certs to remain
// compatible with Vault's earlier, potentially questionable
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's a really good idea (though maybe not in scope of this PR)

@cipherboy cipherboy enabled auto-merge (squash) August 25, 2022 14:47
@cipherboy
Refactor CRL tests to use /sys/mounts
a1ac0e4 
Thanks Steve for the approach! This also address nits from Kit.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
@cipherboy
Skip CRL building steps when disabled
7b41944 
This skips a number of steps during CRL build when it is disabled (and
forceNew is not set). In particular, we avoid fetching issuers, we avoid
associating issuers with revocation entries (and building that in-memory
mapping), making CRL building more efficient.

This means that there'll again be very little overhead on clusters with
the CRL disabled.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
@cipherboy
Prevent revoking roots from appearing on own CRLs
809ae2d 
This change ensures that when marking a root as revoked, it no longer
appears on its own CRL. Very few clients support this event (as
generally only leaves/intermediates are checked for presence on a
parent's CRL) and it is technically undefined behavior (if the root is
revoked, its own CRL should be untrusted and thus including it on its
own CRL isn't a safe/correct distribution channel).

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
@cipherboy
Ensure stability of revInfo issuer identification
752c47a 
As mentioned by Kit, iterating through each revInfoEntry and associating
the first issuer which matches it can cause churn when many (equivalent)
issuers are in the system and issuers come and go (via CRLSigning usage,
which has been modified in this release as well). Because we'd not
include issuers without CRLSigning usage, we'd cause our verification
helper, isRevInfoIssuerValid, to think the issuer ID is no longer value
(when instead, it just lacks crlSigning bits).

We address this by pulling in all issuers we know of for the
identification. This allows us to keep valid-but-not-for-signing
issuers, and use other representatives of their identity set for
signing/building the CRL (if they are enabled for such usage).

As a side effect, we now no longer place these entries on the default
CRL in the event all issuers in the CRL set are without the usage.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
@cipherboy
Add changelog entry
a54c086 
This is only for the last commit.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
@cipherboy cipherboy force-pushed the cipherboy-cleanup-issuer-revocation branch from 2aacf10 to a54c086 Compare August 25, 2022 15:21
@cipherboy cipherboy merged commit f06a6f7 into main Aug 25, 2022
@cipherboy cipherboy deleted the cipherboy-cleanup-issuer-revocation branch December 1, 2022 14:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@stevendpclark stevendpclark stevendpclark approved these changes

@kitography kitography kitography approved these changes

Assignees
No one assigned
Labels
bug Used to indicate a potential bug secret/pki
Projects
None yet
Milestone
1.12.0-rc1
Development

Successfully merging this pull request may close these issues.
3 participants
@cipherboy @kitography @stevendpclark