Revocation RevokerFactory interface, CE changes (#28203)

2025-10-30 02:02:43 +00:00 · 2024-08-27 16:35:11 -05:00
parent ba3d9c9aa0
commit 747b395da5
3 changed files with 41 additions and 1 deletions
--- a/builtin/logical/pki/backend.go
+++ b/builtin/logical/pki/backend.go
@@ -5,6 +5,7 @@ package pki

 import (
 	"context"
+	"crypto/x509"
 	"fmt"
 	"strings"
 	"sync"
@@ -342,6 +343,8 @@ type BackendOps interface {
 	pki_backend.SystemViewGetter
 	pki_backend.MountInfo
 	pki_backend.Logger
+	revocation.RevokerFactory
+
 	UseLegacyBundleCaStorage() bool
 	CrlBuilder() *CrlBuilder
 	GetRevokeStorageLock() *sync.RWMutex
@@ -805,3 +808,28 @@ func (b *backend) initializeStoredCertificateCounts(ctx context.Context) error {
 	certCounter.InitializeCountsFromStorage(entries, revokedEntries)
 	return nil
 }
+
+var _ revocation.Revoker = &revoker{}
+
+type revoker struct {
+	backend        *backend
+	storageContext *storageContext
+	crlConfig      *pki_backend.CrlConfig
+}
+
+func (r *revoker) RevokeCert(cert *x509.Certificate) (*logical.Response, error) {
+	return revokeCert(r.storageContext, r.crlConfig, cert)
+}
+
+func (r *revoker) RevokeCertBySerial(serial string) (*logical.Response, error) {
+	return tryRevokeCertBySerial(r.storageContext, r.crlConfig, serial)
+}
+
+func (b *backend) GetRevoker(ctx context.Context, s logical.Storage) revocation.Revoker {
+	sc := b.makeStorageContext(ctx, s)
+	return &revoker{
+		backend:        b,
+		crlConfig:      &b.CrlBuilder().config,
+		storageContext: sc,
+	}
+}
--- a/builtin/logical/pki/revocation/revoke.go
+++ b/builtin/logical/pki/revocation/revoke.go
@@ -5,10 +5,13 @@ package revocation

 import (
 	"bytes"
+	"context"
 	"crypto/x509"
 	"fmt"
 	"time"

+	"github.com/hashicorp/vault/sdk/logical"
+
 	"github.com/hashicorp/vault/builtin/logical/pki/issuing"
 	"github.com/hashicorp/vault/builtin/logical/pki/pki_backend"
 	"github.com/hashicorp/vault/sdk/helper/errutil"
@@ -18,6 +21,15 @@ const (
 	RevokedPath = "revoked/"
 )

+type RevokerFactory interface {
+	GetRevoker(context.Context, logical.Storage) Revoker
+}
+
+type Revoker interface {
+	RevokeCert(cert *x509.Certificate) (*logical.Response, error)
+	RevokeCertBySerial(serial string) (*logical.Response, error)
+}
+
 type RevocationInfo struct {
 	CertificateBytes  []byte           `json:"certificate_bytes"`
 	RevocationTime    int64            `json:"revocation_time"`
--- a/builtin/logical/pkiext/nginx_test.go
+++ b/builtin/logical/pkiext/nginx_test.go
@@ -39,7 +39,7 @@ const (

 func buildNginxContainer(t *testing.T, root string, crl string, chain string, private string) (func(), string, int, string, string, int) {
 	containerfile := `
-FROM nginx:latest
+FROM nginx:1.27.1

 RUN mkdir /www /etc/nginx/ssl && rm /etc/nginx/conf.d/*.conf