From 747b395da5d27a97c63582106f6ea09f67a521b6 Mon Sep 17 00:00:00 2001
From: Scott Miller
Date: Tue, 27 Aug 2024 16:35:11 -0500
Subject: [PATCH] Revocation RevokerFactory interface, CE changes (#28203)

---
 builtin/logical/pki/backend.go | 28 ++++++++++++++++++++++++
 builtin/logical/pki/revocation/revoke.go | 12 ++++++++++
 builtin/logical/pkiext/nginx_test.go | 2 +-
 3 files changed, 41 insertions(+), 1 deletion(-)

diff --git a/builtin/logical/pki/backend.go b/builtin/logical/pki/backend.go
index f753563236..37dd1a369b 100644
--- a/builtin/logical/pki/backend.go
+++ b/builtin/logical/pki/backend.go
@@ -5,6 +5,7 @@ package pki
import (
"context"
+ "crypto/x509"
"fmt"
"strings"
"sync"
@@ -342,6 +343,8 @@ type BackendOps interface {
pki_backend.SystemViewGetter
pki_backend.MountInfo
pki_backend.Logger
+ revocation.RevokerFactory
+
UseLegacyBundleCaStorage() bool
CrlBuilder() *CrlBuilder
GetRevokeStorageLock() *sync.RWMutex
@@ -805,3 +808,28 @@ func (b *backend) initializeStoredCertificateCounts(ctx context.Context) error {
certCounter.InitializeCountsFromStorage(entries, revokedEntries)
return nil
}
+
+var _ revocation.Revoker = &revoker{}
+
+type revoker struct {
+ backend *backend
+ storageContext *storageContext
+ crlConfig *pki_backend.CrlConfig
+}
+
+func (r *revoker) RevokeCert(cert *x509.Certificate) (*logical.Response, error) {
+ return revokeCert(r.storageContext, r.crlConfig, cert)
+}
+
+func (r *revoker) RevokeCertBySerial(serial string) (*logical.Response, error) {
+ return tryRevokeCertBySerial(r.storageContext, r.crlConfig, serial)
+}
+
+func (b *backend) GetRevoker(ctx context.Context, s logical.Storage) revocation.Revoker {
+ sc := b.makeStorageContext(ctx, s)
+ return &revoker{
+ backend: b,
+ crlConfig: &b.CrlBuilder().config,
+ storageContext: sc,
+ }
+}
diff --git a/builtin/logical/pki/revocation/revoke.go b/builtin/logical/pki/revocation/revoke.go
index 67272786e8..2618d700c7 100644
--- a/builtin/logical/pki/revocation/revoke.go
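Review bot: Neither GetRevoker nor the two revoker methods acquire the revoke storage lock that BackendOps exposes as GetRevokeStorageLock() in the interface hunk of this same file, so whether RevokeCert and RevokeCertBySerial are safe to run concurrently with the existing revoke handlers or a CRL rebuild rests on an unstated caller contract; the `backend` field the struct stores is not read by either method, which hints that the lock was meant to be reachable from here. If the existing path handlers take that lock themselves before calling revokeCert (inferred, not visible in this hunk), taking it again inside these methods would deadlock, so the safer fix is to make the contract explicit on the exported method: `// GetRevoker returns a Revoker bound to ctx and s. It performs no locking; callers must hold b.GetRevokeStorageLock() for writing across RevokeCert and RevokeCertBySerial, as the revoke path handlers do.` Separately, `crlConfig: &b.CrlBuilder().config` hands the Revoker a pointer into the builder's live config field instead of whatever accessor the existing revoke paths use to obtain the current config; if that accessor reloads the config from storage or reads it under the builder's lock, a Revoker built this way can act on stale CRL settings and reads the field without that synchronization, which is worth confirming against CrlBuilder.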
+++ b/builtin/logical/pki/revocation/revoke.go
@@ -5,10 +5,13 @@ package revocation
import (
"bytes"
+ "context"
"crypto/x509"
"fmt"
"time"
+ "github.com/hashicorp/vault/sdk/logical"
+
"github.com/hashicorp/vault/builtin/logical/pki/issuing"
"github.com/hashicorp/vault/builtin/logical/pki/pki_backend"
"github.com/hashicorp/vault/sdk/helper/errutil"
@@ -18,6 +21,15 @@ const (
RevokedPath = "revoked/"
)
+type RevokerFactory interface {
+ GetRevoker(context.Context, logical.Storage) Revoker
+}
+
+type Revoker interface {
+ RevokeCert(cert *x509.Certificate) (*logical.Response, error)
+ RevokeCertBySerial(serial string) (*logical.Response, error)
+}
+
type RevocationInfo struct {
CertificateBytes []byte `json:"certificate_bytes"`
RevocationTime int64 `json:"revocation_time"`
diff --git a/builtin/logical/pkiext/nginx_test.go b/builtin/logical/pkiext/nginx_test.go
index e7d3ab42ed..70defe42e8 100644
--- a/builtin/logical/pkiext/nginx_test.go
+++ b/builtin/logical/pkiext/nginx_test.go
@@ -39,7 +39,7 @@ const (
func buildNginxContainer(t *testing.T, root string, crl string, chain string, private string) (func(), string, int, string, string, int) {
containerfile := `
-FROM nginx:latest
+FROM nginx:1.27.1
RUN mkdir /www /etc/nginx/ssl && rm /etc/nginx/conf.d/*.conf
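Review bot: RevokerFactory and Revoker are exported as the seam between this package and out-of-tree code (the subject calls these the CE changes), yet neither interface carries a doc comment, so a consumer cannot tell from the declaration what contract GetRevoker and the two Revoke methods impose. What a caller needs spelled out is that the Revoker is bound to the ctx and storage passed to GetRevoker (the Revoke methods take no ctx, so a Revoker must not outlive the request it was created for), what synchronization the caller must provide around RevokeCert and RevokeCertBySerial, and what a non-nil *logical.Response returned with a nil error means — presumably the path-handler convention of carrying a user-facing error, but that is not visible from this hunk and should be confirmed against the implementation. Something like `// RevokerFactory builds a Revoker bound to a request context and storage view; the Revoker must not be retained past that request.` on the factory, and on Revoker a comment stating that RevokeCert revokes an already-parsed certificate, that RevokeCertBySerial looks the certificate up by serial, that both may return a *logical.Response describing a user-facing failure alongside a nil error, and which lock the caller must hold, would close the gap.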