scottk/vault
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/vault.git synced 2025-10-30 18:17:55 +00:00
Code Issues Packages Projects Releases Wiki Activity

PKI: Do not load revoked certificates if CRL has been disabled (#17385)

Browse Source 
* PKI: Do not load revoked certificates if CRL has been disabled

 - Restore the prior behavior of not reading in all revoked certificates
   if the CRL has been disabled as there might be performance issues
   if a customer had or is still revoking a lot of certificates.

* Add cl
This commit is contained in:
Steven Clark
2022-10-03 10:04:32 -04:00
committed by GitHub
parent bcc79b7f5b
commit aea2844c5f
2 changed files with 16 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
builtin/logical/pki/crl_util.go
View File

@@ -828,14 +828,20 @@ func buildAnyCRLs(sc *storageContext, forceNew bool, isDelta bool) error {
} }
} }
var unassignedCerts []pkix.RevokedCertificate
var revokedCertsMap map[issuerID][]pkix.RevokedCertificate
// If the CRL is disabled do not bother reading in all the revoked certificates.
if !globalCRLConfig.Disable {
// Next, we load and parse all revoked certificates. We need to assign // Next, we load and parse all revoked certificates. We need to assign
// these certificates to an issuer. Some certificates will not be // these certificates to an issuer. Some certificates will not be
// assignable (if they were issued by a since-deleted issuer), so we need // assignable (if they were issued by a since-deleted issuer), so we need
// a separate pool for those. // a separate pool for those.
unassignedCerts, revokedCertsMap, err := getRevokedCertEntries(sc, issuerIDCertMap, isDelta) unassignedCerts, revokedCertsMap, err = getRevokedCertEntries(sc, issuerIDCertMap, isDelta)
if err != nil { if err != nil {
return fmt.Errorf("error building CRLs: unable to get revoked certificate entries: %v", err) return fmt.Errorf("error building CRLs: unable to get revoked certificate entries: %v", err)
} }
}
if err := augmentWithRevokedIssuers(issuerIDEntryMap, issuerIDCertMap, revokedCertsMap); err != nil { if err := augmentWithRevokedIssuers(issuerIDEntryMap, issuerIDCertMap, revokedCertsMap); err != nil {
return fmt.Errorf("error building CRLs: unable to parse revoked issuers: %v", err) return fmt.Errorf("error building CRLs: unable to parse revoked issuers: %v", err)

3
changelog/17385.txt Normal file
View File

@@ -0,0 +1,3 @@
```release-note:bug
secrets/pki: Do not read revoked certificates from backend when CRL is disabled
```