From c2d427e7d224527df9aedbbbe04a462470cd604f Mon Sep 17 00:00:00 2001
From: Alexander Scheel
Date: Tue, 27 Sep 2022 17:44:38 -0400
Subject: [PATCH] Remove delta indicator on main CRL (#17334)

When adding delta CRL support, we unconditionally added the delta indicator extension to the main CRL. We shouldn't have done this, and instead only added it conditionally when we were building delta CRLs.

Signed-off-by: Alexander Scheel
Signed-off-by: Alexander Scheel
---
 builtin/logical/pki/crl_test.go | 8 ++++++++
 builtin/logical/pki/crl_util.go | 12 ++++++++----
 2 files changed, 16 insertions(+), 4 deletions(-)

diff --git a/builtin/logical/pki/crl_test.go b/builtin/logical/pki/crl_test.go
index 962cd650f9..cb3e83db62 100644
--- a/builtin/logical/pki/crl_test.go
+++ b/builtin/logical/pki/crl_test.go
@@ -294,6 +294,10 @@ func crlEnableDisableTestForBackend(t *testing.T, b *backend, s logical.Storage,
 			requireSerialNumberInCRL(t, certList, serialNum)
 		}
 
+		if len(certList.Extensions) > 2 {
+			t.Fatalf("expected up to 2 extensions on main CRL but got %v", len(certList.Extensions))
+		}
+
 		// Since this test assumes a complete CRL was rebuilt, we can grab
 		// the delta CRL and ensure it is empty.
 		deltaList := getParsedCrlFromBackend(t, b, s, "crl/delta").TBSCertList
@@ -301,6 +305,10 @@ func crlEnableDisableTestForBackend(t *testing.T, b *backend, s logical.Storage,
 		if lenDeltaList != 0 {
 			t.Fatalf("expected zero revoked certificates on the delta CRL due to complete CRL rebuild, found %d", lenDeltaList)
 		}
+
+		if len(deltaList.Extensions) != len(certList.Extensions)+1 {
+			t.Fatalf("expected one more extensions on delta CRL than main but got %v on main vs %v on delta", len(certList.Extensions), len(deltaList.Extensions))
+		}
 	}
 
 	revoke := func(serialIndex int) {
diff --git a/builtin/logical/pki/crl_util.go b/builtin/logical/pki/crl_util.go
index 8dda13495f..0744690a8b 100644
--- a/builtin/logical/pki/crl_util.go
+++ b/builtin/logical/pki/crl_util.go
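Review bot: The new bound `len(certList.Extensions) > 2` on the main CRL does not pin down the regression this commit fixes: it passes whenever the complete CRL has at most two extensions, so a main CRL that carried the Delta CRL Indicator but happened to lack one of the other extensions would slip through (Go's x509.CreateRevocationList always adds a CRL Number but, as far as I recall, adds an Authority Key Identifier only when the issuer has a Subject Key Identifier), and the count is also coupled to stdlib behaviour that may change between Go releases. Asserting on the extension OID is stricter and self-describing: `for _, ext := range certList.Extensions { if ext.Id.Equal(asn1.ObjectIdentifier{2, 5, 29, 27}) { t.Fatalf("main CRL must not carry the Delta CRL Indicator extension (RFC 5280 §5.2.4)") } }` (needs `encoding/asn1` if the test file does not already import it). The same OID check in the positive direction on `deltaList.Extensions` in the second hunk would replace the `len(...)+1` arithmetic with a direct statement of the RFC requirement. The enclosing function crlEnableDisableTestForBackend begins before this hunk and continues after it.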
@@ -1269,9 +1269,13 @@ WRITE:
 	now := time.Now()
 	nextUpdate := now.Add(crlLifetime)
 
-	ext, err := certutil.CreateDeltaCRLIndicatorExt(lastCompleteNumber)
-	if err != nil {
-		return nil, fmt.Errorf("could not create crl delta indicator extension: %v", err)
+	var extensions []pkix.Extension
+	if isDelta {
+		ext, err := certutil.CreateDeltaCRLIndicatorExt(lastCompleteNumber)
+		if err != nil {
+			return nil, fmt.Errorf("could not create crl delta indicator extension: %v", err)
+		}
+		extensions = []pkix.Extension{ext}
 	}
 
 	revocationListTemplate := &x509.RevocationList{
@@ -1280,7 +1284,7 @@ WRITE:
 		ThisUpdate: now,
 		NextUpdate: nextUpdate,
 		SignatureAlgorithm: signingBundle.RevocationSigAlg,
-		ExtraExtensions: []pkix.Extension{ext},
+		ExtraExtensions: extensions,
 	}
 
 	crlBytes, err := x509.CreateRevocationList(rand.Reader, revocationListTemplate, signingBundle.Certificate, signingBundle.PrivateKey)
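Review bot: The `if isDelta` guard around `CreateDeltaCRLIndicatorExt` carries no comment saying why the extension must be absent from the complete CRL, and the reason is a security-relevant interoperability rule rather than tidiness: RFC 5280 §5.2.4 defines the Delta CRL Indicator as a critical extension that marks a CRL as a delta, so a complete CRL carrying it is either rejected by a relying party that does not process deltas or, worse, treated as a delta that is only meaningful relative to the base CRL it names, which undermines revocation checking for the main CRL. I would put that above the `var extensions` line: `// RFC 5280 §5.2.4: the (critical) Delta CRL Indicator may only appear on delta CRLs; a complete CRL carrying it is rejected or misread as a delta by conforming relying parties.` It would also help to note next to the call that `lastCompleteNumber` is consulted only on the delta path, since it is presumably computed earlier in this function and a reader may otherwise expect it to affect the complete CRL. The enclosing function starts before the hunk's WRITE: label, so whether isDelta and lastCompleteNumber are parameters or locals is not visible here.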