diff --git a/builtin/logical/pki/cert_util.go b/builtin/logical/pki/cert_util.go index efd030acc1a2..8fadc312aef9 100644 --- a/builtin/logical/pki/cert_util.go +++ b/builtin/logical/pki/cert_util.go @@ -143,13 +143,6 @@ func fetchCAInfoByIssuerId(ctx context.Context, b *backend, req *logical.Request if err != nil { return nil, errutil.InternalError{Err: fmt.Sprintf("unable to fetch URL information: %v", err)} } - if entries == nil { - entries = &certutil.URLEntries{ - IssuingCertificates: []string{}, - CRLDistributionPoints: []string{}, - OCSPServers: []string{}, - } - } caInfo.URLs = entries return caInfo, nil @@ -633,13 +626,6 @@ func generateCert(ctx context.Context, if err != nil { return nil, errutil.InternalError{Err: fmt.Sprintf("unable to fetch URL information: %v", err)} } - if entries == nil { - entries = &certutil.URLEntries{ - IssuingCertificates: []string{}, - CRLDistributionPoints: []string{}, - OCSPServers: []string{}, - } - } data.Params.URLs = entries if input.role.MaxPathLength == nil { diff --git a/builtin/logical/pki/crl_util.go b/builtin/logical/pki/crl_util.go index c910fdc3a9d0..c9509125e259 100644 --- a/builtin/logical/pki/crl_util.go +++ b/builtin/logical/pki/crl_util.go @@ -569,28 +569,26 @@ func buildCRL(ctx context.Context, b *backend, req *logical.Request, forceNew bo crlLifetime := b.crlLifetime var revokedCerts []pkix.RevokedCertificate - if crlInfo != nil { - if crlInfo.Expiry != "" { - crlDur, err := time.ParseDuration(crlInfo.Expiry) - if err != nil { - return errutil.InternalError{Err: fmt.Sprintf("error parsing CRL duration of %s", crlInfo.Expiry)} - } - crlLifetime = crlDur + if crlInfo.Expiry != "" { + crlDur, err := time.ParseDuration(crlInfo.Expiry) + if err != nil { + return errutil.InternalError{Err: fmt.Sprintf("error parsing CRL duration of %s", crlInfo.Expiry)} } + crlLifetime = crlDur + } - if crlInfo.Disable { - if !forceNew { - return nil - } - - // NOTE: in this case, the passed argument (revoked) is not added - // to the revokedCerts list. This is because we want to sign an - // **empty** CRL (as the CRL was disabled but we've specified the - // forceNew option). In previous versions of Vault (1.10 series and - // earlier), we'd have queried the certs below, whereas we now have - // an assignment from a pre-queried list. - goto WRITE + if crlInfo.Disable { + if !forceNew { + return nil } + + // NOTE: in this case, the passed argument (revoked) is not added + // to the revokedCerts list. This is because we want to sign an + // **empty** CRL (as the CRL was disabled but we've specified the + // forceNew option). In previous versions of Vault (1.10 series and + // earlier), we'd have queried the certs below, whereas we now have + // an assignment from a pre-queried list. + goto WRITE } revokedCerts = revoked diff --git a/builtin/logical/pki/path_config_crl.go b/builtin/logical/pki/path_config_crl.go index 7555fc6833eb..5692e4eb5bbc 100644 --- a/builtin/logical/pki/path_config_crl.go +++ b/builtin/logical/pki/path_config_crl.go @@ -54,11 +54,15 @@ func (b *backend) CRL(ctx context.Context, s logical.Storage) (*crlConfig, error if err != nil { return nil, err } + + var result crlConfig + result.Expiry = b.crlLifetime.String() + result.Disable = false + if entry == nil { - return nil, nil + return &result, nil } - var result crlConfig if err := entry.DecodeJSON(&result); err != nil { return nil, err } @@ -71,9 +75,6 @@ func (b *backend) pathCRLRead(ctx context.Context, req *logical.Request, _ *fram if err != nil { return nil, err } - if config == nil { - return nil, nil - } return &logical.Response{ Data: map[string]interface{}{ @@ -88,9 +89,6 @@ func (b *backend) pathCRLWrite(ctx context.Context, req *logical.Request, d *fra if err != nil { return nil, err } - if config == nil { - config = &crlConfig{} - } if expiryRaw, ok := d.GetOk("expiry"); ok { expiry := expiryRaw.(string) diff --git a/builtin/logical/pki/path_config_urls.go b/builtin/logical/pki/path_config_urls.go index 2d1840997109..f27d541d6770 100644 --- a/builtin/logical/pki/path_config_urls.go +++ b/builtin/logical/pki/path_config_urls.go @@ -63,16 +63,22 @@ func getURLs(ctx context.Context, req *logical.Request) (*certutil.URLEntries, e if err != nil { return nil, err } + + entries := &certutil.URLEntries{ + IssuingCertificates: []string{}, + CRLDistributionPoints: []string{}, + OCSPServers: []string{}, + } + if entry == nil { - return nil, nil + return entries, nil } - var entries certutil.URLEntries - if err := entry.DecodeJSON(&entries); err != nil { + if err := entry.DecodeJSON(entries); err != nil { return nil, err } - return &entries, nil + return entries, nil } func writeURLs(ctx context.Context, req *logical.Request, entries *certutil.URLEntries) error { @@ -97,9 +103,6 @@ func (b *backend) pathReadURL(ctx context.Context, req *logical.Request, _ *fram if err != nil { return nil, err } - if entries == nil { - return nil, nil - } resp := &logical.Response{ Data: structs.New(entries).Map(), @@ -113,13 +116,6 @@ func (b *backend) pathWriteURL(ctx context.Context, req *logical.Request, data * if err != nil { return nil, err } - if entries == nil { - entries = &certutil.URLEntries{ - IssuingCertificates: []string{}, - CRLDistributionPoints: []string{}, - OCSPServers: []string{}, - } - } if urlsInt, ok := data.GetOk("issuing_certificates"); ok { entries.IssuingCertificates = urlsInt.([]string) diff --git a/changelog/15470.txt b/changelog/15470.txt new file mode 100644 index 000000000000..2fbaede96bb5 --- /dev/null +++ b/changelog/15470.txt @@ -0,0 +1,3 @@ +```release-note:improvement +secrets/pki: Always return CRLs, URLs configurations, even if using the default value. +```