
Add warnings to crl rebuilds, allowing notifying operator of empty issuer equivalency sets #20253

Merged: 5 commits into main from cipherboy-add-logging-crl-rebuilds, Apr 19, 2023

Conversation

@cipherboy (Contributor) commented Apr 19, 2023

When a user generates an external CA without KeyUsage bits and imports it into Vault (as Vault does not allow setting KeyUsage on internally generated CAs), they can end up with issuer equivalency classes without a valid representative for generating the CRL. This is because Go fails on rebuilding CRLs for issuers lacking an asserted CRL Building KeyUsage.

Add warnings into the CRL rebuild infrastructure and allow certain actions to directly expose them to operators (import, manual rebuild, potentially revoke), whereas all other operations will result in these warnings being logged at a Warn level.

I'm not quite happy with this approach: over a cluster's lifetime, I'd imagine this could get somewhat verbose if the operator does not take steps to address it. However, it is also a somewhat rare problem to have (though, I have added one other warning when a legacy bundle is in use with delta CRLs), so I'm inclined to believe that while it is not perfect, it is perhaps good enough.


During import this looks like:

[cipherboy@xps15 vault]$ vault write pki/issuers/import/bundle pem_bundle=@/home/cipherboy/GitHub/cipherboy/testbed/chain-building/experiments/ca/root-old/certs/ca.pem
WARNING! The following warnings were returned from Vault:

  * Warning 1 during CRL rebuild: warning from local CRL rebuild:
  Issuer equivalency set with associated keys lacked an issuer with CRL
  Signing KeyUsage; refusing to rebuild CRL for this group of issuers:
  3794ea87-4275-5c89-aee8-a69737847362

  * This mount hasn't configured any authority information access (AIA)
  fields; this may make it harder for systems to find missing certificates
  in the chain or to validate revocation status of certificates. Consider
  updating /config/urls or the newly generated issuer with this information.

Key                 Value
---                 -----
imported_issuers    [3794ea87-4275-5c89-aee8-a69737847362]
imported_keys       <nil>
mapping             map[3794ea87-4275-5c89-aee8-a69737847362:b3cd91f3-e1f1-39a0-e297-504104bb9069]
[cipherboy@xps15 vault]$ 

This also appears on the CRL rebuild endpoint (/pki/crl/rotate).


Resolves: #20137
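The failure mode described above can be reproduced directly against Go's crypto/x509, which is what Vault calls into for CRL generation. The following is an added example, not Vault's code and not part of this PR: it builds one self-signed CA that asserts crlSign and one that does not, shows that x509.CreateRevocationList rejects the second, and then sketches a rebuild loop that, like the PR, turns a set with key material but no CRL-capable issuer into a warning rather than a hard failure. The issuer type, newCA, buildCRL and rebuildWithWarnings are hypothetical helpers written for this illustration, and the warning string only paraphrases the one shown in the CLI output.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issuer pairs a CA certificate with its key material, standing in for a
// Vault issuer with an associated key. Hypothetical type, not Vault's.
type issuer struct {
	id   string
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// newCA builds a self-signed CA. keyUsage is passed through unchanged so a
// CA can be created with or without crlSign, mirroring an externally
// generated CA imported without KeyUsage bits.
func newCA(cn string, keyUsage x509.KeyUsage) (*issuer, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              keyUsage,
		// CreateRevocationList also requires an issuer SKID; set one so the
		// only check that can fail below is the KeyUsage one.
		SubjectKeyId: []byte{0x01, 0x02, 0x03, 0x04},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &issuer{id: cn, cert: cert, key: key}, nil
}

// buildCRL asks Go to sign an empty CRL with the given issuer. Go refuses
// when the issuer certificate lacks the crlSign KeyUsage bit; that error is
// what the PR surfaces to operators as a warning.
func buildCRL(iss *issuer, number int64) ([]byte, error) {
	tmpl := &x509.RevocationList{
		Number:     big.NewInt(number),
		ThisUpdate: time.Now(),
		NextUpdate: time.Now().Add(72 * time.Hour),
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, iss.cert, iss.key)
}

// rebuildWithWarnings signs one CRL per issuer equivalency set using the
// first member that has a key and asserts crlSign. A set that has keys but
// no such member produces a warning instead of aborting the whole rebuild;
// a set with no keys at all cannot sign anything and is skipped silently.
func rebuildWithWarnings(sets map[string][]*issuer) (map[string][]byte, []string) {
	crls := make(map[string][]byte)
	var warnings []string
	for setID, members := range sets {
		var signer *issuer
		hasKey := false
		for _, m := range members {
			hasKey = hasKey || m.key != nil
			if m.key != nil && m.cert.KeyUsage&x509.KeyUsageCRLSign != 0 {
				signer = m
				break
			}
		}
		if signer == nil {
			if hasKey {
				warnings = append(warnings, fmt.Sprintf("issuer equivalency set %s with associated keys lacked an issuer with CRL Signing KeyUsage; refusing to rebuild CRL", setID))
			}
			continue
		}
		der, err := buildCRL(signer, 1)
		if err != nil {
			warnings = append(warnings, fmt.Sprintf("set %s: %v", setID, err))
			continue
		}
		crls[setID] = der
	}
	return crls, warnings
}

func main() {
	good, _ := newCA("Root with crlSign", x509.KeyUsageCertSign|x509.KeyUsageCRLSign)
	bad, _ := newCA("Root without crlSign", x509.KeyUsageCertSign)
	if _, err := buildCRL(bad, 1); err != nil {
		fmt.Println("CreateRevocationList error:", err)
	}
	crls, warnings := rebuildWithWarnings(map[string][]*issuer{"set-good": {good}, "set-bad": {bad}})
	fmt.Printf("built %d CRL(s)\n", len(crls))
	for _, w := range warnings {
		fmt.Println("warning:", w)
	}
}
```

Running it prints Go's rejection for the CA without crlSign and exactly one warning for its set, while the CA with crlSign still gets a CRL. The fix on the operator side is the one the PR suggests: re-issue or import an equivalent CA that asserts crlSign so the set regains a valid representative.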

@cipherboy cipherboy added this to the 1.14 milestone Apr 19, 2023
@cipherboy cipherboy requested review from stevendpclark and a team April 19, 2023 13:47
Review comment on builtin/logical/pki/crl_util.go (outdated, resolved)
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
When an entire issuer equivalency class is missing CRL signing usage
(but otherwise has key material present), we should add a warning so
operators can either correct this issuer or create an equivalent version
with KU specified.

Resolves: #20137

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
@cipherboy cipherboy force-pushed the cipherboy-add-logging-crl-rebuilds branch from 75dceb5 to 5765aac April 19, 2023 16:25
@cipherboy cipherboy enabled auto-merge (squash) April 19, 2023 16:28
@cipherboy cipherboy merged commit d3629a1 into main Apr 19, 2023
@cipherboy cipherboy deleted the cipherboy-add-logging-crl-rebuilds branch April 21, 2023 13:08

Successfully merging this pull request may close these issues: CRL returns empty for vault versions >= 1.11.0 (#20137)