From 6ff4bccd51540e075e2e0eac9dae8451c4350c3c Mon Sep 17 00:00:00 2001
From: Alexander Scheel
Date: Thu, 19 May 2022 11:12:10 -0400
Subject: [PATCH] Add warning on missing AIA info fields (#15509)

* Add warning on missing AIA info fields
Signed-off-by: Alexander Scheel
* Add changelog:
Signed-off-by: Alexander Scheel
---
 builtin/logical/pki/path_intermediate.go | 8 ++++++++
 builtin/logical/pki/path_root.go | 14 ++++++++++++++
 changelog/15509.txt | 3 +++
 3 files changed, 25 insertions(+)
 create mode 100644 changelog/15509.txt

diff --git a/builtin/logical/pki/path_intermediate.go b/builtin/logical/pki/path_intermediate.go
index ce172c97ac09..bc388f400886 100644
--- a/builtin/logical/pki/path_intermediate.go
+++ b/builtin/logical/pki/path_intermediate.go
@@ -108,6 +108,14 @@ func (b *backend) pathGenerateIntermediate(ctx context.Context, req *logical.Req
 Data: map[string]interface{}{},
 }
 
+ entries, err := getURLs(ctx, req)
+ if err == nil && len(entries.OCSPServers) == 0 && len(entries.IssuingCertificates) == 0 && len(entries.CRLDistributionPoints) == 0 {
+ // If the operator hasn't configured any of the URLs prior to
+ // generating this issuer, we should add a warning to the response,
+ // informing them they might want to do so and re-generate the issuer.
+ resp.AddWarning("This mount hasn't configured any authority access information fields; this may make it harder for systems to find missing certificates in the chain or to validate revocation status of certificates. Consider updating /config/urls with this information.")
+ }
+
 switch format {
 case "pem":
 resp.Data["csr"] = csrb.CSR
diff --git a/builtin/logical/pki/path_root.go b/builtin/logical/pki/path_root.go
index 8caa4ddc6f33..97aa65800f57 100644
--- a/builtin/logical/pki/path_root.go
+++ b/builtin/logical/pki/path_root.go
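Review bot: The `err == nil &&` guard on the new `if` swallows a failure from `getURLs`, so a storage read error during CSR generation yields neither the AIA warning nor any sign that the URL configuration could not be checked, and the response then looks exactly like a fully configured mount. Either surface it the way the surrounding code presumably treats other config reads, `if err != nil { return nil, err }` ahead of the emptiness check, or at least add a second `resp.AddWarning` stating that the URL configuration could not be read. Note also that this hunk inspects the mount's stored config (`entries.OCSPServers`, `IssuingCertificates`, `CRLDistributionPoints`) while the two path_root.go hunks inspect the extensions of the generated certificate; that is appropriate here since a CSR carries no AIA, but a one-line comment saying so would stop a later reader from "aligning" the two conditions. pathGenerateIntermediate's body starts and ends outside the hunk.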
@@ -178,6 +178,13 @@ func (b *backend) pathCAGenerateRoot(ctx context.Context, req *logical.Request,
 resp.AddWarning("This issuer certificate was generated without a Subject; this makes it likely that issuing leaf certs with this certificate will cause TLS validation libraries to reject this certificate.")
 }
 
+ if len(parsedBundle.Certificate.OCSPServer) == 0 && len(parsedBundle.Certificate.IssuingCertificateURL) == 0 && len(parsedBundle.Certificate.CRLDistributionPoints) == 0 {
+ // If the operator hasn't configured any of the URLs prior to
+ // generating this issuer, we should add a warning to the response,
+ // informing them they might want to do so and re-generate the issuer.
+ resp.AddWarning("This mount hasn't configured any authority access information fields; this may make it harder for systems to find missing certificates in the chain or to validate revocation status of certificates. Consider updating /config/urls with this information.")
+ }
+
 switch format {
 case "pem":
 resp.Data["certificate"] = cb.Certificate
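Review bot: The warning literal added here is the same ~250-character user-facing string as in the pathGenerateIntermediate hunk and again in the pathIssuerSignIntermediate hunk at `@@ -368,6 +375,13 @@`; three copies of one operator-visible message drift apart easily and cannot be asserted against in a single test. Hoist it into one package-level constant, e.g. `const missingAIAURLsWarning = "This mount hasn't configured any authority access information fields; ..."` (name is a suggestion), and call `resp.AddWarning(missingAIAURLsWarning)` at all three sites. The inline comment says the operator "hasn't configured any of the URLs", but what is actually inspected is `parsedBundle.Certificate`'s OCSPServer/IssuingCertificateURL/CRLDistributionPoints; the comment should say these extensions are read back from the freshly generated certificate (presumably populated from /config/urls at generation time), so a reader understands that changing the config later does not retroactively add AIA to an already issued root and that re-generation is the remedy the warning text implies. pathCAGenerateRoot's body starts and ends outside the hunk.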
@@ -368,6 +375,13 @@ func (b *backend) pathIssuerSignIntermediate(ctx context.Context, req *logical.R
 resp.AddWarning("This issuer certificate was generated without a Subject; this makes it likely that issuing leaf certs with this certificate will cause TLS validation libraries to reject this certificate.")
 }
 
+ if len(parsedBundle.Certificate.OCSPServer) == 0 && len(parsedBundle.Certificate.IssuingCertificateURL) == 0 && len(parsedBundle.Certificate.CRLDistributionPoints) == 0 {
+ // If the operator hasn't configured any of the URLs prior to
+ // generating this issuer, we should add a warning to the response,
+ // informing them they might want to do so and re-generate the issuer.
+ resp.AddWarning("This mount hasn't configured any authority access information fields; this may make it harder for systems to find missing certificates in the chain or to validate revocation status of certificates. Consider updating /config/urls with this information.")
+ }
+
 switch format {
 case "pem":
 resp.Data["certificate"] = cb.Certificate
diff --git a/changelog/15509.txt b/changelog/15509.txt
new file mode 100644
index 000000000000..88d4aa774b40
--- /dev/null
+++ b/changelog/15509.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+secrets/pki: Warn on missing AIA access information when generating issuers (config/urls).
+```