

Add warning on missing AIA info fields (#15509)
* Add warning on missing AIA info fields

Signed-off-by: Alexander Scheel <[email protected]>

* Add changelog

Signed-off-by: Alexander Scheel <[email protected]>
cipherboy authored May 19, 2022
1 parent bc51921 commit 52770f0
Showing 3 changed files with 25 additions and 0 deletions.
8 changes: 8 additions & 0 deletions builtin/logical/pki/path_intermediate.go
Expand Up @@ -108,6 +108,14 @@ func (b *backend) pathGenerateIntermediate(ctx context.Context, req *logical.Req
Data: map[string]interface{}{},
}

entries, err := getURLs(ctx, req)
if err == nil && len(entries.OCSPServers) == 0 && len(entries.IssuingCertificates) == 0 && len(entries.CRLDistributionPoints) == 0 {
// If the operator hasn't configured any of the URLs prior to
// generating this issuer, we should add a warning to the response,
// informing them they might want to do so and re-generate the issuer.
resp.AddWarning("This mount hasn't configured any authority access information fields; this may make it harder for systems to find missing certificates in the chain or to validate revocation status of certificates. Consider updating /config/urls with this information.")
}

switch format {
case "pem":
resp.Data["csr"] = csrb.CSR
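Review bot: The new warning is skipped silently whenever getURLs returns an error, because the condition is gated on `err == nil` and the error is otherwise dropped, so an operator whose /config/urls entry is unreadable gets neither the warning nor any hint that the check could not run. Since this is a best-effort hint rather than a fatal path, surface that case as a warning as well, e.g. `} else if err != nil { resp.AddWarning("Unable to read /config/urls to check authority access information fields: " + err.Error()) }`. Note also that this path inspects the stored URL configuration while path_root.go inspects the parsed certificate's OCSPServer/IssuingCertificateURL/CRLDistributionPoints fields; that difference is reasonable here because a CSR itself does not carry those extensions, but a short comment such as `// A CSR carries no AIA/CRL extensions, so check the mount's URL config instead of the parsed output.` would keep a later reader from "unifying" the two checks. pathGenerateIntermediate begins and ends outside the hunk.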
14 changes: 14 additions & 0 deletions builtin/logical/pki/path_root.go
Expand Up @@ -178,6 +178,13 @@ func (b *backend) pathCAGenerateRoot(ctx context.Context, req *logical.Request,
resp.AddWarning("This issuer certificate was generated without a Subject; this makes it likely that issuing leaf certs with this certificate will cause TLS validation libraries to reject this certificate.")
}

if len(parsedBundle.Certificate.OCSPServer) == 0 && len(parsedBundle.Certificate.IssuingCertificateURL) == 0 && len(parsedBundle.Certificate.CRLDistributionPoints) == 0 {
// If the operator hasn't configured any of the URLs prior to
// generating this issuer, we should add a warning to the response,
// informing them they might want to do so and re-generate the issuer.
resp.AddWarning("This mount hasn't configured any authority access information fields; this may make it harder for systems to find missing certificates in the chain or to validate revocation status of certificates. Consider updating /config/urls with this information.")
}

switch format {
case "pem":
resp.Data["certificate"] = cb.Certificate
Expand Down Expand Up @@ -368,6 +375,13 @@ func (b *backend) pathIssuerSignIntermediate(ctx context.Context, req *logical.R
resp.AddWarning("This issuer certificate was generated without a Subject; this makes it likely that issuing leaf certs with this certificate will cause TLS validation libraries to reject this certificate.")
}

if len(parsedBundle.Certificate.OCSPServer) == 0 && len(parsedBundle.Certificate.IssuingCertificateURL) == 0 && len(parsedBundle.Certificate.CRLDistributionPoints) == 0 {
// If the operator hasn't configured any of the URLs prior to
// generating this issuer, we should add a warning to the response,
// informing them they might want to do so and re-generate the issuer.
resp.AddWarning("This mount hasn't configured any authority access information fields; this may make it harder for systems to find missing certificates in the chain or to validate revocation status of certificates. Consider updating /config/urls with this information.")
}

switch format {
case "pem":
resp.Data["certificate"] = cb.Certificate
3 changes: 3 additions & 0 deletions changelog/15509.txt
@@ -0,0 +1,3 @@
```release-note:improvement
secrets/pki: Warn on missing AIA access information when generating issuers (config/urls).
```
