Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Let PKI tidy associate revoked certs with their issuers #16871

Merged
merged 8 commits into from
Aug 26, 2022

Conversation

cipherboy
Copy link
Contributor

@cipherboy cipherboy commented Aug 24, 2022

This updates PKI's tidy operation to optionally associate certificates with their issuers.

As noted in a previous PR about OCSP, this allows OCSP to behave faster on existing revocation entries (without this mapping) if CRL building is disabled.


  • Tests
  • Docs
  • Changelog entry

@cipherboy cipherboy added this to the 1.12.0-rc1 milestone Aug 24, 2022
@cipherboy cipherboy requested review from kitography, stevendpclark and a team August 24, 2022 16:45
@cipherboy cipherboy marked this pull request as ready for review August 25, 2022 17:03
@cipherboy cipherboy force-pushed the cipherboy-tidy-associate-revoked-certs branch from 678cabe to 4460d34 Compare August 25, 2022 17:03
@cipherboy cipherboy requested a review from taoism4504 as a code owner August 25, 2022 17:03
@cipherboy cipherboy force-pushed the cipherboy-tidy-associate-revoked-certs branch from 4460d34 to ff73fa1 Compare August 25, 2022 17:06
@cipherboy cipherboy changed the title Let tidy associate revoked certs Let PKI tidy associate revoked certs with their issuers Aug 26, 2022
Copy link
Contributor

@stevendpclark stevendpclark left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good, one comment about a test that seems a little off to me.

builtin/logical/pki/crl_test.go Outdated Show resolved Hide resolved
This refactors the tidy go routine into two separate helpers, making it
clear where the boundaries of each are: variables are passed into these
method and concerns are separated. As more operations are rolled into
tidy, we can continue adding more helpers as appropriate. Additionally,
as we move to make auto-tidy occur, we can use these as points to hook
into periodic tidying.

Signed-off-by: Alexander Scheel <[email protected]>
This allows us to validate whether or not a revInfo entry contains a
presently valid issuer, from the existing mapping. Coupled with the
changeset to identify the issuer on revocation, we can begin adding
capabilities to tidy to update this association, decreasing CRL build
time and increasing the performance of OCSP.

Signed-off-by: Alexander Scheel <[email protected]>
Revocation needs to gracefully handle using the old legacy cert bundle,
so fetching issuers (and parsing them) needs to be done slightly
differently than other places. Refactor this from revokeCert into a
common helper that can be used by tidy.

Signed-off-by: Alexander Scheel <[email protected]>
When revoking a certificate, we need to associate the issuer that signed
its certificate back to the revInfo entry. Historically this was
performed during CRL building (and still remains so), but when running
without CRL building and with only OCSP, performance will degrade as the
issuer needs to be found each time.

Instead, allow the tidy operation to take over this role, allowing us to
increase the performance of OCSP and CRL in this scenario, by decoupling
issuer identification from CRL building in the ideal case.

Signed-off-by: Alexander Scheel <[email protected]>
Signed-off-by: Alexander Scheel <[email protected]>
Signed-off-by: Alexander Scheel <[email protected]>
Finish adding metrics, status messages about new tidy operation.

Signed-off-by: Alexander Scheel <[email protected]>
@cipherboy cipherboy force-pushed the cipherboy-tidy-associate-revoked-certs branch from 7d50d0c to 78d9b3d Compare August 26, 2022 16:35
Copy link
Contributor

@stevendpclark stevendpclark left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

@cipherboy cipherboy enabled auto-merge (squash) August 26, 2022 16:48
@cipherboy cipherboy merged commit 6e69145 into main Aug 26, 2022
@cipherboy cipherboy deleted the cipherboy-tidy-associate-revoked-certs branch December 1, 2022 14:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants