From 9685c94459ee8e8d87579ea39d0aa0f348ce19a9 Mon Sep 17 00:00:00 2001
From: Jeff Mitchell
Date: Mon, 22 Feb 2016 13:36:17 -0500
Subject: [PATCH 1/2] Do not delete certs (or revocation information) to avoid potential issues related to time synchronization. A function will be added to allow operators to perform cleanup at chosen times.

---
 builtin/logical/pki/crl_util.go | 18 ------------------
 1 file changed, 18 deletions(-)

diff --git a/builtin/logical/pki/crl_util.go b/builtin/logical/pki/crl_util.go
index 625c5db797..fe9be01f44 100644
--- a/builtin/logical/pki/crl_util.go
+++ b/builtin/logical/pki/crl_util.go
@@ -40,14 +40,6 @@ func revokeCert(b *backend, req *logical.Request, serial string) (*logical.Respo
 }
 }
 if certEntry != nil {
- // Verify that it is also deleted from certs/
- // in case of partial failure from an earlier run.
- certEntry, _ = fetchCertBySerial(req, "certs/", serial)
- if certEntry == nil {
- // Everything seems sane, so don't rebuild the CRL
- return nil, nil
- }
-
 // Set the revocation info to the existing values
 alreadyRevoked = true
@@ -111,8 +103,6 @@ func revokeCert(b *backend, req *logical.Request, serial string) (*logical.Respo
 return nil, fmt.Errorf("Error encountered during CRL building: %s", crlErr)
 }
- err = req.Storage.Delete("certs/" + serial)
-
 if err != nil {
 return nil, fmt.Errorf("Error deleting cert from valid-certs location")
 }
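Review bot: Dropping the certs/ cross-check means any entry under revoked/ now marks the serial alreadyRevoked and falls through, where the old code short-circuited with `return nil, nil`; if that fall-through still reaches buildCRL (the rest of revokeCert is outside this hunk), every repeated revoke of the same serial triggers a full CRL rebuild, so consider returning the stored revocation info early once alreadyRevoked is set. Because certs/ is no longer pruned on revocation, a cert's presence there no longer implies validity, and that new invariant deserves a comment at the `if certEntry != nil {` line: `// revoked/ is the sole source of truth for revocation status; certs/ entries are kept after revoke.` revokeCert's body starts and ends outside this hunk.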
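Review bot: The `if err != nil {` block following the removed Delete call is left in place, so after this commit it tests whatever `err` last held earlier in revokeCert and would report "Error deleting cert from valid-certs location" for an error unrelated to deletion (or is dead code if every earlier error already returned). The follow-up commit db8b428 deletes exactly these lines, so that fixup should be squashed into this commit so each commit in the series stands on its own and bisects cleanly. The enclosing function continues outside this hunk.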
@@ -162,14 +152,6 @@ func buildCRL(b *backend, req *logical.Request) error {
 return certutil.InternalError{Err: fmt.Sprintf("Unable to parse stored revoked certificate with serial %s: %s", serial, err)}
 }
- if revokedCert.NotAfter.Before(time.Now()) {
- err = req.Storage.Delete(serial)
- if err != nil {
- return certutil.InternalError{Err: fmt.Sprintf("Unable to delete revoked, expired certificate with serial %s: %s", serial, err)}
- }
- continue
- }
-
 revokedCerts = append(revokedCerts, pkix.RevokedCertificate{
 SerialNumber: revokedCert.SerialNumber,
 RevocationTime: time.Unix(revInfo.RevocationTime, 0),

From db8b4287e35b61b1d57cabbebbac6665d544c2b5 Mon Sep 17 00:00:00 2001
From: Jeff Mitchell
Date: Mon, 22 Feb 2016 16:11:01 -0500
Subject: [PATCH 2/2] Address review feedback

---
 builtin/logical/pki/crl_util.go | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/builtin/logical/pki/crl_util.go b/builtin/logical/pki/crl_util.go
index fe9be01f44..bdd06362fc 100644
--- a/builtin/logical/pki/crl_util.go
+++ b/builtin/logical/pki/crl_util.go
@@ -103,10 +103,6 @@ func revokeCert(b *backend, req *logical.Request, serial string) (*logical.Respo
 return nil, fmt.Errorf("Error encountered during CRL building: %s", crlErr)
 }
- if err != nil {
- return nil, fmt.Errorf("Error deleting cert from valid-certs location")
- }
-
 return &logical.Response{
 Data: map[string]interface{}{
 "revocation_time": revInfo.RevocationTime,
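Review bot: With the NotAfter check removed, expired revoked certificates are appended to revokedCerts on every build, so the CRL grows monotonically until the operator-invoked cleanup mentioned in the commit message exists; retaining them is the conservative choice (clock skew can no longer drop an entry early), but the reason belongs in the code rather than only in the commit message. A comment where the removed block stood would do: `// Expired entries are deliberately kept: pruning against time.Now() is unsafe under clock skew and is left to an explicit tidy operation.` Operators with large revocation volumes should be warned that CRL size is now unbounded until that operation ships. buildCRL's loop starts and ends outside this hunk.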