Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ra: revoke with explicit CRL shard #7944

Open
wants to merge 11 commits into
base: main
Choose a base branch
from
Open

ra: revoke with explicit CRL shard #7944

wants to merge 11 commits into from

Conversation

jsha
Copy link
Contributor

@jsha jsha commented Jan 13, 2025
edited
Loading

In RA.RevokedCertificate, if the certificate being revoked has a crlDistributionPoints extension, parse the URL and pass the appropriate shard to the SA.

This required some changes to the admin tool. When a malformed certificate is revoked, we don't have a parsed copy of the certificate to extract a CRL URL from. So, specifically when a malformed certificate is being revoked, allow specifying a CRL shard. Because different certificates will have different shards, require one-at-a-time revocation for malformed certificates.

To support that refactoring, move the serial-cleaning functionality earlier in the admin tool's flow.

Also, split out one of the cases handled by the revokeCertificate helper in the RA. For admin revocations, we need to accept a human-specified ShardIdx, so call the SA directly in that case (and skip stat increment since admin revocations aren't useful for metrics). This allows revokeCertificate to be a more helpful helper, by extracting serial, issuer ID, and CRL shard automatically from an *x509.Certificate.

Note: we don't yet issue certificates with the crlDistributionPoints extension, so this code will not be active until we start doing so.

Part of #7094.

@jsha jsha requested a review from a team as a code owner January 13, 2025 20:41
@jsha jsha requested a review from aarongable January 13, 2025 20:41
@jsha jsha force-pushed the revoke-with-explicit-shard branch from 24ec095 to ae2e387 Compare January 13, 2025 23:26
aarongable
aarongable reviewed Jan 14, 2025
View reviewed changes
cmd/admin/cert.go Show resolved Hide resolved
cmd/admin/cert.go Outdated Show resolved Hide resolved
cmd/admin/cert_test.go Show resolved Hide resolved
ra/proto/ra.proto Outdated Show resolved Hide resolved
ra/ra.go Show resolved Hide resolved
ra/ra.go Show resolved Hide resolved
@jsha jsha mentioned this pull request Jan 14, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@aarongable aarongable aarongable left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@jsha @aarongable