Default crl expiry

Ref: #17642

builtin/logical/pki/crl_util.go

@@ -1248,11 +1248,6 @@ func augmentWithRevokedIssuers(issuerIDEntryMap map[issuerID]*issuerEntry, issue
 func buildCRL(sc *storageContext, crlInfo *crlConfig, forceNew bool, thisIssuerId issuerID, revoked []pkix.RevokedCertificate, identifier crlID, crlNumber int64, isDelta bool, lastCompleteNumber int64) (*time.Time, error) {
 	var revokedCerts []pkix.RevokedCertificate
 
-	crlLifetime, err := time.ParseDuration(crlInfo.Expiry)
-	if err != nil {
-		return nil, errutil.InternalError{Err: fmt.Sprintf("error parsing CRL duration of %s", crlInfo.Expiry)}
-	}
-
 	if crlInfo.Disable {
 		if !forceNew {
 			// In the event of a disabled CRL, we'll have the next time set
@@ -1266,12 +1261,15 @@ func buildCRL(sc *storageContext, crlInfo *crlConfig, forceNew bool, thisIssuerI
 		// forceNew option). In previous versions of Vault (1.10 series and
 		// earlier), we'd have queried the certs below, whereas we now have
 		// an assignment from a pre-queried list.
-		goto WRITE
+	} else {
+		revokedCerts = revoked
 	}
 
-	revokedCerts = revoked
+	crlLifetime, err := time.ParseDuration(crlInfo.Expiry)
+	if err != nil {
+		return nil, errutil.InternalError{Err: fmt.Sprintf("error parsing CRL duration of %q", crlInfo.Expiry)}
+	}
 
-WRITE:
 	signingBundle, caErr := sc.fetchCAInfoByIssuerId(thisIssuerId, CRLSigningUsage)
 	if caErr != nil {
 		switch caErr.(type) {

builtin/logical/pki/storage.go

@@ -1174,6 +1174,12 @@ func (sc *storageContext) getRevocationConfig() (*crlConfig, error) {
 		result.Version = 1
 	}
 
+	// Depending on client version, it's possible that the expiry is unset.
+	// This sets the default value to prevent issues in downstream code.
+	if result.Expiry == "" {
+		result.Expiry = defaultCrlConfig.Expiry
+	}
+
 	return &result, nil
 }