diff --git a/builtin/logical/pki/crl_util.go b/builtin/logical/pki/crl_util.go
index d3337e06ba439..5ecb20f19abf1 100644
--- a/builtin/logical/pki/crl_util.go
+++ b/builtin/logical/pki/crl_util.go
@@ -1248,11 +1248,6 @@ func augmentWithRevokedIssuers(issuerIDEntryMap map[issuerID]*issuerEntry, issue
 func buildCRL(sc *storageContext, crlInfo *crlConfig, forceNew bool, thisIssuerId issuerID, revoked []pkix.RevokedCertificate, identifier crlID, crlNumber int64, isDelta bool, lastCompleteNumber int64) (*time.Time, error) {
 	var revokedCerts []pkix.RevokedCertificate
-	crlLifetime, err := time.ParseDuration(crlInfo.Expiry)
-	if err != nil {
-		return nil, errutil.InternalError{Err: fmt.Sprintf("error parsing CRL duration of %s", crlInfo.Expiry)}
-	}
-
 	if crlInfo.Disable {
 		if !forceNew {
 			// In the event of a disabled CRL, we'll have the next time set
@@ -1266,12 +1261,15 @@ func buildCRL(sc *storageContext, crlInfo *crlConfig, forceNew bool, thisIssuerI
 		// forceNew option). In previous versions of Vault (1.10 series and
 		// earlier), we'd have queried the certs below, whereas we now have
 		// an assignment from a pre-queried list.
-		goto WRITE
+	} else {
+		revokedCerts = revoked
 	}
-	revokedCerts = revoked
+	crlLifetime, err := time.ParseDuration(crlInfo.Expiry)
+	if err != nil {
+		return nil, errutil.InternalError{Err: fmt.Sprintf("error parsing CRL duration of %q", crlInfo.Expiry)}
+	}
-WRITE:
 	signingBundle, caErr := sc.fetchCAInfoByIssuerId(thisIssuerId, CRLSigningUsage)
 	if caErr != nil {
 		switch caErr.(type) {
diff --git a/builtin/logical/pki/storage.go b/builtin/logical/pki/storage.go
index dd4b4174ba501..fe9d5a34916e4 100644
--- a/builtin/logical/pki/storage.go
+++ b/builtin/logical/pki/storage.go
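Review bot: The relocated `if err != nil` branch in the second hunk still drops the error returned by `time.ParseDuration`, so an operator debugging a failed CRL rebuild sees only the raw `Expiry` string and not why it did not parse; since the line is being touched anyway (`%s` to `%q`), also append the cause: `return nil, errutil.InternalError{Err: fmt.Sprintf("error parsing CRL duration of %q: %v", crlInfo.Expiry, err)}`. A second thing worth noting is that `time.ParseDuration` accepts `"0s"` and negative values such as `"-1h"`; `crlLifetime` is consumed further down, outside this hunk, and if it is not range-checked there a non-positive lifetime would presumably produce a CRL that is already stale when signed, so a `if crlLifetime <= 0 { ... }` guard next to the parse would be cheap insurance. The body of buildCRL continues past the end of this hunk.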
@@ -1174,6 +1174,12 @@ func (sc *storageContext) getRevocationConfig() (*crlConfig, error) {
 		result.Version = 1
 	}
+	// Depending on client version, it's possible that the expiry is unset.
+	// This sets the default value to prevent issues in downstream code.
+	if result.Expiry == "" {
+		result.Expiry = defaultCrlConfig.Expiry
+	}
+
 	return &result, nil
 }
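Review bot: The new comment above the `result.Expiry == ""` check is ambiguous: "client version" reads as an API client, but what is being normalized here is a stored config entry read back by the server, so the reader cannot tell which versions are meant or what "issues in downstream code" are. I would reword it to state the mechanism, e.g. `// Stored configs written by older Vault versions may lack Expiry; apply the package default so downstream parsing (time.ParseDuration in buildCRL) always has a value.` Note also that the default is applied only on this read path and the stored entry itself stays empty, so any other reader of the raw entry, or the config write path (neither visible in this diff), would need the same treatment if they exist. The enclosing getRevocationConfig starts before this hunk.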