zydronium/google-nomulus
1
0
Fork 0
mirror of https://github.com/google/nomulus.git synced 2025-07-21 18:26:12 +02:00
Code Issues Projects Releases Packages Wiki Activity

Ignore invalid old CRL when performing update. (#1946)

Browse source 
There is no point comparing the old CRL to the new ones when the old one
is invalid. This could happen when the CA cert rotates, after which the
old CRL stop being valid as it fails signature verification against the
new cert.

This change will allow us to keep updating the CRL after a CA rotation without
having to manually delete the old CRL from the database.

See b/270983553.

<!-- Reviewable:start -->
- - -
This change is [<img src="https://reviewable.io/review_button.svg" height="34" align="absmiddle" alt="Reviewable"/>](https://reviewable.io/reviews/google/nomulus/1946)
<!-- Reviewable:end -->
This commit is contained in:
Lai Jiang 2023-02-28 10:00:18 -05:00 committed by GitHub
parent 16836475cd
commit 33f9bc30b7
2 changed files with 14 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

12
core/src/main/java/google/registry/tmch/TmchCertificateAuthority.java
View file

@ -22,6 +22,7 @@ import static google.registry.util.ResourceUtils.readResourceUtf8;
import com.github.benmanes.caffeine.cache.CacheLoader;
import com.github.benmanes.caffeine.cache.LoadingCache;
import com.google.common.collect.ImmutableMap;
import com.google.common.flogger.FluentLogger;
import google.registry.config.RegistryConfig.Config;
import google.registry.config.RegistryConfig.ConfigModule.TmchCaMode;
import google.registry.model.CacheUtils;
@ -55,6 +56,7 @@ public final class TmchCertificateAuthority {
private static final String ROOT_CRT_PILOT_FILE = "icann-tmch-pilot.crt";
private static final String CRL_FILE = "icann-tmch.crl";
private static final String CRL_PILOT_FILE = "icann-tmch-pilot.crl";
private static final FluentLogger logger = FluentLogger.forEnclosingClass();
private final TmchCaMode tmchCaMode;
private final Clock clock;
@ -142,8 +144,14 @@ public final class TmchCertificateAuthority {
* @see X509Utils#verifyCrl
*/
public void updateCrl(String asciiCrl, String url) throws GeneralSecurityException {
X509CRL crl = X509Utils.loadCrl(asciiCrl);
X509Utils.verifyCrl(getAndValidateRoot(), getCrl(), crl, clock.nowUtc().toDate());
X509CRL newCrl = X509Utils.loadCrl(asciiCrl);
X509CRL oldCrl = null;
try {
oldCrl = getCrl();
} catch (Exception e) {
logger.atWarning().withCause(e).log("Old CRL is invalid, ignored during CRL update.");
}
X509Utils.verifyCrl(getAndValidateRoot(), oldCrl, newCrl, clock.nowUtc().toDate());
TmchCrl.set(asciiCrl, url);
}