Merge pull request #5119 from Infisical/fix/crl-next-update

fix: nextUpdate on CRLs defaults to seven days
This commit is contained in:
carlosmonastyrski
2026-01-06 17:54:33 -03:00
committed by GitHub
4 changed files with 23 additions and 6 deletions


@@ -5,6 +5,7 @@ import { crypto } from "@app/lib/crypto/cryptography";
import { NotFoundError } from "@app/lib/errors";
import { getProjectKmsCertificateKeyId } from "@app/services/project/project-fns";
import { DEFAULT_CRL_VALIDITY_DAYS } from "../certificate-common/certificate-constants";
import { CertKeyAlgorithm, CertStatus } from "../certificate/certificate-types";
import { TCertificateAuthorityDALFactory } from "./certificate-authority-dal";
import {
@@ -371,10 +372,14 @@ export const rebuildCaCrl = async ({
status: CertStatus.REVOKED
});
const thisUpdate = new Date();
const nextUpdate = new Date(thisUpdate);
nextUpdate.setDate(nextUpdate.getDate() + DEFAULT_CRL_VALIDITY_DAYS);
const crl = await x509.X509CrlGenerator.create({
issuer: ca.internalCa.dn,
thisUpdate: new Date(),
nextUpdate: new Date("2025/12/12"),
thisUpdate,
nextUpdate,
entries: revokedCerts.map((revokedCert) => {
const revocationDate = new Date(revokedCert.revokedAt as Date);
return {
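Review bot: The `nextUpdate` computation just above `X509CrlGenerator.create` uses `setDate`, which operates in the process's local time, so the UTC value encoded into the CRL is off by an hour when the seven-day window straddles a DST transition, and the same three lines are repeated verbatim in the queue and CA-creation paths of this commit. Millisecond arithmetic is deterministic and fits on one line: `const nextUpdate = new Date(thisUpdate.getTime() + DEFAULT_CRL_VALIDITY_DAYS * 24 * 60 * 60 * 1000);`. Better still, a small helper exported next to the constant in certificate-common would keep the three call sites from drifting apart, which matters because a mismatch in any one of them silently changes how long relying parties trust that CA's revocation data. rebuildCaCrl starts before and ends after this hunk.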


@@ -7,6 +7,7 @@ import { daysToMillisecond, secondsToMillis } from "@app/lib/dates";
import { BadRequestError, NotFoundError } from "@app/lib/errors";
import { logger } from "@app/lib/logger";
import { QueueJobs, QueueName, TQueueServiceFactory } from "@app/queue";
import { DEFAULT_CRL_VALIDITY_DAYS } from "@app/services/certificate-common/certificate-constants";
import { TCertificateDALFactory } from "@app/services/certificate/certificate-dal";
import { CertKeyAlgorithm, CertStatus } from "@app/services/certificate/certificate-types";
import { TKmsServiceFactory } from "@app/services/kms/kms-service";
@@ -243,10 +244,14 @@ export const certificateAuthorityQueueFactory = ({
status: CertStatus.REVOKED
});
const thisUpdate = new Date();
const nextUpdate = new Date(thisUpdate);
nextUpdate.setDate(nextUpdate.getDate() + DEFAULT_CRL_VALIDITY_DAYS);
const crl = await x509.X509CrlGenerator.create({
issuer: ca.internalCa.dn,
thisUpdate: new Date(),
nextUpdate: new Date("2025/12/12"), // TODO: depends on configured rebuild interval
thisUpdate,
nextUpdate,
entries: revokedCerts.map((revokedCert) => {
return {
serialNumber: revokedCert.serialNumber,
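Review bot: The deleted TODO (`depends on configured rebuild interval`) named a constraint the new `nextUpdate` lines still leave unencoded: `nextUpdate` is a hard deadline for relying parties, and if the queue's rebuild cadence is ever longer than DEFAULT_CRL_VALIDITY_DAYS, or a rebuild job is delayed past it, clients see a stale CRL — some fail closed (outage), others fail open and accept revoked certificates. The rebuild interval is not visible in this hunk, so I cannot confirm it is comfortably under seven days; at minimum keep the dependency documented, e.g. `// must stay later than the next scheduled rebuild: a CRL past nextUpdate is stale to relying parties (RFC 5280 §5.1.2.5)`, and ideally assert the relationship where the rebuild job is scheduled. This file already imports `daysToMillisecond`, so `const nextUpdate = new Date(thisUpdate.getTime() + daysToMillisecond(DEFAULT_CRL_VALIDITY_DAYS));` would replace the two `setDate` lines and avoid local-time date arithmetic. The enclosing queue handler continues outside the hunk.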


@@ -37,6 +37,7 @@ import {
CertStatus,
TAltNameMapping
} from "../../certificate/certificate-types";
import { DEFAULT_CRL_VALIDITY_DAYS } from "../../certificate-common/certificate-constants";
import { TCertificateTemplateDALFactory } from "../../certificate-template/certificate-template-dal";
import { validateCertificateDetailsAgainstTemplate } from "../../certificate-template/certificate-template-fns";
import { TCertificateAuthorityCertDALFactory } from "../certificate-authority-cert-dal";
@@ -313,10 +314,14 @@ export const internalCertificateAuthorityServiceFactory = ({
}
// create empty CRL
const thisUpdate = new Date();
const nextUpdate = new Date(thisUpdate);
nextUpdate.setDate(nextUpdate.getDate() + DEFAULT_CRL_VALIDITY_DAYS);
const crl = await x509.X509CrlGenerator.create({
issuer: internalCa.dn,
thisUpdate: new Date(),
nextUpdate: new Date("2025/12/12"), // TODO: change
thisUpdate,
nextUpdate,
entries: [],
signingAlgorithm: alg,
signingKey: keys.privateKey
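Review bot: The initial empty CRL now expires DEFAULT_CRL_VALIDITY_DAYS after CA creation, so a CA that never revokes a certificate still depends on the periodic rebuild to keep its CRL fresh; nothing in this hunk shows that rebuild being scheduled at creation time, so that should be confirmed rather than assumed. The `// create empty CRL` comment is the right place to record it: `// create empty CRL; like every CRL it expires after DEFAULT_CRL_VALIDITY_DAYS, so the periodic rebuild must run even for a CA with no revocations`. The enclosing factory method starts and ends outside the hunk.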


@@ -195,6 +195,8 @@ export const CERTIFICATE_RENEWAL_CONFIG = {
QUEUE_START_DELAY_MS: 5000
} as const;
export const DEFAULT_CRL_VALIDITY_DAYS = 7;
export const SAN_TYPE_OPTIONS = Object.values(CertSubjectAlternativeNameType);
export const KEY_USAGE_OPTIONS = Object.values(CertKeyUsageType);
export const EXTENDED_KEY_USAGE_OPTIONS = Object.values(CertExtendedKeyUsageType);
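Review bot: `DEFAULT_CRL_VALIDITY_DAYS` is exported with no doc comment, and its three consumers in this commit each re-derive `nextUpdate` from it inline, so neither the meaning of the number (a staleness deadline relying parties enforce, not a soft refresh hint) nor the invariant it must satisfy (longer than the CRL rebuild period, with slack for a late job) is written down anywhere. Add a TSDoc stating that the unit is days, that it feeds the CRL `nextUpdate` field (RFC 5280 §5.1.2.5), and that it must exceed the rebuild interval, and place a small helper beside it so the call sites share one implementation and use millisecond arithmetic instead of local-time `setDate`. The rebuild interval itself is not visible here, so the invariant can only be documented in this file, not checked.

```typescript
// … unchanged: CERTIFICATE_RENEWAL_CONFIG …

/**
 * Validity window, in days, written into each CRL's nextUpdate field
 * (RFC 5280 §5.1.2.5). Relying parties treat a CRL past nextUpdate as
 * stale, so this MUST be longer than the interval at which CRLs are
 * rebuilt, with slack for a delayed rebuild job.
 */
export const DEFAULT_CRL_VALIDITY_DAYS = 7;

/** thisUpdate/nextUpdate pair for a CRL generated at `now` (UTC arithmetic, DST-safe). */
export const getCrlValidityWindow = (validityDays = DEFAULT_CRL_VALIDITY_DAYS, now = new Date()) => {
  const nextUpdate = new Date(now.getTime() + validityDays * 24 * 60 * 60 * 1000);
  return { thisUpdate: now, nextUpdate };
};

// … unchanged: SAN_TYPE_OPTIONS, KEY_USAGE_OPTIONS, EXTENDED_KEY_USAGE_OPTIONS …
```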