Don’t try to revoke child keys for non-existing resource classes. (#1207

) This PR adds a check whether the resource class exists before applying a “child revoke key” command. This fixes a crash where revoking a parent removed a resource class which then lead to children revoking keys for that now non-existing resource class. The change will cause to simply send an OK response to such requests.
NLnetLabs · Jun 17, 2024 · 96ce18e · 96ce18e
1 parent b45f734
commit 96ce18e
Showing 1 changed file with 9 additions and 0 deletions.
diff --git a/src/daemon/ca/certauth.rs b/src/daemon/ca/certauth.rs
@@ -905,6 +905,15 @@ impl CertAuth {
     fn child_revoke_key(&self, child_handle: ChildHandle, request: RevocationRequest) -> KrillResult<Vec<CaEvt>> {
         let (rcn, key) = request.unpack();
 
+        if !self.resources.contains_key(&rcn) {
+            // This request is for a resource class we don't have. We should
+            // not get such requests but telling this to a child may confuse
+            // them more, so just return with an empty vec of events - there
+            // is no work to do - and ensure that the child just gets a
+            // confirmation where this is called.
+            return Ok(vec![])
+        }
+
         let child = self.get_child(&child_handle)?;
 
         if !child.is_issued(&key) {