
fix(crl): enforce CRL metadata with scoped legacy backfill #7531

Merged
vitormattos merged 5 commits into main from
fix/7495-crl-revoke-legacy-metadata
Apr 21, 2026


@vitormattos vitormattos commented Apr 21, 2026

Summary

  • enforce strict CRL metadata handling in revocation flow: revocation now requires instance_id, generation and engine
  • add migration Version17004Date20260421000000 to backfill only problematic legacy rows (status=issued with missing CRL metadata)
  • keep migration fail-safe: if metadata source is not deterministic, it skips backfill instead of writing guessed values
  • limit migration impact to the problematic subset; no file operations and no delete/drop/truncate behavior
  • add regression test for SerialNumberService to guarantee new certificates persist CRL metadata
  • make CRL test less brittle by avoiding assertion on internal error text

Testing

  • composer test:unit -- --filter CrlServiceTest
  • composer test:unit -- --filter CrlApiControllerTest
  • composer test:unit -- --filter SerialNumberServiceTest

Closes #7495

Signed-off-by: Vitor Mattos <1079143+vitormattos@users.noreply.github.com>
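
An added example, not code from this pull request or from LibreSign: a minimal sketch of the two behaviours the summary describes, a strict check that revocation has instance_id, generation and engine, and a backfill limited to status=issued rows that lack them. The table name, the serial column, the sample rows and the rule used to decide that a source is deterministic (exactly one complete metadata tuple exists) are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical schema: table name and serial column are assumptions; only
// instance_id, generation, engine and status=issued come from the PR summary.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE crl_demo (serial TEXT PRIMARY KEY, status TEXT,
    instance_id TEXT, generation INTEGER, engine TEXT)');
// Constructed sample rows: one legacy row without metadata, one complete row.
$db->exec("INSERT INTO crl_demo VALUES
    ('01', 'issued', NULL, NULL, NULL),
    ('02', 'issued', 'inst-a', 1, 'openssl')");

/** Backfill only issued rows lacking metadata; skip when the source is ambiguous. */
function backfillLegacyRows(PDO $db): int {
    $missing = 'instance_id IS NULL OR generation IS NULL OR engine IS NULL';
    $sources = $db->query("SELECT DISTINCT instance_id, generation, engine
        FROM crl_demo WHERE NOT ($missing)")->fetchAll(PDO::FETCH_ASSOC);
    if (count($sources) !== 1) {
        return 0; // assumed rule: zero or several candidates means do not guess
    }
    $stmt = $db->prepare("UPDATE crl_demo
        SET instance_id = :i, generation = :g, engine = :e
        WHERE status = 'issued' AND ($missing)");
    $stmt->execute([':i' => $sources[0]['instance_id'],
        ':g' => $sources[0]['generation'], ':e' => $sources[0]['engine']]);
    return $stmt->rowCount();
}

/** Strict revocation guard: refuse to proceed without all three fields. */
function assertCrlMetadata(array $row): void {
    foreach (['instance_id', 'generation', 'engine'] as $field) {
        if (!isset($row[$field]) || $row[$field] === '') {
            throw new InvalidArgumentException("Missing CRL metadata: $field");
        }
    }
}

$legacy = $db->query("SELECT * FROM crl_demo WHERE serial = '01'")->fetch(PDO::FETCH_ASSOC);
try {
    assertCrlMetadata($legacy);
} catch (InvalidArgumentException $e) {
    echo 'before backfill: ', $e->getMessage(), PHP_EOL;
}
echo 'rows backfilled: ', backfillLegacyRows($db), PHP_EOL;
$legacy = $db->query("SELECT * FROM crl_demo WHERE serial = '01'")->fetch(PDO::FETCH_ASSOC);
assertCrlMetadata($legacy); // passes now: all three fields are populated
echo 'after backfill: ', $legacy['instance_id'], PHP_EOL;
```

Adding a second complete row with a different instance_id makes the backfill return 0 and leaves the legacy row untouched, so the guard keeps rejecting it rather than revoking against guessed metadata.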
@github-project-automation github-project-automation Bot moved this to 0. Needs triage in Roadmap Apr 21, 2026
@vitormattos vitormattos changed the title fix(crl): revoke legacy certificates without CA metadata fix(crl): enforce CRL metadata with scoped legacy backfill Apr 21, 2026
@vitormattos (Member, Author)

/backport to stable33

@vitormattos (Member, Author)

/backport to stable32

@vitormattos vitormattos merged commit de8437c into main Apr 21, 2026
77 checks passed
@vitormattos vitormattos deleted the fix/7495-crl-revoke-legacy-metadata branch April 21, 2026 18:24
@backportbot-libresign

The backport to stable32 failed. Please do this backport manually.

# Switch to the target branch and update it
git checkout stable32
git pull origin stable32

# Create the new backport branch
git checkout -b backport/7531/stable32

# Cherry pick the change from the commit sha1 of the change against the default branch
# This might cause conflicts, resolve them
git cherry-pick fbbf13fd 70fd9888 67508186 a6b0980a 63e43257

# Push the cherry pick commit to the remote repository and open a pull request
git push origin backport/7531/stable32

Error: Failed to push branch backport/7531/stable32: remote: Invalid username or token. Password authentication is not supported for Git operations.
fatal: Authentication failed for 'https://github.com/LibreSign/libresign.git/'


Learn more about backports at https://docs.nextcloud.com/server/stable/go.php?to=developer-backports.

@vitormattos (Member, Author)

/backport to stable32


Projects

Status: 4. to release

Development

Successfully merging this pull request may close these issues.

[NC 33] TypeError: getNextCrlNumber(): Argument #1 ($instanceId) must be of type string, null given on Certificate Revocation
