ca: only pass the OCSP Must-Staple extension
wgreenberg committed Feb 26, 2024
1 parent b89fb7e commit f337632
Showing 2 changed files with 74 additions and 1 deletion.
15 changes: 14 additions & 1 deletion ca/ca.go
@@ -1,6 +1,7 @@
package ca

import (
"bytes"
"crypto"
"crypto/rand"
"crypto/rsa"
Expand Down Expand Up @@ -373,6 +374,10 @@ func New(log *log.Logger, db *db.MemoryStore, ocspResponderURL string, alternate
return ca
}

func isOCSPMustStapleExtension(ext pkix.Extension) bool {
return ext.Id.Equal(asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 24}) && bytes.Equal(ext.Value, []byte{0x30, 0x03, 0x02, 0x01, 0x05})
}

func (ca *CAImpl) CompleteOrder(order *core.Order) {
// Lock the order for reading
order.RLock()
Expand All @@ -397,9 +402,17 @@ func (ca *CAImpl) CompleteOrder(order *core.Order) {
authz.RUnlock()
}

// Build a list of approved extensions to include in the certificate
var extensions []pkix.Extension
for _, ext := range order.ParsedCSR.Extensions {
if isOCSPMustStapleExtension(ext) {
extensions = append(extensions, ext)
}
}

// issue a certificate for the csr
csr := order.ParsedCSR
cert, err := ca.newCertificate(csr.DNSNames, csr.IPAddresses, csr.PublicKey, order.AccountID, order.NotBefore, order.NotAfter, csr.Extensions)
cert, err := ca.newCertificate(csr.DNSNames, csr.IPAddresses, csr.PublicKey, order.AccountID, order.NotBefore, order.NotAfter, extensions)
if err != nil {
ca.log.Printf("Error: unable to issue order: %s", err.Error())
return
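Review bot: `isOCSPMustStapleExtension` compares against two bare literals and carries no doc comment; the next reader has to decode them by hand, so I would add `// isOCSPMustStapleExtension reports whether ext is the TLS Feature extension (id-pe-tlsfeature, OID 1.3.6.1.5.5.7.1.24) whose DER value is SEQUENCE { INTEGER 5 } (status_request), i.e. OCSP Must-Staple; any other OID or encoding is rejected.` Separately, the loop `for _, ext := range order.ParsedCSR.Extensions` appends the CSR's `pkix.Extension` verbatim, so the requester also decides the `Critical` flag of the extension that lands in the issued certificate; since the CA owns the certificate profile, consider building the forwarded extension from `ext.Id` and `ext.Value` only and setting `Critical` explicitly. Minor: the loop reads `order.ParsedCSR` two lines before `csr := order.ParsedCSR` is declared, so hoisting that assignment above the loop would avoid the duplicate dereference. CompleteOrder's body continues outside the hunk.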
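--- a/ca/ca_test.go
+++ b/ca/ca_test.go
@@ -0,0 +1,60 @@
+package ca
+
+import (
+"crypto/ecdsa"
+"crypto/elliptic"
+"crypto/rand"
+"crypto/x509"
+"crypto/x509/pkix"
+"encoding/asn1"
+"log"
+"net"
+"os"
+"testing"
+"time"
+
+"github.com/letsencrypt/pebble/v2/acme"
+"github.com/letsencrypt/pebble/v2/core"
+"github.com/letsencrypt/pebble/v2/db"
+)
+
+func TestOCSPMustStaple(t *testing.T) {
+logger := log.New(os.Stdout, "Pebble ", log.LstdFlags)
+privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+if err != nil {
+panic(err)
+}
+db := db.NewMemoryStore()
+ca := New(logger, db, "", 0, 1, 0)
+csr := x509.CertificateRequest{
+DNSNames: []string{"test.org"},
+IPAddresses: []net.IP{[]byte{10, 255, 0, 0}},
+PublicKey: &privateKey.PublicKey,
+Extensions: []pkix.Extension{
+{
+Id: asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 24},
+Critical: false,
+Value: []byte{0x30, 0x03, 0x02, 0x01, 0x05},
+},
+},
+}
+var uniquenames []acme.Identifier
+uniquenames = append(uniquenames, acme.Identifier{Value: "13.12.13.12", Type: acme.IdentifierIP})
+order := &core.Order{
+ID: "randomstring",
+AccountID: "accountid",
+ParsedCSR: &csr,
+BeganProcessing: true,
+Order: acme.Order{
+Status: acme.StatusPending,
+Expires: time.Now().AddDate(0, 0, 1).UTC().Format(time.RFC3339),
+Identifiers: uniquenames,
+NotBefore: time.Now().UTC().Format(time.RFC3339),
+NotAfter: time.Now().AddDate(30, 0, 0).UTC().Format(time.RFC3339),
+},
+ExpiresDate: time.Now().AddDate(0, 0, 1).UTC(),
+}
+
+ca.CompleteOrder(order)
+log.Printf("cert: %+v", order.CertificateObject.Cert)
+}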
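Review bot: `TestOCSPMustStaple` never asserts anything: after `ca.CompleteOrder(order)` it only logs `order.CertificateObject.Cert`, so the test passes whether or not the Must-Staple extension was carried into the issued certificate, and it cannot show that a non-allowlisted extension is dropped, which is the point of the commit. If `CompleteOrder` takes its logged error path and returns early, `order.CertificateObject` is presumably still nil (inferred from the surrounding hunk, not visible here) and the `log.Printf` line panics instead of failing cleanly. I would replace the log line with an explicit check for the extension in the issued certificate, add a second CSR extension with an unrelated OID and assert it is absent, and use `t.Fatal(err)` in place of `panic(err)`; `db := db.NewMemoryStore()` also shadows the `db` package import and is better named `store`. The fence assumes `Cert` is an `*x509.Certificate` — confirm against `core.Certificate`.
```go
ca.CompleteOrder(order)
if order.CertificateObject == nil || order.CertificateObject.Cert == nil {
	t.Fatal("CompleteOrder did not issue a certificate")
}
// assumes Cert is an *x509.Certificate — confirm against core.Certificate
var found bool
for _, ext := range order.CertificateObject.Cert.Extensions {
	if isOCSPMustStapleExtension(ext) {
		found = true
	}
}
if !found {
	t.Fatal("issued certificate does not carry the OCSP Must-Staple extension")
}
```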
