envoy: check certificates for must-staple flag and drop them if they are missing the response (#2909)

* envoy: check certificates for must-staple flag and drop them if they are missing the response * Update config/envoyconfig/tls_test.go Co-authored-by: Denis Mishin <dmishin@pomerium.com> Co-authored-by: Denis Mishin <dmishin@pomerium.com>
2025-05-13 00:58:06 +02:00 · 2022-01-10 10:51:56 -07:00 · 2022-01-10 10:51:56 -07:00 · 49fb00c895
commit 49fb00c895
parent 58ca681f40
4 changed files with 63 additions and 3 deletions
--- a/pkg/cryptutil/certificates.go
+++ b/pkg/cryptutil/certificates.go
@ -163,7 +163,7 @@ func EncodePrivateKey(key *ecdsa.PrivateKey) ([]byte, error) {
 // GenerateSelfSignedCertificate generates a self-signed TLS certificate.
 //
 // mostly copied from https://golang.org/src/crypto/tls/generate_cert.go
-func GenerateSelfSignedCertificate(domain string) (*tls.Certificate, error) {
+func GenerateSelfSignedCertificate(domain string, configure ...func(*x509.Certificate)) (*tls.Certificate, error) {
 	privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
 	if err != nil {
 		return nil, fmt.Errorf("failed to geneate private key: %w", err)
@ -175,7 +175,7 @@ func GenerateSelfSignedCertificate(domain string) (*tls.Certificate, error) {
 		return nil, fmt.Errorf("failed to generate serial number: %w", err)
 	}

-	template := x509.Certificate{
+	template := &x509.Certificate{
 		SerialNumber: serialNumber,
 		Subject: pkix.Name{
 			Organization: []string{"Pomerium"},
@ -191,9 +191,12 @@ func GenerateSelfSignedCertificate(domain string) (*tls.Certificate, error) {
 	} else {
 		template.DNSNames = append(template.DNSNames, domain)
 	}
+	for _, f := range configure {
+		f(template)
+	}

 	publicKeyBytes, err := x509.CreateCertificate(rand.Reader,
-		&template, &template,
+		template, template,
 		privateKey.Public(), privateKey,
 	)
 	if err != nil {