mirror of
https://github.com/pomerium/pomerium.git
synced 2025-04-30 10:56:28 +02:00
envoy: check certificates for must-staple flag and drop them if they are missing the response (#2909)
* envoy: check certificates for must-staple flag and drop them if they are missing the response * Update config/envoyconfig/tls_test.go Co-authored-by: Denis Mishin <dmishin@pomerium.com> Co-authored-by: Denis Mishin <dmishin@pomerium.com>
This commit is contained in:
Caleb Doxsey
GitHub
parent
58ca681f40
commit
49fb00c895
4 changed files with 63 additions and 3 deletions
|
|
@ -648,6 +648,12 @@ func (b *Builder) buildDownstreamTLSContext(ctx context.Context,
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
err = validateCertificate(cert)
|
||||||
|
if err != nil {
|
||||||
|
log.Warn(ctx).Str("domain", domain).Err(err).Msg("invalid certificate for domain")
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
var alpnProtocols []string
|
var alpnProtocols []string
|
||||||
switch cfg.Options.GetCodecType() {
|
switch cfg.Options.GetCodecType() {
|
||||||
case config.CodecTypeHTTP1:
|
case config.CodecTypeHTTP1:
|
||||||
|
|
|
||||||
|
|
@ -1,6 +1,10 @@
|
||||||
package envoyconfig
|
package envoyconfig
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"crypto/tls"
|
||||||
|
"crypto/x509"
|
||||||
|
"encoding/asn1"
|
||||||
|
"fmt"
|
||||||
"net/url"
|
"net/url"
|
||||||
"regexp"
|
"regexp"
|
||||||
"strings"
|
"strings"
|
||||||
|
|
@ -8,6 +12,8 @@ import (
|
||||||
envoy_type_matcher_v3 "github.com/envoyproxy/go-control-plane/envoy/type/matcher/v3"
|
envoy_type_matcher_v3 "github.com/envoyproxy/go-control-plane/envoy/type/matcher/v3"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
var oidMustStaple = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 24}
|
||||||
|
|
||||||
func (b *Builder) buildSubjectAlternativeNameMatcher(
|
func (b *Builder) buildSubjectAlternativeNameMatcher(
|
||||||
dst *url.URL,
|
dst *url.URL,
|
||||||
overrideName string,
|
overrideName string,
|
||||||
|
|
@ -50,3 +56,32 @@ func (b *Builder) buildSubjectNameIndication(
|
||||||
sni = strings.Replace(sni, "*", "example", -1)
|
sni = strings.Replace(sni, "*", "example", -1)
|
||||||
return sni
|
return sni
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// validateCertificate validates that a certificate can be used with Envoy's TLS stack.
|
||||||
|
func validateCertificate(cert *tls.Certificate) error {
|
||||||
|
if len(cert.Certificate) == 0 {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// parse the x509 certificate because leaf isn't always filled in
|
||||||
|
x509cert, err := x509.ParseCertificate(cert.Certificate[0])
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
// check to make sure that if we require an OCSP staple that its available.
|
||||||
|
if len(cert.OCSPStaple) == 0 && hasMustStaple(x509cert) {
|
||||||
|
return fmt.Errorf("certificate requires OCSP stapling but has no OCSP staple response")
|
||||||
|
}
|
||||||
|
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func hasMustStaple(cert *x509.Certificate) bool {
|
||||||
|
for _, ext := range cert.Extensions {
|
||||||
|
if ext.Id.Equal(oidMustStaple) {
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
|
|
||||||
|
|
@ -1,12 +1,16 @@
|
||||||
package envoyconfig
|
package envoyconfig
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"crypto/x509"
|
||||||
|
"crypto/x509/pkix"
|
||||||
"net/url"
|
"net/url"
|
||||||
"testing"
|
"testing"
|
||||||
|
|
||||||
"github.com/stretchr/testify/assert"
|
"github.com/stretchr/testify/assert"
|
||||||
|
"github.com/stretchr/testify/require"
|
||||||
|
|
||||||
"github.com/pomerium/pomerium/internal/testutil"
|
"github.com/pomerium/pomerium/internal/testutil"
|
||||||
|
"github.com/pomerium/pomerium/pkg/cryptutil"
|
||||||
)
|
)
|
||||||
|
|
||||||
func TestBuildSubjectAlternativeNameMatcher(t *testing.T) {
|
func TestBuildSubjectAlternativeNameMatcher(t *testing.T) {
|
||||||
|
|
@ -31,3 +35,15 @@ func TestBuildSubjectNameIndication(t *testing.T) {
|
||||||
assert.Equal(t, "example.org", b.buildSubjectNameIndication(&url.URL{Host: "example.com:1234"}, "example.org"))
|
assert.Equal(t, "example.org", b.buildSubjectNameIndication(&url.URL{Host: "example.com:1234"}, "example.org"))
|
||||||
assert.Equal(t, "example.example.org", b.buildSubjectNameIndication(&url.URL{Host: "example.com:1234"}, "*.example.org"))
|
assert.Equal(t, "example.example.org", b.buildSubjectNameIndication(&url.URL{Host: "example.com:1234"}, "*.example.org"))
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func TestValidateCertificate(t *testing.T) {
|
||||||
|
cert, err := cryptutil.GenerateSelfSignedCertificate("example.com", func(tpl *x509.Certificate) {
|
||||||
|
// set the must staple flag on the cert
|
||||||
|
tpl.ExtraExtensions = append(tpl.ExtraExtensions, pkix.Extension{
|
||||||
|
Id: oidMustStaple,
|
||||||
|
})
|
||||||
|
})
|
||||||
|
require.NoError(t, err)
|
||||||
|
|
||||||
|
assert.Error(t, validateCertificate(cert), "should return an error for a must-staple TLS certificate that has no stapled OCSP response")
|
||||||
|
}
|
||||||
|
|
|
||||||
|
|
@ -163,7 +163,7 @@ func EncodePrivateKey(key *ecdsa.PrivateKey) ([]byte, error) {
|
||||||
// GenerateSelfSignedCertificate generates a self-signed TLS certificate.
|
// GenerateSelfSignedCertificate generates a self-signed TLS certificate.
|
||||||
//
|
//
|
||||||
// mostly copied from https://golang.org/src/crypto/tls/generate_cert.go
|
// mostly copied from https://golang.org/src/crypto/tls/generate_cert.go
|
||||||
func GenerateSelfSignedCertificate(domain string) (*tls.Certificate, error) {
|
func GenerateSelfSignedCertificate(domain string, configure ...func(*x509.Certificate)) (*tls.Certificate, error) {
|
||||||
privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
|
privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, fmt.Errorf("failed to geneate private key: %w", err)
|
return nil, fmt.Errorf("failed to geneate private key: %w", err)
|
||||||
|
|
@ -175,7 +175,7 @@ func GenerateSelfSignedCertificate(domain string) (*tls.Certificate, error) {
|
||||||
return nil, fmt.Errorf("failed to generate serial number: %w", err)
|
return nil, fmt.Errorf("failed to generate serial number: %w", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
template := x509.Certificate{
|
template := &x509.Certificate{
|
||||||
SerialNumber: serialNumber,
|
SerialNumber: serialNumber,
|
||||||
Subject: pkix.Name{
|
Subject: pkix.Name{
|
||||||
Organization: []string{"Pomerium"},
|
Organization: []string{"Pomerium"},
|
||||||
|
|
@ -191,9 +191,12 @@ func GenerateSelfSignedCertificate(domain string) (*tls.Certificate, error) {
|
||||||
} else {
|
} else {
|
||||||
template.DNSNames = append(template.DNSNames, domain)
|
template.DNSNames = append(template.DNSNames, domain)
|
||||||
}
|
}
|
||||||
|
for _, f := range configure {
|
||||||
|
f(template)
|
||||||
|
}
|
||||||
|
|
||||||
publicKeyBytes, err := x509.CreateCertificate(rand.Reader,
|
publicKeyBytes, err := x509.CreateCertificate(rand.Reader,
|
||||||
&template, &template,
|
template, template,
|
||||||
privateKey.Public(), privateKey,
|
privateKey.Public(), privateKey,
|
||||||
)
|
)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
|
|
||||||
Loading…
Add table
Reference in a new issue