/
tls.go
110 lines (97 loc) · 2.95 KB
/
tls.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
package envoyconfig
import (
"crypto/tls"
"crypto/x509"
"encoding/asn1"
"fmt"
"net/netip"
"net/url"
"regexp"
"strings"
envoy_extensions_transport_sockets_tls_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/tls/v3"
envoy_type_matcher_v3 "github.com/envoyproxy/go-control-plane/envoy/type/matcher/v3"
)
var oidMustStaple = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 24}
func (b *Builder) buildSubjectAltNameMatcher(
dst *url.URL,
overrideName string,
) *envoy_extensions_transport_sockets_tls_v3.SubjectAltNameMatcher {
sni := dst.Hostname()
if overrideName != "" {
sni = overrideName
}
if ip, err := netip.ParseAddr(sni); err == nil {
// Strip off any IPv6 zone.
if ip.Zone() != "" {
ip = ip.WithZone("")
}
return &envoy_extensions_transport_sockets_tls_v3.SubjectAltNameMatcher{
SanType: envoy_extensions_transport_sockets_tls_v3.SubjectAltNameMatcher_IP_ADDRESS,
Matcher: &envoy_type_matcher_v3.StringMatcher{
MatchPattern: &envoy_type_matcher_v3.StringMatcher_Exact{
Exact: ip.String(),
},
},
}
}
if strings.Contains(sni, "*") {
pattern := regexp.QuoteMeta(sni)
pattern = strings.Replace(pattern, "\\*", ".*", -1)
return &envoy_extensions_transport_sockets_tls_v3.SubjectAltNameMatcher{
SanType: envoy_extensions_transport_sockets_tls_v3.SubjectAltNameMatcher_DNS,
Matcher: &envoy_type_matcher_v3.StringMatcher{
MatchPattern: &envoy_type_matcher_v3.StringMatcher_SafeRegex{
SafeRegex: &envoy_type_matcher_v3.RegexMatcher{
EngineType: &envoy_type_matcher_v3.RegexMatcher_GoogleRe2{
GoogleRe2: &envoy_type_matcher_v3.RegexMatcher_GoogleRE2{},
},
Regex: pattern,
},
},
},
}
}
return &envoy_extensions_transport_sockets_tls_v3.SubjectAltNameMatcher{
SanType: envoy_extensions_transport_sockets_tls_v3.SubjectAltNameMatcher_DNS,
Matcher: &envoy_type_matcher_v3.StringMatcher{
MatchPattern: &envoy_type_matcher_v3.StringMatcher_Exact{
Exact: sni,
},
},
}
}
func (b *Builder) buildSubjectNameIndication(
dst *url.URL,
overrideName string,
) string {
sni := dst.Hostname()
if overrideName != "" {
sni = overrideName
}
sni = strings.Replace(sni, "*", "example", -1)
return sni
}
// validateCertificate validates that a certificate can be used with Envoy's TLS stack.
func validateCertificate(cert *tls.Certificate) error {
if len(cert.Certificate) == 0 {
return nil
}
// parse the x509 certificate because leaf isn't always filled in
x509cert, err := x509.ParseCertificate(cert.Certificate[0])
if err != nil {
return err
}
// check to make sure that if we require an OCSP staple that its available.
if len(cert.OCSPStaple) == 0 && hasMustStaple(x509cert) {
return fmt.Errorf("certificate requires OCSP stapling but has no OCSP staple response")
}
return nil
}
func hasMustStaple(cert *x509.Certificate) bool {
for _, ext := range cert.Extensions {
if ext.Id.Equal(oidMustStaple) {
return true
}
}
return false
}