ca: Pass OCSP Must-Staple from CSR into generated certificate

[wgreenberg]

This will allow for extensions such as OCSP stapling. Happy to add a test if desired, also I wasn't sure if it's expected to filter for specific extensions or to pass them wholesale onto the cert?

Fixes #433

[jsha]

I would prefer to look for just the Must Staple extension and set that, which is what Boulder does. It's quite dangerous to pass through arbitrary extensions from the CSR, because some extensions change the semantics of certificates in dramatic ways. Of course Pebble is a testing CA but we should still avoid creating dangerous code for someone to possibly emulate. :D

[aarongable]

Directly appending the extension from the CSR is still slightly dangerous, as we are directly carrying over the critical bit. Boulder has a pre-built OCSP must-staple extension, and it uses that both to detect must-staple in the CSR and include must-staple in the resulting cert. That way Boulder can guarantee that the extension is never critical.

What you have here is probably fine for Pebble, but if you want to be even safer that's a pattern you could follow.

[wgreenberg]

ah nice, I'll do that! I wasn't sure how risky the critical value was, but that makes sense.

[aarongable]

Seems like this log line should be replaced by parsing the resulting cert and inspecting its extensions to confirm the inclusion of must-staple.

[wgreenberg]

Oh shoot, I actually didn't mean to include this file, it was just for debugging. Though I could turn it into a full test, if that seems desirable

[aarongable]

I think it's great to have a test for this!

[wgreenberg]

Added some unit tests and modeled this after Boulder's approach. Ready for review again!

[mcpherrinm]

Can you rebase or merge in main please? We've merged some fixes in the last few day for pebble's CI

[wgreenberg]

Should be all set

[mcpherrinm]

thanks. A few things from the linter, otherwise lgtm