1 files changed, 16 insertions, 1 deletions

diff --git a/vendor/github.com/xenolf/lego/acme/crypto.go b/vendor/github.com/xenolf/lego/acme/crypto.go
index af97f5d1e..c63b23b99 100644
--- a/vendor/github.com/xenolf/lego/acme/crypto.go
+++ b/vendor/github.com/xenolf/lego/acme/crypto.go
@@ -20,6 +20,8 @@ import (
 	"strings"
 	"time"
 
+	"encoding/asn1"
+
 	"golang.org/x/crypto/ocsp"
 )
 
@@ -47,6 +49,12 @@ const (
 	OCSPServerFailed = ocsp.ServerFailed
 )
 
+// Constants for OCSP must staple
+var (
+	tlsFeatureExtensionOID = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 24}
+	ocspMustStapleFeature  = []byte{0x30, 0x03, 0x02, 0x01, 0x05}
+)
+
 // GetOCSPForCert takes a PEM encoded cert or cert bundle returning the raw OCSP response,
 // the parsed response, and an error, if any. The returned []byte can be passed directly
 // into the OCSPStaple property of a tls.Certificate. If the bundle only contains the
@@ -206,7 +214,7 @@ func generatePrivateKey(keyType KeyType) (crypto.PrivateKey, error) {
 	return nil, fmt.Errorf("Invalid KeyType: %s", keyType)
 }
 
-func generateCsr(privateKey crypto.PrivateKey, domain string, san []string) ([]byte, error) {
+func generateCsr(privateKey crypto.PrivateKey, domain string, san []string, mustStaple bool) ([]byte, error) {
 	template := x509.CertificateRequest{
 		Subject: pkix.Name{
 			CommonName: domain,
@@ -217,6 +225,13 @@ func generateCsr(privateKey crypto.PrivateKey, domain string, san []string) ([]b
 		template.DNSNames = san
 	}
 
+	if mustStaple {
+		template.Extensions = append(template.Extensions, pkix.Extension{
+			Id:    tlsFeatureExtensionOID,
+			Value: ocspMustStapleFeature,
+		})
+	}
+
 	return x509.CreateCertificateRequest(rand.Reader, &template, privateKey)
 }