Consider adding support for retrieving intermediate certificates using the Authority Information Access (AIA) field of compatible certificates #705

Open
atc0005 opened this issue Nov 16, 2023 · 3 comments

atc0005 commented Nov 16, 2023

Overview

Currently this field (if available) is not used or emitted in certificate evaluation output.

As an example, this intermediate certificate specifies where to retrieve the certificate used to sign it:

InCommon RSA Server CA 2
	Authority Information Access
		Not Critical
		CA Issuers: URI: http://crt.usertrust.com/USERTrustRSAAAACA.crt
		OCSP Responder: URI: http://ocsp.usertrust.com

The last three lines indicate (subfields?) additional information, one of which provides a way to retrieve the next intermediate (or presumably root?) in the chain.

This field is new to me, so I don't know what support is available for parsing it, etc.

At a glance, some earlier intermediate and root certificates do not appear to include it.

References

@atc0005 atc0005 added enhancement New feature or request question Further information is requested app/lscert labels Nov 16, 2023
@atc0005 atc0005 added this to the Future milestone Nov 16, 2023
@atc0005 atc0005 self-assigned this Nov 16, 2023
@atc0005 atc0005 changed the title Consider adding support for retrieving intermediate certificates using Authority Information Access (AIA) field of leaf certificate Consider adding support for retrieving intermediate certificates using the Authority Information Access (AIA) field of compatible certificates Nov 16, 2023

atc0005 commented Nov 16, 2023

Could be useful to provide a flag which indicates missing intermediate/root certificates from a cert pool should be retrieved (if possible) using the AIA CA Issuers subfield value.


atc0005 commented Sep 28, 2024

PKCS7 support

Needed for processing some certificate bundles linked from AIA cert fields.

Very brief glances over repos surfaced from the pkg.go.dev search below.

https://pkg.go.dev/search?q=pkcs7&m=


https://github.com/cloudflare/cfssl
	Mixed feelings re complexity
	Might be pulling in a lot of dependencies

https://github.com/smallstep/pkcs7
	Looks very promising
	Presumably lighter on dependencies

https://pkg.go.dev/go.mozilla.org/pkcs7
https://github.com/mozilla-services/pkcs7
	Ancestor of smallstep/pkcs7
	Still seeing activity
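
Added example (not part of the issue thread and not the project's code): a sketch in Go of the AIA "CA Issuers" retrieval discussed in the comments above, using the standard library's `IssuingCertificateURL` field and treating every fetched response as untrusted input. `ChaseAIA`, `constructedCA` and the `aia.example` URLs are hypothetical names; the fetch function is injected so the walk runs offline against constructed certificates, and non-DER responses such as PKCS7 bundles are rejected rather than parsed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
)

// ChaseAIA follows the AIA "CA Issuers" URL from cert upward. Responses are untrusted: each must
// be a DER certificate whose key signed the child; callers still verify against trusted roots.
func ChaseAIA(cert *x509.Certificate, fetch func(url string) ([]byte, error), limit int) ([]*x509.Certificate, error) {
	var found []*x509.Certificate
	for len(cert.IssuingCertificateURL) > 0 { // field is absent on roots and some intermediates
		if len(found) == limit {
			return found, fmt.Errorf("AIA chain longer than %d certificates, stopping", limit)
		}
		der, err := fetch(cert.IssuingCertificateURL[0])
		if err != nil {
			return found, err
		}
		issuer, err := x509.ParseCertificate(der) // DER only; a PKCS7 bundle fails here
		if err != nil || cert.CheckSignatureFrom(issuer) != nil {
			return found, fmt.Errorf("rejecting AIA response for %q: not DER or not the signer", cert.Subject.CommonName)
		}
		found, cert = append(found, issuer), issuer
	}
	return found, nil
}

// constructedCA makes a throwaway CA certificate (constructed sample data; self-signed if parent is nil).
func constructedCA(cn string, aia []string, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, IssuingCertificateURL: aia}
	if parent == nil {
		parent, signer = t, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
	c, _ := x509.ParseCertificate(der)
	return c, key
}

func main() {
	root, rootKey := constructedCA("Constructed Root", nil, nil, nil)
	mid, _ := constructedCA("Constructed Intermediate", []string{"http://aia.example/root.crt"}, root, rootKey)
	found, err := ChaseAIA(mid, func(string) ([]byte, error) { return root.Raw, nil }, 4)
	fmt.Println(len(found), err)
}
```

A real fetcher would also need a timeout and a response size cap, since the URL comes from the certificate being evaluated.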
