/aia-transport-go

AIA (Authority Information Access) Transport Go provides a pre-configured http.Transport to enable AIA certificate chain resolution for resolving urls with incomplete certificate chains.

Primary LanguageGoMIT LicenseMIT

AIA (Authority Information Access) Transport Go

GoDoc Build Status Go Report Card GolangCI Coverage Status

AIA-Transport-Go provides an http.Transport which uses the AIA (Authority Information Access) X.509 extension to resolve incomplete certificate chains during the tls handshake. See rfc3280 for more details.

Installation

go get github.com/fcjr/aia-transport-go

Usage

tr, err := aia.NewTransport()
if err != nil {
    log.Fatal(err)
}
client := http.Client{
    Transport: tr,
}
res, err := client.Get("https://incomplete-chain.badssl.com/")
if err != nil {
    log.Fatal(err)
}
fmt.Println(res.Status)

Todos

  • Follow single incomplete AIA chain
  • Tests
  • CI & Code Coverage
  • Documentation
  • Chain Caching
  • Certificate Caching
  • Follow all possible issuing urls
  • Benchmarks

Caveats

This library relies on x509.SystemCertPool() to gather the initial system root certificates to validate against. This function is not implemented on windows, however windows will resolve incomplete certificate chains via AIA automatically so this library simply returns a default http.Transport on windows which should be sufficient.1

Footnotes

  1. https://github.com/golang/go/issues/31773#issuecomment-582176197