Support for X.509 Authority Information Access extensions

Hi, I was wondering whether APIs such URLSession or SecTrustEvaluateWithError support the "Authority Information Access" X.509 extension (https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.2.1) when they are resolving certificate chains?

ie. If a TLS server is not providing an intermediate certificate but its URI is specified by an AIA extension will URLSession (and SecTrustEvaluateWithError) be able to successfully validate the certificate chain?

Local experiments seem to indicate URLSession might, but I can't find any definitive API documentation to confirm this.

Thanks in advance, Rob

Answered by ForumsContributor in

Hi, I was wondering whether APIs such URLSession or SecTrustEvaluateWithError support the "Authority Information Access" X.509 extension (https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.2.1) when they are resolving certificate chains? ie. If a TLS server is not providing an intermediate certificate but its URI is specified by an AIA extension will URLSession (and SecTrustEvaluateWithError) be able to successfully validate the certificate chain?

Typically the data provided in the Authority Information Access extension is used to check the revocation status of the certificate being used for TLS from a trusted CA. For example in the RFC: "Information and services may include on-line validation services and CA policy data."

When your certificate chain is validated, if OCSP is performed and it succeeds then this justs tells the system that the certificate has not been revoked and the handshake can proceed.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

Adding on to my previous answer, "Authority Information Access" can be used to obtain missing intermediate information but is not something a client should rely on. Instead, a client should make sure they are connecting to a peer that provides a full certificate chain when the server hello packet is sent during the TLS handshake. This will always ensure that the chain is able to be validated and does not rely on an extension to do so.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
Accepted Answer

No problem. It is possible if the leaf certificate was issued directly from the root certificate and the client can validate the cryptographic chain of trust to that root, that the TLS handshake be valid on iOS without an intermediate. This is very uncommon, but is not unheard of.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
Support for X.509 Authority Information Access extensions
 
 
Q