thales-e-security / estclient

Go EST client (RFC 7030)
MIT License

Question: CaCerts operation expects only one self-signed TA #3

Open achuchev opened 4 years ago

achuchev commented 4 years ago

Hello,

Looking at https://github.com/thales-e-security/estclient/blob/41a90a297bd347fb5029dc39eeee2745e55852e1/utils.go#L115, it seems to be assumed that the CaCerts operation must return only one self-signed certificate. However, RFC 7030, in the 4.1.3 CA Certificates Response section (see below), does not limit the returned root certs to one. I have a case where I use an HTTPS certificate for my EST server issued by one CA, but another CA will be signing the leaf cert generated by the EST client.

Do I understand the logic correctly here?

A successful response MUST be a certs-only CMC Simple PKI Response, as defined in [RFC5272], containing the certificates described in the following paragraph. The HTTP content-type of "application/pkcs7-mime" is used. The Simple PKI Response is sent with a Content-Transfer-Encoding of "base64" [RFC2045].

The EST server MUST include the current root CA certificate in the response. The EST server MUST include any additional certificates the client would need to build a chain from an EST CA-issued certificate to the current EST CA TA. For example, if the EST CA is a subordinate CA, then all the appropriate subordinate CA certificates necessary to build a chain to the root EST CA are included in the response.
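The situation described in the issue, as an added example that is not part of the estclient code base: a /cacerts response carrying two self-signed trust anchors (one behind the EST server's HTTPS certificate, one at the top of the client-issuing chain) plus a subordinate CA. The function names (`SplitCACerts`, `VerifyWithCACerts`, `Fixture`) and the generated certificates are assumptions constructed for the example; it takes already-decoded `*x509.Certificate` values, so the CMC/PKCS#7 decoding step is left out.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// isSelfSigned reports whether c can act as a trust anchor: issuer equals
// subject and the signature verifies under c's own public key.
func isSelfSigned(c *x509.Certificate) bool {
	return bytes.Equal(c.RawIssuer, c.RawSubject) && c.CheckSignatureFrom(c) == nil
}

// SplitCACerts partitions the certificates decoded from a /cacerts response into
// trust anchors (self-signed) and chain-building intermediates. No count limit is
// applied: RFC 7030 4.1.3 only requires the current root plus whatever is needed
// to chain an issued certificate to it, so several self-signed roots are valid.
func SplitCACerts(certs []*x509.Certificate) (roots, intermediates []*x509.Certificate, err error) {
	for _, c := range certs {
		if !c.BasicConstraintsValid || !c.IsCA {
			return nil, nil, fmt.Errorf("%q in /cacerts is not a CA certificate", c.Subject.CommonName)
		}
		if isSelfSigned(c) {
			roots = append(roots, c)
		} else {
			intermediates = append(intermediates, c)
		}
	}
	if len(roots) == 0 {
		return nil, nil, fmt.Errorf("/cacerts response carries no self-signed trust anchor")
	}
	return roots, intermediates, nil
}

// VerifyWithCACerts checks that leaf chains to any trust anchor from the
// /cacerts response, using the remaining certificates as intermediates.
func VerifyWithCACerts(leaf *x509.Certificate, cacerts []*x509.Certificate) error {
	roots, intermediates, err := SplitCACerts(cacerts)
	if err != nil {
		return err
	}
	rootPool, interPool := x509.NewCertPool(), x509.NewCertPool()
	for _, r := range roots {
		rootPool.AddCert(r)
	}
	for _, i := range intermediates {
		interPool.AddCert(i)
	}
	_, err = leaf.Verify(x509.VerifyOptions{
		Roots:         rootPool,
		Intermediates: interPool,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err
}

var serial int64

// newCert issues a constructed test certificate; parent == nil yields a self-signed CA.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// Fixture builds the constructed scenario: one root behind the EST server's HTTPS
// certificate, a second root that (via a subordinate CA) issues the client leaf.
// It returns the simulated /cacerts contents and the leaf.
func Fixture() (cacerts []*x509.Certificate, leaf *x509.Certificate) {
	tlsRoot, _ := newCert("TLS Root CA", true, nil, nil)
	issuingRoot, issuingKey := newCert("Issuing Root CA", true, nil, nil)
	sub, subKey := newCert("Issuing Sub CA", true, issuingRoot, issuingKey)
	leaf, _ = newCert("est-client", false, sub, subKey)
	return []*x509.Certificate{tlsRoot, issuingRoot, sub}, leaf
}

func main() {
	cacerts, leaf := Fixture()
	roots, inters, err := SplitCACerts(cacerts)
	fmt.Println("trust anchors:", len(roots), "intermediates:", len(inters), "err:", err)
	fmt.Println("leaf verifies:", VerifyWithCACerts(leaf, cacerts) == nil)
}
```

Keeping only the first self-signed certificate from this response would leave the client with the TLS root alone, and the issued leaf would then fail to chain; keeping every self-signed certificate as a trust anchor and the rest as intermediates is what lets both the server's TLS certificate and the client's own certificate verify.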

dmjones commented 4 years ago

I had mistakenly assumed the /cacerts operation was just for receiving the certificates relating to certificates issued to EST clients. However, I now see from section 4.1.1...

The EST client uses the /cacerts response to establish an Explicit Trust Anchor database for subsequent TLS authentication of the EST server.

So, further work would be needed to support this functionality. We are not actively working on this protocol at the moment, so the best approach is to open a pull request which we can review and merge.

achuchev commented 4 years ago

@dmjones Thanks for the quick response!