Hello,
Looking at estclient/utils.go, line 115 in 41a90a2:
return nil, errors.New("too many self-signed certificates found in response")
it seems that it is assumed that the CaCerts operation must return only one self-signed certificate. However, RFC 7030, section 4.1.3 (CA Certificates Response, quoted below), does not limit the returned root certs to one. I have a case where I use an HTTPS certificate for my EST server issued by one CA, but another CA will be signing the leaf cert generated by the EST client.
Do I understand the logic correctly here?
A successful response MUST be a certs-only CMC Simple PKI Response,
as defined in [RFC5272], containing the certificates described in the
following paragraph. The HTTP content-type of
"application/pkcs7-mime" is used. The Simple PKI Response is sent
with a Content-Transfer-Encoding of "base64" [RFC2045].
The EST server MUST include the current root CA certificate in the
response. The EST server MUST include any additional certificates
the client would need to build a chain from an EST CA-issued
certificate to the current EST CA TA. For example, if the EST CA is
a subordinate CA, then all the appropriate subordinate CA
certificates necessary to build a chain to the root EST CA are
included in the response.
I had mistakenly assumed the /cacerts operation was just for receiving the certificates relating to issued certificates to EST clients. However, I now see from section 4.1.1...
The EST client uses the /cacerts response to establish an Explicit Trust Anchor database for subsequent TLS authentication of the EST server.
So, further work would be needed to support this functionality. We are not actively working on this protocol at the moment, so the best approach is to open a pull request which we can review and merge.
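An added example (my own illustration, not code from this repository or the RFC) of the /cacerts handling both comments describe: every self-signed CA certificate in the bundle becomes a trust anchor instead of the second one being an error, and the remaining certificates are kept as intermediates for chain building. It assumes the PKCS#7 response has already been decoded into a []*x509.Certificate, and the two roots plus subordinate CA are constructed test certificates (names such as "TLS Root" and "Issuing Sub CA" are mine).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// SplitCACerts partitions a decoded /cacerts bundle into trust anchors (every
// self-signed CA cert, not only one) and the intermediates needed to build chains.
func SplitCACerts(certs []*x509.Certificate) (roots, inters *x509.CertPool, nRoots int) {
	roots, inters = x509.NewCertPool(), x509.NewCertPool()
	for _, c := range certs {
		if c.IsCA && c.CheckSignatureFrom(c) == nil { // signed with its own key: an anchor
			roots.AddCert(c)
			nRoots++
		} else {
			inters.AddCert(c)
		}
	}
	return roots, inters, nRoots
}

// newCA returns a constructed test CA named cn; a nil parent makes it self-signed.
func newCA(cn string, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now().Add(-time.Minute),
		NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	if parent == nil { // self-signed: the template is its own issuer
		parent, pkey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	c, _ := x509.ParseCertificate(der)
	return c, key
}

// Scenario mirrors the issue: one root behind the server's TLS cert, a second root
// that issues client certs, plus that root's subordinate CA; all three must be kept.
func Scenario() (nRoots int, subChains bool) {
	tlsRoot, _ := newCA("TLS Root", nil, nil)
	issRoot, issKey := newCA("Issuing Root", nil, nil)
	sub, _ := newCA("Issuing Sub CA", issRoot, issKey)
	roots, inters, n := SplitCACerts([]*x509.Certificate{tlsRoot, issRoot, sub})
	_, err := sub.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return n, err == nil
}

func main() { n, ok := Scenario(); println("trust anchors:", n, "sub CA chains:", ok) }
```

The client would then load the roots pool as its Explicit Trust Anchor database for the later TLS connection, while the intermediates are only used to complete chains.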