Merge #6: Support AIA

24813e7 Set EKU on TLD CA (Jeremy Rand) ad9434a Set EKU on Domain CA (Jeremy Rand) b7fa7cf Support AIA (Jeremy Rand) Pull request description: Refs #3 Refs #5 Top commit has no ACKs. Tree-SHA512: adf9da8e0c39e4e43cd98edfdd9a68af155f36b29e67b150f17f14c45426b0ea7322d353e4c4c32f5ace1df6531b1d4e3b4fd3b3dc3cafdeb11600c9aba7a173
namecoin · Feb 17, 2021 · 57e499e · 57e499e
2 parents 88e8edd + 24813e7
commit 57e499e
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 4 deletions.
diff --git a/convert_from_tlsa.go b/convert_from_tlsa.go
@@ -32,7 +32,7 @@ import (
 func GetCertFromTLSA(domain string, tlsa *dns.TLSA, parentDERBytes []byte, parentPrivateKey interface{}) ([]byte, error) {
 	// CA not in user's trust store; public key; not hashed
 	if tlsa.Usage == 2 && tlsa.Selector == 1 && tlsa.MatchingType == 0 {
-		domain = strings.TrimSuffix(domain, " Domain CA")
+		domain = strings.TrimSuffix(domain, " Domain AIA Parent CA")
 
 		publicKeyBytes, err := hex.DecodeString(tlsa.Certificate)
 		if err != nil {

diff --git a/generate_domain_ca.go b/generate_domain_ca.go
@@ -23,8 +23,10 @@ package safetlsa
 
 import (
 	"crypto/rand"
+	"crypto/sha256"
 	"crypto/x509"
 	"crypto/x509/pkix"
+	"encoding/hex"
 	"fmt"
 	"math/big"
 	"time"
@@ -70,10 +72,13 @@ func GenerateDomainCA(domain string, publicKeyBytes []byte, parentDERBytes []byt
 		return nil, fmt.Errorf("failed to generate serial number: %s", err)
 	}
 
+	aiaPubHash := sha256.Sum256(parentCert.RawSubjectPublicKeyInfo)
+	aiaPubHashStr := hex.EncodeToString(aiaPubHash[:])
+
 	template := x509.Certificate{
 		SerialNumber: serialNumber,
 		Subject: pkix.Name{
-			CommonName: domain + " Domain CA",
+			CommonName: domain + " Domain AIA Parent CA",
 			SerialNumber: "Namecoin TLS Certificate",
 		},
 		NotBefore: time.Now().Add(-1 * time.Hour),
@@ -82,11 +87,13 @@ func GenerateDomainCA(domain string, publicKeyBytes []byte, parentDERBytes []byt
 		IsCA: true,
 		//KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
 		KeyUsage: x509.KeyUsageCertSign,
-		//ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
 		BasicConstraintsValid: true,
 
 		PermittedDNSDomainsCritical: true,
 		PermittedDNSDomains:         []string{domain},
+
+		IssuingCertificateURL: []string{"http://aia.x--nmc.bit/aia?domain=.bit%20TLD%20CA&pubsha256=" + aiaPubHashStr},
 	}
 
 	//hosts := strings.Split(*host, ",")

diff --git a/generate_tld_ca.go b/generate_tld_ca.go
@@ -100,7 +100,7 @@ func GenerateTLDCA(domain string, parentDERBytes []byte, parentPrivateKey interf
 		IsCA: true,
 		//KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
 		KeyUsage: x509.KeyUsageCertSign,
-		//ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
 		BasicConstraintsValid: true,
 
 		PermittedDNSDomainsCritical: true,