Crate pkix_aia_http

Expand description

§pkix-aia-http

Reference synchronous HTTP fetcher for pkix-aia’s AiaFetcher trait.

AIA (Authority Information Access, RFC 5280 §4.2.2.1) is the extension that carries caIssuers URIs pointing at the certificate’s issuer. Chain-build code can follow these URIs to fetch missing intermediates when the caller-supplied chain is incomplete. This crate plugs an HTTP transport into the AiaFetcher trait so the chain-build flow in pkix-chain can resolve caIssuers URIs whose scheme is http:// or https://.

§Quick start

use pkix_aia::AiaFetcher;
use pkix_aia_http::HttpFetcher;

let fetcher = HttpFetcher::new();
let der_bytes = fetcher.fetch("http://ca.example/intermediate.crt")?;
println!("fetched {} bytes", der_bytes.len());

§Design parallel: `pkix-revocation-http`

This crate intentionally mirrors pkix-revocation-http’s UreqFetcher shape: the same ureq dependency, the same response-size cap pattern, the same HTTPS-via-rustls feature configuration, the same “construct once, fetch many times” idiom. Callers running both crates in the same process can configure a custom ureq::Agent once and pass it to both fetchers via the with_agent builders, sharing connection pools.

The split into a separate crate per use case (pkix-revocation-http for CRL / OCSP, pkix-aia-http for AIA) follows the workspace’s one-callback-per-crate convention. The revocation and AIA seams in pkix-chain are independent: a caller can use AIA without revocation, revocation without AIA, or both. Each adapter crate is independently optional.

§What is fetched

HttpFetcher::fetch issues a synchronous HTTP GET against the supplied uri. The response body is returned verbatim as Vec<u8>; parsing the bytes as a DER X.509 certificate is the caller’s responsibility (typically delegated to pkix-path-builder or pkix-chain).

Non-HTTP URI schemes (e.g. ldap://, ftp://) return AiaError::UriUnsupported immediately, before any network I/O.

§Limits

Body size cap — responses larger than DEFAULT_MAX_RESPONSE_SIZE (1 MiB) are rejected with AiaError::ResponseTooLarge. Override via HttpFetcher::with_max_response_size. Real-world intermediate CA certs are typically well under 4 KiB; 1 MiB is a generous fail-closed default for an untrusted endpoint.
Timeout — ureq’s built-in agent timeouts apply. Construct a custom ureq::Agent with explicit timeouts and pass via HttpFetcher::with_agent if you need a specific bound.
No retry, no backoff, no caching — these are caller-side concerns. Wrap HttpFetcher with a caching layer (pkix-aia’s rustdoc has a CachingFetcher worked example) or retry adapter as needed.
HTTPS via rustls — workspace pin ureq = { features = ["rustls"] }. Consumers with custom TLS requirements (PSK, client auth at the AIA endpoint, exotic trust roots) should construct their own ureq::Agent and inject via HttpFetcher::with_agent.

§# Limitations

Synchronous only. An async parallel (mirroring pkix-revocation-http’s AsyncHttpCrlFetcher / AsyncHttpOcspFetcher) is filed as PKIX-zkjb.5.1, deferred until consumer demand surfaces.
No LDAP transport. RFC 5280 §4.2.2.1 permits any URI scheme in AIA accessLocation GeneralNames; in practice HTTP and HTTPS dominate. An ldap:// fetcher could ship as a sibling pkix-aia-ldap crate if demand surfaces.
No HTTP/2 connection pooling tuning beyond ureq::Agent’s defaults. Sharing an agent across many fetches (the default when you construct one HttpFetcher and keep it) reuses connections; per-request tuning is not exposed.

Tracked as PKIX-zkjb.5 in the project beads.

Structs§

HttpFetcher: HTTP transport backed by ureq.

Constants§

DEFAULT_MAX_RESPONSE_SIZE: Default cap on a single response body’s size, in bytes.
DEFAULT_TIMEOUT: Default per-request timeout.