We recently added new functionality that improves how wolfSSL handles Authority Information Access (AIA) certificate data.
AIA is an X.509 certificate extension that tells clients where to find related validation resources, typically OCSP responder URLs (for revocation status checks) and CA Issuers URLs (for downloading issuer certificates), defined in RFC 4325. In practice, this helps certificate path building and status verification work more reliably in distributed PKI environments.
The first update extends the certificate API with wolfSSL_X509_get1_ca_issuers(), allowing applications to retrieve CA Issuers URLs directly from certificate AIA data.
The second update expands AIA parsing from a single-entry model to a multi-entry model, supporting up to 8 total AIA URI entries per certificate. We also added wolfSSL_X509_get_aia_overflow() so applications can detect when a certificate contains more AIA entries than the current cap.
Together, these changes make AIA handling in wolfSSL more complete and more resilient for real-world certificates that include multiple responder and issuer endpoints.

    /* Example: read OCSP + CA Issuers URIs from certificate AIA */
    #include <wolfssl/options.h>
    #include <wolfssl/ssl.h>

    int main(void)
    {
        WOLFSSL_X509* cert = wolfSSL_X509_load_certificate_file(
            "cert.pem", WOLFSSL_FILETYPE_PEM);
        if (cert == NULL) {
            return 1; /* file missing or not a parsable PEM certificate */
        }

        /* Each get1 call returns a new stack that the caller must free */
        WOLF_STACK_OF(WOLFSSL_STRING)* ocsp = wolfSSL_X509_get1_ocsp(cert);
        WOLF_STACK_OF(WOLFSSL_STRING)* caIssuers = wolfSSL_X509_get1_ca_issuers(cert);
        int ocspCount = wolfSSL_sk_WOLFSSL_STRING_num(ocsp);
        int caCount = wolfSSL_sk_WOLFSSL_STRING_num(caIssuers);

        for (int i = 0; i < ocspCount; i++) {
            const char* url = wolfSSL_sk_WOLFSSL_STRING_value(ocsp, i);
            /* use OCSP URL */
        }
        for (int i = 0; i < caCount; i++) {
            const char* url = wolfSSL_sk_WOLFSSL_STRING_value(caIssuers, i);
            /* use CA Issuers URL */
        }

        /* Detect if parsed AIA entries exceeded internal storage limit */
        if (wolfSSL_X509_get_aia_overflow(cert)) {
            /* handle overflow case */
        }

        wolfSSL_X509_email_free(ocsp);
        wolfSSL_X509_email_free(caIssuers);
        wolfSSL_X509_free(cert);
        return 0;
    }

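
AIA URIs come from the certificate being validated, so an application may want to filter them before use and treat the overflow flag as "list incomplete" rather than ignore it. The following is an added example, not wolfSSL code: `aia_select`, `aia_uri_acceptable`, the `aia_result` values and the http-only acceptance policy are assumptions, and the function takes plain string arrays instead of calling wolfSSL.

```c
/* Added example: policy filter for AIA URIs read from an untrusted certificate.
 * Inputs mirror the URI stacks and overflow flag described above; no wolfSSL
 * calls are made, and the acceptance policy is an assumption of this example. */
#include <ctype.h>
#include <string.h>

enum aia_result { AIA_NONE = 0, AIA_OK = 1, AIA_INCOMPLETE = 2 };

/* Assumed policy: lowercase "http://" only, non-empty host, no userinfo,
 * printable ASCII without spaces, at most 255 bytes. */
static int aia_uri_acceptable(const char *uri)
{
    static const char scheme[] = "http://";
    const char *host, *end;
    size_t len, i;

    if (uri == NULL) return 0;
    len = strlen(uri);
    if (len > 255 || strncmp(uri, scheme, sizeof(scheme) - 1) != 0) return 0;
    for (i = 0; i < len; i++)
        if (!isgraph((unsigned char)uri[i])) return 0;
    host = uri + sizeof(scheme) - 1;
    end = host + strcspn(host, "/?#");
    if (end == host) return 0;                      /* empty host */
    if (memchr(host, '@', (size_t)(end - host)) != NULL) return 0; /* userinfo */
    return 1;
}

/* Copies acceptable, de-duplicated URIs into out[] (pointers only, no string
 * copies) and stores the count in *n_out. Returns AIA_INCOMPLETE whenever the
 * overflow flag is set, because the certificate held more entries than were
 * parsed and a short or empty list must not be read as "no other endpoints". */
enum aia_result aia_select(const char *const *uris, int count, int overflow,
                           const char **out, int out_cap, int *n_out)
{
    int i, j, n = 0;

    for (i = 0; i < count && n < out_cap; i++) {
        if (!aia_uri_acceptable(uris[i])) continue;
        for (j = 0; j < n && strcmp(out[j], uris[i]) != 0; j++) { }
        if (j == n) out[n++] = uris[i];
    }
    *n_out = n;
    if (overflow) return AIA_INCOMPLETE;
    return n > 0 ? AIA_OK : AIA_NONE;
}
```

In an application, the `uris` array would be filled from `wolfSSL_sk_WOLFSSL_STRING_value()` and `overflow` from `wolfSSL_X509_get_aia_overflow()`, before the URI stacks are freed.
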
Java/JNI Support for AIA (wolfssljni)
The Java wrapper now exposes matching AIA functionality through the WolfSSLCertificate class, including:
- getOcspUris()
- getCaIssuerUris()
- getAiaOverflow()
Under the hood, JNI bridges these to the native certificate APIs and converts returned URI stacks into String[], so Java applications can consume multi-entry AIA data directly. The update also adds certificate-based tests for both normal multi-URI parsing and overflow behavior (capped list with overflow flag set), keeping Java behavior aligned with the native implementation.

    WolfSSLCertificate cert =
        new WolfSSLCertificate("examples/certs/aia/multi-aia-cert.pem",
                               WolfSSL.SSL_FILETYPE_PEM);
    String[] ocspUris = cert.getOcspUris();
    String[] caIssuerUris = cert.getCaIssuerUris();
    int overflow = cert.getAiaOverflow(); // 0 = no overflow, 1 = overflow
    cert.free();

Download
Please reach out to facts@wolfssl.com for information regarding using the wolfSSL AIA capabilities in your project.
Questions?
If you have questions about any of the above, please contact us at facts@wolfssl.com or +1 425 245 8247.

