Pass Through Disable AIA Flag

docs/api/QUIC_CREDENTIAL_CONFIG.md

@@ -161,6 +161,10 @@ Obtain the peer certificate using a faster in-process API call. Only available o
 
 Enable CA certificate file provided in the `CaCertificateFile` member.
 
+`QUIC_CREDENTIAL_FLAG_DISABLE_AIA`
+
+The following flag can be set to explicitly disable AIA retrievals. Only valid on Windows.
+
 #### `CertificateHash`
 
 Must **only** use with `QUIC_CREDENTIAL_TYPE_CERTIFICATE_HASH` type.

src/inc/msquic.h

@@ -146,6 +146,7 @@ typedef enum QUIC_CREDENTIAL_FLAGS {
     QUIC_CREDENTIAL_FLAG_REVOCATION_CHECK_CACHE_ONLY            = 0x00040000, // Windows only currently
     QUIC_CREDENTIAL_FLAG_INPROC_PEER_CERTIFICATE                = 0x00080000, // Schannel only
     QUIC_CREDENTIAL_FLAG_SET_CA_CERTIFICATE_FILE                = 0x00100000, // OpenSSL only currently
+    QUIC_CREDENTIAL_FLAG_DISABLE_AIA                            = 0x00200000, // Schannel only currently
 } QUIC_CREDENTIAL_FLAGS;
 
 DEFINE_ENUM_FLAG_OPERATORS(QUIC_CREDENTIAL_FLAGS)

src/platform/certificates_capi.c

@@ -90,6 +90,9 @@ CxPlatCertVerifyRawCertificate(
     if (CredFlags & QUIC_CREDENTIAL_FLAG_REVOCATION_CHECK_CACHE_ONLY) {
         CertFlags |= CERT_CHAIN_REVOCATION_CHECK_CACHE_ONLY;
     }
+    if (CredFlags & QUIC_CREDENTIAL_FLAG_DISABLE_AIA) {
+        CertFlags |= CERT_CHAIN_DISABLE_AIA;
+    }
 
     Result =
         CxPlatCertValidateChain(

src/platform/tls_openssl.c

@@ -981,7 +981,8 @@ CxPlatTlsSecConfigCreate(
         CredConfigFlags & QUIC_CREDENTIAL_FLAG_IGNORE_NO_REVOCATION_CHECK ||
         CredConfigFlags & QUIC_CREDENTIAL_FLAG_IGNORE_REVOCATION_OFFLINE ||
         CredConfigFlags & QUIC_CREDENTIAL_FLAG_CACHE_ONLY_URL_RETRIEVAL ||
-        CredConfigFlags & QUIC_CREDENTIAL_FLAG_REVOCATION_CHECK_CACHE_ONLY)) {
+        CredConfigFlags & QUIC_CREDENTIAL_FLAG_REVOCATION_CHECK_CACHE_ONLY ||
+        CredConfigFlags & QUIC_CREDENTIAL_FLAG_DISABLE_AIA)) {
         return QUIC_STATUS_INVALID_PARAMETER;
     }
 
@@ -992,7 +993,8 @@ CxPlatTlsSecConfigCreate(
         CredConfigFlags & QUIC_CREDENTIAL_FLAG_IGNORE_NO_REVOCATION_CHECK ||
         CredConfigFlags & QUIC_CREDENTIAL_FLAG_IGNORE_REVOCATION_OFFLINE ||
         CredConfigFlags & QUIC_CREDENTIAL_FLAG_CACHE_ONLY_URL_RETRIEVAL ||
-        CredConfigFlags & QUIC_CREDENTIAL_FLAG_REVOCATION_CHECK_CACHE_ONLY)) {
+        CredConfigFlags & QUIC_CREDENTIAL_FLAG_REVOCATION_CHECK_CACHE_ONLY ||
+        CredConfigFlags & QUIC_CREDENTIAL_FLAG_DISABLE_AIA)) {
         return QUIC_STATUS_INVALID_PARAMETER;
     }
 #endif

src/platform/tls_schannel.c

@@ -754,6 +754,9 @@ CxPlatTlsSetClientCertPolicy(
     if (SecConfig->Flags & QUIC_CREDENTIAL_FLAG_REVOCATION_CHECK_CACHE_ONLY) {
         ClientCertPolicy.dwCertFlags |= CERT_CHAIN_REVOCATION_CHECK_CACHE_ONLY;
     }
+    if (SecConfig->Flags & QUIC_CREDENTIAL_FLAG_DISABLE_AIA) {
+        ClientCertPolicy.dwCertFlags |= CERT_CHAIN_DISABLE_AIA;
+    }
 
     SecStatus =
         SetCredentialsAttributesW(
@@ -1110,6 +1113,9 @@ CxPlatTlsSecConfigCreate(
     if (CredConfig->Flags & QUIC_CREDENTIAL_FLAG_REVOCATION_CHECK_CACHE_ONLY) {
         Credentials->dwFlags |= SCH_CRED_REVOCATION_CHECK_CACHE_ONLY;
     }
+    if (CredConfig->Flags & QUIC_CREDENTIAL_FLAG_DISABLE_AIA) {
+        Credentials->dwFlags |= CERT_CHAIN_DISABLE_AIA;
+    }
     if (IsClient) {
         Credentials->dwFlags |= SCH_CRED_NO_DEFAULT_CREDS;
         Credentials->pTlsParameters->grbitDisabledProtocols = (DWORD)~SP_PROT_TLS1_3_CLIENT;

src/platform/unittest/TlsTest.cpp

@@ -2222,6 +2222,7 @@ TEST_F(TlsTest, PlatformSpecificFlagsSchannel)
         QUIC_CREDENTIAL_FLAG_REVOCATION_CHECK_END_CERT, QUIC_CREDENTIAL_FLAG_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT,
         QUIC_CREDENTIAL_FLAG_IGNORE_NO_REVOCATION_CHECK, QUIC_CREDENTIAL_FLAG_IGNORE_REVOCATION_OFFLINE,
         QUIC_CREDENTIAL_FLAG_CACHE_ONLY_URL_RETRIEVAL, QUIC_CREDENTIAL_FLAG_REVOCATION_CHECK_CACHE_ONLY,
+        QUIC_CREDENTIAL_FLAG_DISABLE_AIA,
 #ifndef __APPLE__
         QUIC_CREDENTIAL_FLAG_REVOCATION_CHECK_CHAIN,
 #endif