proposal: crypto/tls: Support for optional SPIFFEID in tls.Config

[jsnctl]

Proposal Details

The SPIFFE specification denotes that X.509 SVIDs should contain a single URI SAN entry containing a SPIFFEID for certificate verification purposes.

At the moment, tls.Config does not have a means to configure the inspection of the URI SAN of a given certificate. A common workaround is to use ServerName with an expected value of a DNS SAN, but it would be useful to be able to optionally verify the SPIFFEID of a returned certificate directly with the URI entry.

This could be achieved by adding a new field (something like ExpectedSPIFFEID or similar) to tls.Config, which would be used by the client if provided in the config, and making the requisite handling changes in the verification process.

[seankhliao]

Given the existence of https://pkg.go.dev/github.com/spiffe/go-spiffe/v2@v2.5.0/spiffetls
I think this is out of scope for crypto/tls, which targets general Web usage.

[jsnctl]

Thanks for the context @seankhliao. As an alternative, would a more generic URI SAN field (i.e. not SPIFFE specific) in the Config be more palatable?

[seankhliao]

I think not, it's outside the target use case of web, and it can be done by combining InsecureSkipVerify with VerifyPeerCertoficate