add a callback to retrieve missing chain certificates
Often web sites provide incomplete certificate chains meaning that applications have to fill the gaps, or face a certificate validation error. In practice applications can retrieve such incomplete chains by using the authority information access extension. However, GnuTLS at this point does not provide any callbacks to make it easy for applications to plug such missing CAs in verification functions such as gnutls_certificate_verify_peers3() and gnutls_certificate_verify_peers().
We should provide a callback which is used once a missing issuer is detected to ask the application to download the one in the AIA extension. (requested by Michael Catanzaro)
Example web site:
https://incomplete-chain.badssl.com/Example AIA extension:
Authority Information Access (not critical):
Access Method: 1.3.6.1.5.5.7.48.2 (id-ad-caIssuers)
Access Location URI: http://crt.comodoca.com/COMODORSADomainValidationSecureServerCA.crt
Access Method: 1.3.6.1.5.5.7.48.1 (id-ad-ocsp)
Access Location URI: http://ocsp.comodoca.com