[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Subject alternative name
> my certification autority produces certificates where the field
> X509v3 Subject Alternative Name:
> has value like: "email:name.surname@domain"
> where the string domain is in lower case letters.
There are several diffrent types of subjectAltNames (SAN). The email
is for just that, email.
Heimdal does not need a special SAN in the certificate for client,
but will use the pk-init SAN if its there.
> But the certificates for the client pkinit wants have a value like
> "principal@DOMAIN" where DOMAIN is in uppercase letters, and all
> the string is DER encoded?
Yes, and its a special structure defined in the pk-init RFC, example how
to generate the structure are in lib/hx509/data/openssl.cnf. A more
description can be found here: http://mailman.mit.edu/pipermail/
Its only the KDC that is required to have the special SAN.
> 1) Is it correct ?
> 2) Can i modify heimdal code to cancel DER deconding from
> certificates, so to read this field in plain text?
> 3) if it is possibible, what are the implications ?
The field is required by the standard, and can optionally be disabled
by all clients,
but its default turned on so follow the standard.
> 4) I proved to compile the last snapshots to prove the tool hxtool
> to read Subject Alternative Name field non supported by last
> version of openssl, but the make command gives me many
> compiling errors. Is there anyone can give me this tool compiled ?
I assume that it broke in vis.c/unvis.c and you used linux (next time
send at least the first error message so I can fix the problem).
You can find a snapshot that I test built on linux here: