Re: Subject alternative name
> My certification authority produces certificates where the field
>
> X509v3 Subject Alternative Name:
>
> has a value like: "email:name.surname@domain"
>
> where the string domain is in lower-case letters.
There are several different types of subjectAltNames (SAN). The email
type is for just that, email.
Heimdal does not need a special SAN in the certificate for the client,
but will use the pk-init SAN if it's there.
> But the certificates that the client pkinit wants have a value like
> "principal@DOMAIN", where DOMAIN is in upper-case letters, and the
> whole string is DER encoded?
Yes, and it's a special structure defined in the pk-init RFC; examples of how
to generate the structure are in lib/hx509/data/openssl.cnf. A more verbose
description can be found here:
http://mailman.mit.edu/pipermail/krbdev/2006-November/005185.html
It's only the KDC that is required to have the special SAN.
>
> 1) Is it correct?
> 2) Can I modify the Heimdal code to cancel DER decoding of
> certificates, so as to read this field in plain text?
> 3) If it is possible, what are the implications?
The field is required by the standard, and can optionally be disabled
by all clients, but it's turned on by default, so follow the standard.
> 4) I tried to compile the last snapshots to try the tool hxtool
> to read the Subject Alternative Name field not supported by the last
> version of openssl, but the make command gives me many
> compiling errors. Is there anyone who can give me this tool compiled?
I assume that it broke in vis.c/unvis.c and you used Linux (next time
please send at least the first error message so I can fix the problem).
You can find a snapshot that I test built on linux here:
ftp://ftp.pdc.kth.se/pub/heimdal/src/snapshots/heimdal-alberto.tar.gz
Love
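As an added illustration of the DER structure the reply refers to (example code, not Heimdal's own, which does this through hx509): a minimal Python encoder and decoder for the KRB5PrincipalName from RFC 4556 that the pkinit SAN carries as an otherName with type-id id-pkinit-san (1.3.6.1.5.2.2). The realm and principal names are constructed sample values; the realm is the Kerberos realm, upper-case by convention, as the thread notes.

```python
# Added example (not Heimdal's code): build/read the RFC 4556 KRB5PrincipalName in the pkinit SAN.
ID_PKINIT_SAN = "1.3.6.1.5.2.2"  # OID of the otherName type-id (id-pkinit-san)

def _tlv(tag: int, body: bytes) -> bytes:
    """DER tag + definite length (bodies up to 65535 bytes) + body."""
    n = len(body)
    length = bytes([n]) if n < 0x80 else b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body

def _ctx(num: int, inner: bytes) -> bytes:
    """Context-specific EXPLICIT tag [num], as used throughout the Kerberos ASN.1."""
    return _tlv(0xA0 | num, inner)

def _gs(s: str) -> bytes:
    """KerberosString is a GeneralString (universal tag 27)."""
    return _tlv(0x1B, s.encode("ascii"))

def encode_krb5_principal_name(realm: str, components: list[str], name_type: int = 1) -> bytes:
    """KRB5PrincipalName ::= SEQUENCE { realm [0] Realm, principalName [1] PrincipalName };
    PrincipalName ::= SEQUENCE { name-type [0] Int32, name-string [1] SEQUENCE OF KerberosString }."""
    name_string = _tlv(0x30, b"".join(_gs(c) for c in components))
    # name_type 1 is NT-PRINCIPAL; this one-byte INTEGER only covers 0..127
    principal = _tlv(0x30, _ctx(0, _tlv(0x02, bytes([name_type]))) + _ctx(1, name_string))
    return _tlv(0x30, _ctx(0, _gs(realm)) + _ctx(1, principal))

def _read(buf: bytes, pos: int = 0) -> tuple[int, bytes, int]:
    """Return (tag, body, position after element) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length

def decode_krb5_principal_name(der: bytes) -> tuple[str, list[str]]:
    """Inverse of the encoder: returns (realm, name components)."""
    tag, seq, _ = _read(der)
    if tag != 0x30:
        raise ValueError("KRB5PrincipalName must be a SEQUENCE")
    _, realm_ctx, pos = _read(seq)          # [0] Realm
    _, realm, _ = _read(realm_ctx)
    _, princ_ctx, _ = _read(seq, pos)       # [1] PrincipalName
    _, princ, _ = _read(princ_ctx)
    _, _, pos = _read(princ)                # skip [0] name-type
    _, ns_ctx, _ = _read(princ, pos)        # [1] name-string
    _, ns, _ = _read(ns_ctx)
    comps, pos = [], 0
    while pos < len(ns):
        _, s, pos = _read(ns, pos)
        comps.append(s.decode("ascii"))
    return realm.decode("ascii"), comps
```

Calling encode_krb5_principal_name("EXAMPLE.COM", ["alice"]) gives the DER bytes that the openssl.cnf example mentioned above produces for an otherName of that type; decoding a certificate's SAN the same way is a quick check that the realm is the upper-case Kerberos realm, not a lower-case mail domain.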