My certification authority produces certificates where the field

X509v3 Subject Alternative Name:

has a value like: "email:[EMAIL PROTECTED]"

where the domain string is in lowercase letters.

There are several different types of subjectAltNames (SAN). The email type
is for just that, email.

Heimdal does not need a special SAN in the certificate for the client,
but will use the pk-init SAN if it's there.

But the certificates that the client pkinit wants have a value like "[EMAIL PROTECTED]", where DOMAIN is in uppercase letters, and the whole string is DER encoded?

Yes, and it's a special structure defined in the pk-init RFC; an example of how
to generate the structure is in lib/hx509/data/openssl.cnf. A more verbose description can be found here: http://mailman.mit.edu/pipermail/krbdev/2006-November/005185.html

It's only the KDC that is required to have the special SAN.

1) Is it correct?
2) Can I modify the Heimdal code to cancel DER decoding of certificates, so as to read this field in plain text?
3) If it is possible, what are the implications?

The field is required by the standard, and can optionally be disabled by all clients,
but it's turned on by default, so follow the standard.

4) I tried to compile the latest snapshots to try the hxtool tool to read the Subject Alternative Name field not supported by the latest version of OpenSSL, but the make command gives me many compiling errors. Can anyone give me this tool compiled?

I assume that it broke in vis.c/unvis.c and you used Linux (next time please
send at least the first error message so I can fix the problem).

You can find a snapshot that I test-built on Linux here:
ftp://ftp.pdc.kth.se/pub/heimdal/src/snapshots/heimdal-alberto.tar.gz

Love
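To illustrate what "DER encoded" means for the pk-init SAN discussed above, here is an added example (not code from the thread or from Heimdal) that encodes and decodes the KRB5PrincipalName structure the SAN carries, in pure Python. Unlike the email SAN, the realm and name components sit inside tagged ASN.1 SEQUENCEs, which is why the field cannot simply be read as a plain string; the principal names used are constructed.

```python
# Added example (not from the thread): pure-Python DER encode/decode of
# KRB5PrincipalName, the value carried in the PKINIT SAN (id-pkinit-san,
# RFC 4556 3.2.2). Sample principals used with it are constructed.

def _der_len(n):  # DER length octets, short or long form
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def _general_string(s):  # KerberosString is a GeneralString, tag 0x1B
    return _tlv(0x1B, s.encode("ascii"))

def _integer(i):  # minimal two's-complement INTEGER, tag 0x02
    return _tlv(0x02, i.to_bytes(max(1, (i.bit_length() + 8) // 8), "big", signed=True))

def encode_krb5_principal_name(principal, name_type=1):
    """'user/inst@REALM' -> DER KRB5PrincipalName (name-type 1 = NT-PRINCIPAL)."""
    name, realm = principal.rsplit("@", 1)
    components = b"".join(_general_string(c) for c in name.split("/"))
    principal_name = _tlv(0x30, _tlv(0xA0, _integer(name_type))
                          + _tlv(0xA1, _tlv(0x30, components)))
    # SEQUENCE { realm [0] Realm, principalName [1] PrincipalName }
    return _tlv(0x30, _tlv(0xA0, _general_string(realm)) + _tlv(0xA1, principal_name))

def _read_tlv(buf, pos=0):  # -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(buf):  # split a constructed value into its child TLVs
    out, pos = [], 0
    while pos < len(buf):
        tag, value, pos = _read_tlv(buf, pos)
        out.append((tag, value))
    return out

def decode_krb5_principal_name(der):
    """DER KRB5PrincipalName -> (realm, name_type, [name components])."""
    tag, body, _ = _read_tlv(der)
    (t0, realm_ctx), (t1, pn_ctx) = _children(body)
    if tag != 0x30 or (t0, t1) != (0xA0, 0xA1):
        raise ValueError("not a KRB5PrincipalName")
    realm = _read_tlv(realm_ctx)[1].decode("ascii")
    (_, nt_ctx), (_, ns_ctx) = _children(_read_tlv(pn_ctx)[1])
    name_type = int.from_bytes(_read_tlv(nt_ctx)[1], "big", signed=True)
    names = [v.decode("ascii") for _, v in _children(_read_tlv(ns_ctx)[1])]
    return realm, name_type, names
```

Round-tripping `encode_krb5_principal_name("alberto@EXAMPLE.COM")` through the decoder returns `('EXAMPLE.COM', 1, ['alberto'])`, with the realm preserved exactly as written.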
