Hi, consider an incoming PKCS#10 request (doesn't matter if via web frontend or via SCEP). This request can contain one or more subjectAltName attributes.
OpenCA currently silently drops the SubjectAltNames from the request. Depending on CA policy it may be desired to retain the SubjectAltName(s) supplied in the request and show them later in viewCSR and editCSR.

In crypto_get_csr_subject_alt_name() the system automatically determines a *new* email SubjectAltName from the email address, but there is no such code for DNS and IP SANs. There is currently no code for retaining the old SubjectAltName.

I just realized I need this stuff, and I'd like to implement it ASAP. If you think this is useful, I will also commit it to 0.9.2.

I see two ways to implement it:

1. after receiving the PKCS#10 (this is possible via web frontend or via SCEP) read the SAN values from the request, construct a corresponding request HEADER and store it along with the request
   -> advantage: no need to change anything else
   -> disadvantage: ugly, needs to be done on every PKCS#10 input interface

2. modify all functions that parse the request to handle SANs in the request itself properly, this affects viewCSR, editCSR and probably also issueCertificate

1. is easier, 2. is cleaner but there are more things that can go wrong in implementation.

Help, please... :-)

Martin

_______________________________________________
OpenCA-Devel mailing list
OpenCA-Devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openca-devel
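
Both options in the message above start from the same step: reading the requested SANs out of the PKCS#10 extensionRequest attribute. The following is an added example, not code from the original post or from OpenCA (which is written in Perl); it walks the DER by hand, does not verify the request signature, and every function name and the sample request are constructed for illustration.

```python
import ipaddress

OID_EXT_REQ = bytes.fromhex("2a864886f70d01090e")   # 1.2.840.113549.1.9.14 extensionRequest
OID_SAN = bytes.fromhex("551d11")                   # 2.5.29.17 subjectAltName
ia5 = lambda v: v.decode("ascii")                   # IA5String payloads must be ASCII
GENERAL_NAMES = {0x81: ("email", ia5), 0x82: ("DNS", ia5),      # context tags [1], [2]
                 0x87: ("IP", lambda v: str(ipaddress.ip_address(v)))}   # [7]

def read_tlv(buf, pos):  # -> (tag, value, next_pos) for the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def children(body):  # split a constructed element's contents into (tag, value) pairs
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

def csr_sans(der):
    """Return (kind, value) for each SAN in the request's extensionRequest attribute."""
    info = children(children(read_tlv(der, 0)[1])[0][1])     # CertificationRequestInfo
    sans = []
    for attr in (a for t, v in info if t == 0xA0 for _, a in children(v)):
        (_, oid), (_, values) = children(attr)[:2]
        if oid != OID_EXT_REQ:
            continue
        for fields in (children(e) for _, s in children(values) for _, e in children(s)):
            if fields[0][1] == OID_SAN:                      # extnValue wraps GeneralNames
                for tag, val in children(read_tlv(fields[-1][1], 0)[1]):
                    kind, decode = GENERAL_NAMES.get(tag, ("other[%d]" % (tag & 0x1F), bytes.hex))
                    sans.append((kind, decode(val)))
    return sans

def tlv(tag, body):  # DER encoder, used only to build the constructed sample (< 256 bytes)
    size = bytes([len(body)]) if len(body) < 0x80 else bytes([0x81, len(body)])
    return bytes([tag]) + size + body

def sample_csr():  # constructed PKCS#10 skeleton: empty subject/key, dummy signature
    names = tlv(0x82, b"www.example.org") + tlv(0x87, b"\xc0\x00\x02\x0a") + tlv(0x81, b"ca@example.org")
    ext = tlv(0x30, tlv(0x06, OID_SAN) + tlv(0x04, tlv(0x30, names)))
    attr = tlv(0x30, tlv(0x06, OID_EXT_REQ) + tlv(0x31, tlv(0x30, ext)))
    info = tlv(0x30, b"\x02\x01\x00" + tlv(0x30, b"") + tlv(0x30, b"") + tlv(0xA0, attr))
    return tlv(0x30, info + tlv(0x30, b"") + tlv(0x03, bytes(65)))
```

`csr_sans(sample_csr())` returns the requested names as typed pairs. GeneralName types the table does not know come back as `other[n]` with a hex value instead of being dropped, so an operator can see everything the requester asked for.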