Bug #652
Closed
Multi-value extensions are not always correctly created
Description
Subject Alternative Names (subjectAltName) is always a multi-value extension, but it is not created as such if only one entry for the extension exists.
The low-level problem with this is to "know" beforehand if an extension is multi-value and to correctly create it as such even with only one value.
A hacky solution is to add the request's subject common name as a DNS-based entry, technically enforcing subjectAltName to be created as multi-value, but that does not work for every extension, so a better solution needs to be found here.
Updated by Felix Tiede over 5 years ago
The current solution is now more flexible and uses the extension's nid to determine necessary behavior.
This still poses the issue that it is not generally known whether or not an extension requires encoding as a collection, so it's possible that an API addendum to X509Extension is required to expose this new feature properly. This is, however, not exactly in the scope of this bug.
Updated by Felix Tiede over 5 years ago
- % Done changed from 70 to 80
With f814b0b69a589952abc6ed1219816e5976529bb5, class X509Extension has learned to adhere to what was loaded from the OpenSSL backend.
Updated by Felix Tiede over 5 years ago
- Status changed from In Progress to Closed
- % Done changed from 80 to 100
Applied in changeset libkca_ossl|e6f0305e2beaf21119beec240b5dd4a60ed569dd.
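
The encoding rule behind this bug, as an added example (not code from libkca_ossl and not using OpenSSL): the subjectAltName value is a GeneralNames SEQUENCE, so the 0x30 wrapper must be present even when there is a single entry. The function names are hypothetical, the DER is hand-encoded, and only dNSName entries are covered.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

using Bytes = std::vector<uint8_t>;
// Wrap content in a DER tag-length-value triple (short or long length form).
Bytes tlv(uint8_t tag, const Bytes& content) {
    Bytes out{tag};
    size_t n = content.size();
    if (n < 0x80) {
        out.push_back(static_cast<uint8_t>(n));
    } else {
        Bytes len;
        for (; n > 0; n >>= 8) len.insert(len.begin(), static_cast<uint8_t>(n & 0xff));
        out.push_back(static_cast<uint8_t>(0x80 | len.size()));
        out.insert(out.end(), len.begin(), len.end());
    }
    out.insert(out.end(), content.begin(), content.end());
    return out;
}

// GeneralName dNSName is [2] IMPLICIT IA5String, i.e. tag byte 0x82.
Bytes dnsName(const std::string& host) {
    return tlv(0x82, Bytes(host.begin(), host.end()));
}

// GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName; wrapper kept for one entry too.
Bytes encodeSubjectAltName(const std::vector<std::string>& hosts) {
    Bytes body;
    for (const auto& h : hosts) {
        Bytes gn = dnsName(h);
        body.insert(body.end(), gn.begin(), gn.end());
    }
    return tlv(0x30, body);
}

// Outer check only: value is a non-empty SEQUENCE spanning the whole buffer.
bool isSequenceWrapped(const Bytes& v) {
    if (v.size() < 2 || v[0] != 0x30) return false;
    size_t len = v[1], hdr = 2;
    if (len & 0x80) {
        size_t n = len & 0x7f;
        if (n == 0 || n > sizeof(size_t) || v.size() < 2 + n) return false;
        len = 0; hdr = 2 + n;
        for (size_t i = 0; i < n; ++i) len = (len << 8) | v[2 + i];
    }
    return len > 0 && v.size() - hdr == len;
}
```

A bare `dnsName(...)` value used as the extension content is what the bug title describes; `isSequenceWrapped` rejects it because the first byte is 0x82 rather than 0x30.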