get rfc822Name/email from certificate's SAN? #72

Open
ian-p-cooke opened this issue Jan 16, 2018 · 1 comment

@ian-p-cooke

I don't see a way to get an email address out of a certificate's subject_alternate_name. Is that something that webpki could support? I think this is related to #64.

I have client certificates from which I want to get the email after verification is successful. Today I'm using openssl like this but I'm trying to avoid that dependency.

@briansmith
Owner

There are two features here that I see:

  1. How can I validate that a certificate is valid for a given email address given up front?
  2. How can I iterate through the email addresses for which a certificate is valid?

I would expect that if one is doing S/MIME or similar then the first kind of API would be needed. I suspect that if somebody is implementing e.g. TLS client authentication then they might have a system that doesn't allow the first kind of API to be used and so the second kind of API is needed.

Here's what I think would be required for this to be merged:

  1. Implement the first kind of API, where the email address(es) for which the certificate must be valid is/are passed as inputs, similar to the existing API for DNS name validation.
  2. Implement add a method to collect the DNS names from a certificate #65/Get DNS Names from a certificate #79.
  3. Generalize add a method to collect the DNS names from a certificate #65/Get DNS Names from a certificate #79 to the email address case.

With good tests at each stage.
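
The two API shapes described in the comment above, sketched over a bare subjectAltName extension value. This is an added example, not webpki code and not written by either commenter; `read_tlv`, `rfc822_names`, `valid_for_email` and `SAMPLE_SAN` are hypothetical names, and the input is assumed to come from a certificate that has already passed chain verification.

```rust
// Added illustration, not webpki's API; all names are hypothetical. Input is the DER
// value of a subjectAltName extension (GeneralNames) from an already-verified cert.

/// Read one DER TLV (lengths up to 2 bytes); returns (tag, value, rest).
fn read_tlv(input: &[u8]) -> Option<(u8, &[u8], &[u8])> {
    let (&tag, rest) = input.split_first()?;
    let (&first, rest) = rest.split_first()?;
    let (len, rest) = if first < 0x80 {
        (first as usize, rest)
    } else {
        let n = (first & 0x7f) as usize;
        if n == 0 || n > 2 || rest.len() < n { return None; }
        let len = rest[..n].iter().fold(0usize, |acc, &b| (acc << 8) | b as usize);
        if len < 0x80 || (n == 2 && len < 0x100) { return None; } // non-minimal
        (len, &rest[n..])
    };
    if rest.len() < len { return None; }
    Some((tag, &rest[..len], &rest[len..]))
}

/// Second kind of API: every rfc822Name ([1] IA5String, tag 0x81) in the SAN.
pub fn rfc822_names(san: &[u8]) -> Option<Vec<&str>> {
    let (tag, mut names, trailing) = read_tlv(san)?;
    if tag != 0x30 || !trailing.is_empty() { return None; }
    let mut out = Vec::new();
    while !names.is_empty() {
        let (tag, value, rest) = read_tlv(names)?;
        if tag == 0x81 {
            if !value.is_ascii() { return None; } // IA5String is 7-bit
            out.push(std::str::from_utf8(value).ok()?);
        }
        names = rest;
    }
    Some(out)
}

/// First kind of API: is the certificate valid for the address given up front?
/// RFC 5280 section 7.5: local part exact, host part ASCII case-insensitive.
pub fn valid_for_email(san: &[u8], email: &str) -> bool {
    let (local, host) = match email.rsplit_once('@') { Some(p) => p, None => return false };
    rfc822_names(san).map_or(false, |names| names.iter().any(|n| {
        n.rsplit_once('@').map_or(false, |(l, h)| l == local && h.eq_ignore_ascii_case(host))
    }))
}

// Constructed sample: SEQUENCE { [1] "ian@Example.com", [2] "example.com" }
pub const SAMPLE_SAN: &[u8] = b"\x30\x1e\x81\x0fian@Example.com\x82\x0bexample.com";

fn main() { println!("{:?}", rfc822_names(SAMPLE_SAN)); }
```

Any malformed or truncated SAN makes `rfc822_names` return `None`, which `valid_for_email` treats as "not valid", so parsing errors fail closed.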
