Can't restrict subjectAltNames (SANs) emails in the PKI backend

I have the PKI backend enabled. I created this role:

{
  "allow_any_name": false,
  "allow_bare_domains": false,
  "allow_glob_domains": true,
  "allow_ip_sans": false,
  "allow_localhost": false,
  "allow_subdomains": false,
  "allow_token_displayname": false,
  "allowed_domains": [ "app*.cloud.*.example.com" ],
  "allowed_other_sans" : "email;UTF-8:*@example.com",
  "enforce_hostnames": true,
  "ext_key_usage": [ "ServerAuth" ],
  "key_usage": [ "DigitalSignature", "KeyAgreement", "KeyEncipherment" ]
}

It has a funky glob syntax, but it works well using this certificate generation request:

{
    "ttl" : "2m",
    "common_name": "app.cloud.z.example.com",
    "alt_names":   "app5678.cloud.z.example.com, app9999.cloud.z.example.com"
}

But the request fails when I add an email as another alternative name:

{
    "ttl" : "2m",
    "common_name": "app.cloud.z.example.com",
    "alt_names":   "app5678.cloud.z.example.com, app9999.cloud.z.example.com",
    "other_sans":   "email;UTF-8:requester-dude@example.com"
}

With the error: error marshaling other SANs: strconv.Atoi: parsing "email": invalid syntax. I think it’s looking for the RFC822 email OID but I don’t know what it is or how to write it in OID syntax.

How must I write the allowed_other_sans of the role or the other_sans of the request to accept only emails of the @example.com domain?

Email addresses are checked to verify that they belong to an allowed_domain. So you can add example.com to your allowed domains and toggle allow_bare_domains to on. Alternatively, you could figure out the OID for email addresses, but I’m not sure if doing it that way will work (haven’t tried it).

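As an added illustration (not code from this thread or from Vault itself), a simplified Python model of the two checks the thread touches: the <OID>;UTF-8:<value> shape that other_sans entries are parsed with, which is why a type name such as email fails inside a strconv.Atoi call, and the allowed_domains check that alt_names entries, including email addresses, pass through. The role semantics are an approximation of the behaviour the reply describes, and 1.2.3.4 is a placeholder OID.

```python
import fnmatch

# Constructed role, mirroring the role in the question (only the fields this model uses).
ROLE = {
    "allow_bare_domains": False,
    "allow_glob_domains": True,
    "allowed_domains": ["app*.cloud.*.example.com"],
}

def parse_other_san(spec):
    """Parse one other_sans entry of the assumed form '<dotted OID>;UTF-8:<value>'."""
    oid, sep, rest = spec.partition(";")
    san_type, sep2, value = rest.partition(":")
    if not sep or not sep2:
        raise ValueError(f"malformed other SAN: {spec!r}")
    # The leading field must be a numeric OID; a type name such as 'email'
    # fails right here, which is the class of error quoted in the question.
    arcs = oid.split(".")
    if not all(arc.isdigit() for arc in arcs):
        raise ValueError(f"invalid OID {oid!r}: every arc must be an integer")
    if san_type.upper() not in ("UTF8", "UTF-8"):
        raise ValueError(f"unsupported other SAN type {san_type!r}")
    return tuple(int(arc) for arc in arcs), value

def other_san_error(spec):
    """Rejection reason for an other_sans entry, or None when it parses."""
    try:
        parse_other_san(spec)
    except ValueError as exc:
        return str(exc)
    return None

def name_allowed(name, role):
    """Model of the allowed_domains check for one alt_names entry (not Vault's code).
    An '@' entry is an email: only its domain is compared when allow_bare_domains is set."""
    domain = name.rsplit("@", 1)[-1].lower()
    for allowed in (d.lower() for d in role["allowed_domains"]):
        if role["allow_bare_domains"] and domain == allowed:
            return True
        if role["allow_glob_domains"] and "*" in allowed and fnmatch.fnmatchcase(name.lower(), allowed):
            return True
    return False

def with_email_domain(role, email_domain):
    """Copy of the role adjusted as the reply suggests: add the bare domain and allow it."""
    return dict(role, allow_bare_domains=True,
                allowed_domains=role["allowed_domains"] + [email_domain])
```

Note that the adjustment the reply suggests also makes a hostname SAN of exactly example.com issuable under the role, which is the trade-off the follow-up question is about.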

It seems that if we have a CSR with an email in the SAN, the PKI secrets engine role must have allow_bare_domains enabled.

Is there a way to sign/issue certificates with an email in the SAN without allow_bare_domains enabled?