Pass NameIterator to verification functions

src/end_entity.rs

@@ -18,7 +18,7 @@ use pki_types::{CertificateDer, SignatureVerificationAlgorithm, TrustAnchor, Uni
 
 use crate::crl::RevocationOptions;
 use crate::error::Error;
-use crate::subject_name::SubjectNameRef;
+use crate::subject_name::{NameIterator, SubjectNameRef};
 use crate::verify_cert::{self, KeyUsage};
 use crate::{cert, signed_data};
 
@@ -110,8 +110,14 @@ impl<'a> EndEntityCert<'a> {
         subject_name: SubjectNameRef,
     ) -> Result<(), Error> {
         match subject_name {
-            SubjectNameRef::DnsName(dns_name) => dns_name.verify_cert_dns_name(self),
-            SubjectNameRef::IpAddress(ip_address) => ip_address.verify_cert_ip_addresses(self),
+            SubjectNameRef::DnsName(dns_name) => dns_name.verify_dns_names(NameIterator::new(
+                Some(self.inner.subject),
+                self.inner.subject_alt_name,
+            )),
+            // IP addresses are not compared against the subject field;
+            // only against Subject Alternative Names.
+            SubjectNameRef::IpAddress(ip_address) => ip_address
+                .verify_ip_address_names(NameIterator::new(None, self.inner.subject_alt_name)),
         }
     }
 

src/subject_name/dns_name.rs

@@ -85,9 +85,9 @@ impl<'a> DnsNameRef<'a> {
         Self::try_from_ascii(dns_name.as_bytes())
     }
 
-    pub(crate) fn verify_cert_dns_name(&self, cert: &crate::EndEntityCert) -> Result<(), Error> {
+    pub(crate) fn verify_dns_names(&self, mut names: NameIterator<'_>) -> Result<(), Error> {
         let dns_name = untrusted::Input::from(self.as_str().as_bytes());
-        NameIterator::new(Some(cert.subject), cert.subject_alt_name)
+        names
             .find_map(|result| {
                 let name = match result {
                     Ok(name) => name,

src/subject_name/ip_address.rs

@@ -52,38 +52,30 @@ pub enum IpAddrRef<'a> {
 }
 
 impl<'a> IpAddrRef<'a> {
-    pub(crate) fn verify_cert_ip_addresses(
-        &self,
-        cert: &crate::EndEntityCert,
-    ) -> Result<(), Error> {
+    pub(crate) fn verify_ip_address_names(&self, mut names: NameIterator<'_>) -> Result<(), Error> {
         let ip_address = match self {
             IpAddrRef::V4(_, ref ip_address_octets) => untrusted::Input::from(ip_address_octets),
             IpAddrRef::V6(_, ref ip_address_octets) => untrusted::Input::from(ip_address_octets),
         };
 
-        NameIterator::new(
-            // IP addresses are not compared against the subject field;
-            // only against Subject Alternative Names.
-            None,
-            cert.subject_alt_name,
-        )
-        .find_map(|result| {
-            let name = match result {
-                Ok(name) => name,
-                Err(err) => return Some(Err(err)),
-            };
-
-            let presented_id = match name {
-                GeneralName::IpAddress(presented) => presented,
-                _ => return None,
-            };
-
-            match presented_id_matches_reference_id(presented_id, ip_address) {
-                true => Some(Ok(())),
-                false => None,
-            }
-        })
-        .unwrap_or(Err(Error::CertNotValidForName))
+        names
+            .find_map(|result| {
+                let name = match result {
+                    Ok(name) => name,
+                    Err(err) => return Some(Err(err)),
+                };
+
+                let presented_id = match name {
+                    GeneralName::IpAddress(presented) => presented,
+                    _ => return None,
+                };
+
+                match presented_id_matches_reference_id(presented_id, ip_address) {
+                    true => Some(Ok(())),
+                    false => None,
+                }
+            })
+            .unwrap_or(Err(Error::CertNotValidForName))
     }
 }