rework dns_names helper, remove alloc req.

[cpu]

Description

This branch reworks the EndEntityCert's dns_names helper. Principally it:

• Simplifies the unit testing, and cleans up some misc nits.
• Reworks dns_names and the corresponding subject_name::list_cert_dns_names fns to be infallible, this better matches how we're ignoring invalid DNS names when validating a subject name since ignore invalid value validating dns name list #69.
• Removes the alloc requirement for the dns_names fn.
• Reworks the name ref types to use as_str instead of a From impl
• Removes the GeneralDnsNameRef type (with the potential to restore as future work c.f. Restore GeneralDnsNameRef, use in GeneralName::DnsName. #183)
• Moves the subject_name::list_cert_dns_names free-standing fn to be associated with Cert and named valid_dns_names.

Resolves #46, replaces #50

[cpu]

@djc Interested in your thoughts on this branch. Mostly wanted to clear the path for #159 but then got a little bit carried away.

[codecov]

Codecov Report

Merging #178 (64fb1b7) into main (8d6a733) will increase coverage by 0.21%.
Report is 23 commits behind head on main.
The diff coverage is 92.30%.

@@            Coverage Diff             @@
##             main     #178      +/-   ##
==========================================
+ Coverage   96.31%   96.53%   +0.21%     
==========================================
  Files          17       19       +2     
  Lines        4510     4496      -14     
==========================================
- Hits         4344     4340       -4     
+ Misses        166      156      -10     

Files Changed	Coverage Δ
src/signed_data.rs	100.00% <ø> (ø)
src/subject_name/dns_name.rs	88.66% <85.71%> (+1.79%)	⬆️
src/cert.rs	97.58% <100.00%> (+0.10%)	⬆️
src/end_entity.rs	100.00% <100.00%> (ø)
src/subject_name/verify.rs	91.89% <100.00%> (-0.21%)	⬇️

... and 8 files with indirect coverage changes

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

[djc]

In general I feel that the GeneralDnsNameRef and WildcardDnsNameRef names are not that obvious and fairly verbose, so that is one reason that keeping them private made sense to me. Especially the notion of "General", I suppose? What does that mean?

[cpu]

ci / Measure coverage (pull_request) Failing after 28s

This is time-rs/time#618

ci / Build+test (--all-features, nightly, ubuntu-20.04) (pull_request) Failing after 45s

I think this is a nightly bug? It seems like it doesn't like the . in the ASN.1 language specifier on the backtick code fence:

webpki/src/signed_data.rs

Lines 89 to 94 in adc4944

	/// ```ASN.1
	/// Certificate (SEQUENCE) {
	/// tbsCertificate TBSCertificate,
	/// signatureAlgorithm AlgorithmIdentifier,
	/// signatureValue BIT STRING
	/// }

Switching to asn1 fixes the compile error, but that's not the name Linguist/GitHub use for ASN.1 syntax highlighting.

[ctz]

I think this is a nightly bug?

I think we're just missing an end to the code block?

(the upstream issue that has changed the parser is rust-lang/rust#110800 in case we do need to report the regression though.)

[cpu]

I think we're just missing an end to the code block?

Ah, good catch. I fixed that in this branch, but it's still generating a warning.

I was also able to reproduce with a minimal example for an upstream issue:

/// This is a test:
/// ```ASN.1
/// foo
/// ```
fn main() {
    println!("Hello, world!");
}

(the upstream issue that has changed the parser is rust-lang/rust#110800 in case we do need to report the regression though.)

Thanks! I'll mention that in the issue.

[djc]

Feedback in cpu#1. I think these changes together mean that we can revert/simplify a bunch of the additions from #42, which would be nice?

[cpu]

I think these changes together mean that we can revert/simplify a bunch of the additions from #42, which would be nice?

@djc Thanks, the majority of these changes seem good to me, but I think we might want to consider leaving the GeneralDnsNameRef type.

I thought about removing it when I reworked this branch to iterate w/ &str but after revisiting the context from #42 while working on this branch I remembered that the purpose of this type was to enable something like briansmith/webpki#66 It seemed to me like that's still worthwhile to pursue, but since it's a little bit more involved (and crate-internal) I didn't want to do it for the 0.102 release (or at least, not until I've finished more of the Rustls release blocker work).

WDYT?

[djc]

That's fair. So what do you want to do with cpu#1? Merge it on top of this without making further changes? (I didn't finish reviewing all commits here after I got myself distracted from removing the use of .into().)

[cpu]

That's fair. So what do you want to do with cpu#1? Merge it on top of this without making further changes?

That sounds good to me. I can merge it in and then back out 27a1234.

[djc]

Hmm, yeah, I think that'll leave us with a bunch of warnings -- I'm not sure putting allow(dead_code) on a bunch of stuff here is a great alternative.

Maybe better to remove this code and create a follow-up issue to bring back the ideas from briansmith/webpki#66? Probably something I could pick up soon.

[cpu]

I'm not sure putting allow(dead_code) on a bunch of stuff here is a great alternative.

Good point.

Maybe better to remove this code and create a follow-up issue to bring back the ideas from briansmith/webpki#66? Probably something I could pick up soon.

That sounds good to me. 👍

[cpu]

Maybe better to remove this code and create a follow-up issue

#183

[cpu]

@ctz Could you give this branch an independent review since both myself and Djc have contributed code to it? 🙇

[djc]

As a further change, how do we feel about attaching list_cert_dns_names() to EndEntityCert, or, even better, Cert, as a method? Feels right to me. Maybe change the name to valid_dns_names()?

[cpu]

As a further change, how do we feel about attaching list_cert_dns_names() to EndEntityCert, or, even better, Cert, as a method? Feels right to me. Maybe change the name to valid_dns_names()?

Good idea 👍 I put it on Cert as valid_dns_names.