Remove webpki types from the public API

[briansmith]

There will be several backward-compatibility-breaking changes to the webpki API over the next year and beyond. Since the goal for the Rustls API is to be pretty stable and rarely have breaking changes, we need to insulate Rustls from those changes so that it can upgrade its version of webpki to the latest (and only supported) version without changing its public API.

In the case of webpki::Error in Rustls's Error type, I think we should change it to Box<impl Debug> or similar.

[briansmith]

@djc Besides webpki::Error, are there any remaining webpki types in the public API?

[djc]

• RootCertStore::add_server_trust_anchors()
• Methods and From/Into impls for OwnedTrustAnchor
• ClientHello::server_name
• The DnsName variant in ServerName and <TryFrom<&str> for ServerName>::Error
• CertifiedKey::cross_check_end_entity_cert()
• ClientCertVerifier method arguments

[briansmith]

• RootCertStore::add_server_trust_anchors()
• Methods and From/Into impls for OwnedTrustAnchor

These could be controlled with a webpki-<version> feature. Then we'd add new webpki-<version+1> feature for each webpki version.

ClientHello::server_name

It seems like this is a problem only because Rustls exposes a lot of internals to the outside that ideally shouldn't be exposed. I think we can/should hide these by default, and maybe provide an "unstable-api" feature that exposes them.

The DnsName variant in ServerName and <TryFrom<&str> for ServerName>::Error

I think the goal here is to make Rustls public API operate directly on &str or &[u8] or so.

[djc]

I think the only open item here is impl From<webpki::Error> for WebPkiError, which is fixed in #792.

[djc]

This is done.