Remove subject common name parsing

[hawkw]

Currently, rustls-webpki fails to parse common names names from certificates where the subject common name is not a UTF8String, or a SEQUENCE containing an empty SET. This is incorrect, as some spec-compliant encoders may emit PrintableString rather than UTF8String, and may represent an empty subject common name as an empty SEQUENCE, rather than a SEQUENCE of empty SET. This results in issues while iterating over the subject alternate names of such a certificate, as described in #167.

Rather than changing the common name parsing to support such cases, the simplest solution to these issues is to remove common name parsing entirely. As explained by @cpu in #167 (comment):

For the purpose of certificate validation we only rely on SANs. The common name handling code is only used for verifying name constraints, and for the name iteration code that you found the bug with. For the former, if we assume the webpki profile the subj. CN must be present as a SAN, so validating the SANs vs the constraints seems sufficient (?). For the latter, it seems potentially confusing to return a name from the CN that doesn't get used for validation (though again, the webpki profile would require that it matches a SAN value).

Therefore, this branch does the following:

• Introduce tests for iterating over the DNS names in certificates where the CN is a PrintableString (a53c3ee) and where the CN is an empty SEQUENCE (c075316),
• Remove the existing tests for name constraints involving CNs which are not also present in the SANs, since the webpki profile requires the CN to also be a SAN (7d31075)
• Remove the common name parsing from rustls-webpki entirely (ac1740c and 429a316)

Fixes #167

[codecov]

Codecov Report

Merging #169 (a863348) into main (932ad95) will increase coverage by 0.00%.
The diff coverage is 97.60%.

@@           Coverage Diff           @@
##             main     #169   +/-   ##
=======================================
  Coverage   96.70%   96.71%           
=======================================
  Files          15       16    +1     
  Lines        4549     4532   -17     
=======================================
- Hits         4399     4383   -16     
+ Misses        150      149    -1     

Files Changed	Coverage Δ
src/der.rs	99.57% <ø> (ø)
src/subject_name/verify.rs	96.41% <93.75%> (+0.07%)	⬆️
src/end_entity.rs	100.00% <100.00%> (ø)
src/test_utils.rs	100.00% <100.00%> (ø)
src/verify_cert.rs	97.86% <100.00%> (-0.28%)	⬇️

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

📢 Have feedback on the report? Share it here.

[cpu]

Here's some initial feedback. Thanks again for running with this 🎉 It will be really nice to put another nail in the subject common name coffin.

[djc]

Some thoughts on how to make the commit history a bit cleaner...

[djc]

Yup, this is great! I'd probably have kept the extraction/move of test utils in a separate commit, but that doesn't matter as much.

BTW, the content of the changes looks great, some nice simplification here.

[hawkw]

I'd probably have kept the extraction/move of test utils in a separate commit, but that doesn't matter as much.

Ah, yeah, probably should have pulled that out, my bad! Oh well --- not sure if it can be easily changed now.

Also, I had to force-push again after noticing a clippy lint on an earlier commit, so if you don't mind, it looks like CI will need to be re-approved.

[cpu]

Nice work!

[cpu]

I'm going to leave this unmerged overnight to give ctz a chance to do a review in case he's interested. If it isn't merged or reviewed by the time I log back on east-coast morning time tomorrow. I'll go ahead and merge.

[hawkw]

@cpu Sounds good to me! We would love to be able to get a release with this fixed, of course. But, since it looks you all are in the middle of getting v0.102.0 ready , we can definitely take a Git dependency in the meantime.

Thanks so much for all your guidance on figuring out the issue and how to fix it, I really appreciate it!

[ctz]

Looks great, thanks!

[djc]

@hawkw if you want to do a backport to 0.101.x we'd be happy to review and merge that, but other than that, taking on a rustls alpha release might make sense? Will require some other changes though (but would be great to have early feedback on those anyway). Backport probably won't be completely trivial, this code changed a bunch since 0.101.

[cpu]

I'm working on a 0.101.x release branch, I can take a look at folding this in.

[cpu]

I'm working on a 0.101.x release branch, I can take a look at folding this in.

It wasn't too bad to backport 👍 #170

[hawkw]

I'm working on a 0.101.x release branch, I can take a look at folding this in.

It wasn't too bad to backport 👍 #170

Thank you, that's wonderful! I would've been fine with a Git dep on the alpha, so thank you for going out of your way to do that!