Increase test coverage of IP address support #14

This was currently broken, since one of the tests required RSA ( = alloc feature) and real time (= std feature). The latter is a mistake, cos tests should really be time-invariant.

Introduce `IpAddressRef`, `DnsNameOrIpRef` and the owned type `IpAddress`. Introduce a new public function `verify_is_valid_for_dns_name_or_ip` that validates a given host name or IP address against a certificate. IP addresses are only compared against Subject Alternative Names. It's possible to convert the already existing types `DnsNameRef` and `IpAddressRef` into a `DnsNameOrIpRef` for better ergonomics when calling to `verify_cert_dns_name_or_ip`. The behavior of `verify_cert_dns_name` has not been altered, and works in the same way as it has done until now, so that if `webpki` gets bumped as a dependency, it won't start accepting certificates that would have been rejected until now without notice. Neither `IpAddressRef`, `DnsNameOrIpRef` nor `IpAddress` can be instantiated directly. They must be instantiated through the `try_from_ascii` and `try_from_ascii_str` public functions. This ensures that instances of these types are correct by construction. IPv6 addresses are only validated and supported in their uncompressed form. Signed-off-by: Rafael Fernández López <ereslibre@ereslibre.es>

current_textual_octet is [u8; 3] but it was indexed by an unbounded count of octets if they matched 1..9.

rfc5952 says both are allowed.

Seems better to convert from ascii to radix-10 at the time that is known, rather than doing that validation twice (and skipping a digit as an error handling strategy).

This adds 100% line coverage to the IPv4 and IPv6 subject alternative names validation implementation.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Increase test coverage of IP address support #14

Increase test coverage of IP address support #14

Commits on Dec 11, 2022