crl: retain issuing distribution point extension

[cpu]

Description

This branch implements the second requirement for resolving #121 - support for parsing and retaining the CRL issuing distribution point extension. This is similar, but not identical to the certificate CRL distribution points extension.

crl/cert: make reason codes more ergonomic.

This commit adds an iterator over all possible crl::RevocationReason values. This avoids needing to hard-code the variant values into a range, or remember to skip the unused values.

cert: lift DistributionPointName bits to x509.

Previously we implemented support for parsing the optional DistributionPointName from a certificate's CRL distribution points
extension with code/types in cert.rs.

While the top-level extension differs slightly for the CRL issuing distribution point extension, it shares the same encoding for the
distributionPoint field holding a DistributionPointName.

In anticipation of sharing this code between cert.rs and crl.rs this commit lifts the existing code from cert.rs into x509.rs where it can more easily be shared between the two, similar to other bits common to both certs and CRLs.

crl: retain CRL issuing distribution point ext.

This commit updates both the BorrowedCertRevocationList and OwnedCertRevocationList to retain the raw DER encoding of the CRL issuing distribution point extension, if present. The CertRevocationList trait is then updated with
a issuing_distribution_point fn that can return the raw DER for further processing when considering a CRL during CRL validation (not yet implemented).

This commit additionally adds crate-local functions and types for working with a parsed representation of the CRL issuing distribution point extension. This mostly involves recognizing the top level extension properties. We're able to share some code with the certificate CRL distribution point extension (notably for handling the distribution point names).

Having both the certificate CRL distribution points, and the CRL issuing distribution point will allow subsequent work to tighten up the CRL validation process by matching information between the two.

crls: test issuing distribution point ext.

This commit adds test coverage for the new parsing logic for CRL issuing distribution point extensions.

For the "happy" paths we use a small Python script that uses pyca cryptography to generate test CRLs with the required extensions.

For some invalid testcases we can't easily use pyca cryptography due to its (sensible) error checking. Instead, we use ascii2der, tweaking the ASCII representation of previously generated CRLs to produce the required invalid DER, converting back to DER with der2ascii. The associated .txt and .der files are checked in for convenience.

The new test case generation is done separately from tests/generate.py because these test files are used in unit tests (since the code under test is internal to the crate) as opposed to integration tests (like tests/generate.py creates).

The net result is full coverage for the new parsing code.

ci: include CRL issuing distrib. point test gen in CI

This commit extends the existing testgen.yml workflow to also ensure that running the CRL issuing distribution point testcase generation produces no diffs from what's checked-in.

[codecov]

Codecov Report

Merging #128 (d3b9e03) into main (92a91ac) will increase coverage by 0.31%.
The diff coverage is 94.73%.

@@            Coverage Diff             @@
##             main     #128      +/-   ##
==========================================
+ Coverage   95.04%   95.35%   +0.31%     
==========================================
  Files          15       15              
  Lines        3735     4007     +272     
==========================================
+ Hits         3550     3821     +271     
- Misses        185      186       +1     

Files Changed	Coverage Δ
src/error.rs	48.93% <37.50%> (-2.18%)	⬇️
src/crl.rs	99.66% <99.27%> (-0.34%)	⬇️
src/cert.rs	96.80% <100.00%> (+0.10%)	⬆️
src/x509.rs	98.11% <100.00%> (+0.55%)	⬆️

... and 1 file with indirect coverage changes

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

[cpu]

I think this is generally ready for review now.

codecov/patch Failing after 1s — 92.33% of diff hit (target 95.02%)

I see a couple low hanging test cases I missed, will push a revision.

[cpu]

I see a couple low hanging test cases I missed, will push a revision.

Done.

94.81% of diff hit (target 95.02%)

So close 😩 In crl.rs it's detecting a -0.34% change that seems to be from unreachable panic!'s in my unit test. I'm going to ignore that.

The other gap is in error.rs and comes from reordering the weights in rank to make room for two new error variants. I think it's fair to ignore that too? We will get some more coverage there via part 3 and emitting the new CRL errors during validation.

[cpu]

Thanks for the 🔍's