Address further IP address support feedback

Cargo.toml

@@ -33,9 +33,11 @@ include = [
     "src/der.rs",
     "src/end_entity.rs",
     "src/error.rs",
-    "src/name.rs",
-    "src/name/dns_name.rs",
-    "src/name/ip_address.rs",
+    "src/subject_name/dns_name.rs",
+    "src/subject_name/ip_address.rs",
+    "src/subject_name/mod.rs",
+    "src/subject_name/name.rs",
+    "src/subject_name/verify.rs",
     "src/name/verify.rs",
     "src/name/name.rs",
     "src/signed_data.rs",

src/end_entity.rs

@@ -13,7 +13,7 @@
 // OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
 use crate::{
-    cert, name, signed_data, verify_cert, DnsNameRef, Error, SignatureAlgorithm, SubjectNameRef,
+    cert, signed_data, subject_name, verify_cert, Error, SignatureAlgorithm, SubjectNameRef,
     TLSClientTrustAnchors, TLSServerTrustAnchors, Time,
 };
 use core::convert::TryFrom;
@@ -25,8 +25,6 @@ use core::convert::TryFrom;
 ///
 /// * `EndEntityCert.verify_is_valid_tls_server_cert`: Verify that the server's
 ///   certificate is currently valid *for use by a TLS server*.
-/// * `EndEntityCert.verify_is_valid_for_dns_name`: Verify that the server's
-///   certificate is valid for the host that is being connected to.
 /// * `EndEntityCert.verify_is_valid_for_subject_name`: Verify that the server's
 ///   certificate is valid for the host or IP address that is being connected to.
 ///
@@ -38,11 +36,6 @@ use core::convert::TryFrom;
 ///
 /// * `EndEntityCert.verify_is_valid_tls_client_cert`: Verify that the client's
 ///   certificate is currently valid *for use by a TLS client*.
-/// * `EndEntityCert.verify_is_valid_for_dns_name` or
-///   `EndEntityCert.verify_is_valid_for_at_least_one_dns_name`: Verify that the
-///   client's certificate is valid for the identity or identities used to
-///   identify the client. (Currently client authentication only works when the
-///   client is identified by one or more DNS hostnames.)
 /// * `EndEntityCert.verify_signature`: Verify that the client's signature in
 ///   its `CertificateVerify` message is valid using the public key from the
 ///   client's certificate.
@@ -146,17 +139,12 @@ impl<'a> EndEntityCert<'a> {
         )
     }
 
-    /// Verifies that the certificate is valid for the given DNS host name.
-    pub fn verify_is_valid_for_dns_name(&self, dns_name: DnsNameRef) -> Result<(), Error> {
-        name::verify_cert_dns_name(self, dns_name)
-    }
-
     /// Verifies that the certificate is valid for the given Subject Name.
     pub fn verify_is_valid_for_subject_name(
         &self,
         subject_name: SubjectNameRef,
     ) -> Result<(), Error> {
-        name::verify_cert_subject_name(self, subject_name)
+        subject_name::verify_cert_subject_name(self, subject_name)
     }
 
     /// Verifies the signature `signature` of message `msg` using the

src/lib.rs

@@ -38,8 +38,8 @@ mod calendar;
 mod cert;
 mod end_entity;
 mod error;
-mod name;
 mod signed_data;
+mod subject_name;
 mod time;
 mod trust_anchor;
 pub mod trust_anchor_util;
@@ -49,26 +49,26 @@ mod verify_cert;
 pub use {
     end_entity::EndEntityCert,
     error::Error,
-    name::{
-        ip_address::AddrParseError, ip_address::IpAddrRef, DnsNameRef, InvalidDnsNameError,
-        InvalidSubjectNameError, SubjectNameRef,
-    },
     signed_data::{
         SignatureAlgorithm, ECDSA_P256_SHA256, ECDSA_P256_SHA384, ECDSA_P384_SHA256,
         ECDSA_P384_SHA384, ED25519,
     },
+    subject_name::{
+        AddrParseError, DnsNameRef, InvalidDnsNameError, InvalidSubjectNameError, IpAddrRef,
+        SubjectNameRef,
+    },
     time::Time,
     trust_anchor::{TLSClientTrustAnchors, TLSServerTrustAnchors, TrustAnchor},
 };
 
 #[cfg(feature = "alloc")]
 pub use {
-    name::{ip_address::IpAddr, DnsName},
     signed_data::{
         RSA_PKCS1_2048_8192_SHA256, RSA_PKCS1_2048_8192_SHA384, RSA_PKCS1_2048_8192_SHA512,
         RSA_PKCS1_3072_8192_SHA384, RSA_PSS_2048_8192_SHA256_LEGACY_KEY,
         RSA_PSS_2048_8192_SHA384_LEGACY_KEY, RSA_PSS_2048_8192_SHA512_LEGACY_KEY,
     },
+    subject_name::{DnsName, IpAddr},
 };
 
 #[cfg(feature = "alloc")]

src/name.rs → src/subject_name/mod.rs

@@ -19,11 +19,14 @@ pub use dns_name::{DnsNameRef, InvalidDnsNameError};
 #[cfg(feature = "alloc")]
 pub use dns_name::DnsName;
 
-#[allow(clippy::module_inception)]
 mod name;
 pub use name::{InvalidSubjectNameError, SubjectNameRef};
 
-pub mod ip_address;
+mod ip_address;
+pub use ip_address::{AddrParseError, IpAddrRef};
+
+#[cfg(feature = "alloc")]
+pub use ip_address::IpAddr;
 
 mod verify;
-pub(super) use verify::{check_name_constraints, verify_cert_dns_name, verify_cert_subject_name};
+pub(super) use verify::{check_name_constraints, verify_cert_subject_name};

src/verify_cert.rs

@@ -14,7 +14,7 @@
 
 use crate::{
     cert::{self, Cert, EndEntityOrCa},
-    der, name, signed_data, time, Error, SignatureAlgorithm, TrustAnchor,
+    der, signed_data, subject_name, time, Error, SignatureAlgorithm, TrustAnchor,
 };
 
 pub fn build_chain(
@@ -62,7 +62,7 @@ pub fn build_chain(
         let name_constraints = trust_anchor.name_constraints.map(untrusted::Input::from);
 
         untrusted::read_all_optional(name_constraints, Error::BadDER, |value| {
-            name::check_name_constraints(value, cert)
+            subject_name::check_name_constraints(value, cert)
         })?;
 
         let trust_anchor_spki = untrusted::Input::from(trust_anchor.spki);
@@ -106,7 +106,7 @@ pub fn build_chain(
         }
 
         untrusted::read_all_optional(potential_issuer.name_constraints, Error::BadDER, |value| {
-            name::check_name_constraints(value, cert)
+            subject_name::check_name_constraints(value, cert)
         })?;
 
         let next_sub_ca_count = match used_as_ca {

tests/integration.rs

@@ -74,9 +74,7 @@ pub fn cloudflare_dns() {
     );
 
     let check_name = |name: &str| {
-        let dns_name_ref = webpki::DnsNameRef::try_from_ascii_str(name).unwrap();
-        assert_eq!(Ok(()), cert.verify_is_valid_for_dns_name(dns_name_ref));
-        let subject_name_ref = webpki::SubjectNameRef::from(dns_name_ref);
+        let subject_name_ref = webpki::SubjectNameRef::try_from_ascii_str(name).unwrap();
         assert_eq!(
             Ok(()),
             cert.verify_is_valid_for_subject_name(subject_name_ref)