webpki does not validate certificates with name constraints

[olix0r]

We (Linkerd) have recently noticed a bug (linkerd/linkerd2#9299) that prevents webpki from validating certificates that include name constraints. We can probably produce a smaller reproduction outside of Linkerd, but our testing indicates that this applies to any certificate issued by a CA that uses name constraints. https://github.com/briansmith/webpki/issues/20 suggests that this issue has existed for quite a while.

Last year, the folks at Deno ran into this issue (denoland/deno#10312) and @bnoordhuis kindly put together a PR (briansmith/webpki#226). We have not yet confirmed that this PR fixes the bugs that we encountered, but it would be great to find a path forward for name constraint support.

[hawkw]

It looks like simply opening @bnoordhuis' change against this fork is blocked on an upstream change to ring (briansmith/webpki#226 (comment)) which looks like it may not be going to happen (briansmith/ring#1265).

It's possible there's an alternative solution that doesn't require ring changes?

[bnoordhuis]

I've opened #7. It copies a few bits from ring. Not great but the least worst solution I could come up with.

[hawkw]

Thanks!