Reintroduce support for SubjectAlternativeName::dir_name

[mqqz]

Background

SubjectAlternativeName::dir_name has been deprecated since v0.10.48 by this commit to patch an arbitrary read file vulnerability.

Fixed injection vulnerabilities where OpenSSL's configuration mini-language could be used via x509::extension::SubjectAlternativeName and x509::extension::ExtendedKeyUsage. The mini-language can read arbitrary files amongst other things.
As part of fixing this SubjectAlternativeName::dir_name and SubjectAlternativeName::other_name are deprecated and their implementations always panic!. If you have a use case for these, please file an issue.

Use Case

... and unfortunately, I find myself in a place where I need to use dir_name. Namely, I need to generate CSRs that match a government spec which requires a SubjectAlternativeName of type DirectoryName (see section 2.2.2 if you care).

Fix

Support for other_name has been since reintroduced with issue #1911 and PR #1915 (by adding new other_name2), so we could do something similar to make dir_name compatible with the new internals i.e.

• Add SubjectAlternativeName::dir_name2(X509Name) in openssl/src/x509/extension.rs
  • Internally constructs a GENERAL_NAME with type GEN_DIRNAME via GeneralName::new_dir_name()

Hopefully, by using a pre-constructed X509Name argument, no config language and no arbitrary file reads.

Optionally, we could add support for GENERAL_NAME_set1_X509_NAME for OpenSSL 3.4+.

---

I will open a PR soon that implements this fix, or at minimum provides a working proof-of-concept to guide the proper implementation.