Add lint to check for email addresses in Subject but not in SAN (prohibited by RFC 5280 section 4.1.2.6)

[defacto64]

Reflecting on a recent incident, I realized that ZLint doesn't detect violations of RFC 5280 section 4.1.2.6 regarding email addresses:

Conforming implementations generating new certificates with electronic mail addresses MUST use the rfc822Name in the subject alternative name extension (Section 4.2.1.6) to describe such identities.

Therefore, if a certificate contains an email address in the Subject field (which is deprecated, but not strictly prohibited), the same email address MUST also be present in the SAN extension.

One might think this issue only affects S/MIME certificates, but that's not the case: there are in fact quite a few TLS Server certificates out there that contain email addresses -- even trusted and recently issued ones.

It's one thing the presence of an email inside the SAN (this is forbidden by the CABF BRs for TLS Server certificates, and there's already a lint that checks for this); it's another thing the presence of an email outside the SAN that is not also in the SAN: this is forbidden, for any type of certificate, by RFC 5280 (actually since RFC 2459), and that's what the lint proposed here is about.

[defacto64]

It looks like I got an unexpected HTTP error in the integration test that should be fixable by redoing it, but I don't think I can do that myself...

[christopher-henderson]

Thank you! And yes, the integration test had a bit of flakiness there - thank you for your patience.

[christopher-henderson]

I was a bit skeptical of this, but it is not unprecedented to have a requirement that is (relatively) violated by the a chunk of the corpus.