It looks like this discussion was started in #64 but the use case went a different direction.
I need a way to get the DNS names from a certificate. The use case is this:
I'm using TLS over a custom protocol (not HTTPS, H2, etc.). I have a bunch of devices in the field (think IoT devices).
Using a shared (self-signed, at this point) CA, I want to be able to generate a client certificate and give it to a specific client. So for example, the CN and first SAN DNSName could be aea9705e-ff4b-4ed5-b407-437161421222 (or I could store this in whatever field is appropriate). The client would use this certificate when connecting to the server.
On the server, I don't necessarily have a complete list of clients (or if I do, it would be a large list). Instead, I want to be able to validate that my trusted CA signed the client certificate (already happens with rustls::AllowAnyAuthenticatedClient). Once I know that the certificate is valid (because it was signed by my specific CA), I want to be able to get the client ID out of the certificate, so I know which client this is.
Currently, neither verify_is_valid_for_dns_name nor verify_is_valid_for_at_least_one_dns_name works, because I don't know the name in advance; I'd like to discover the name.
Is there an API that can be developed that can support this? It looks like #65 started down this direction but appears to have stalled and is currently active, so I guess this is just an encouragement issue.
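An added example of the server-side step described above: reading the client ID out of the SubjectAltName after the chain has already been verified. This is example code written for this thread, not webpki's or rustls' API, and the DER input is constructed inside the block rather than taken from a real device certificate. It assumes the CA check has already happened (the rustls::AllowAnyAuthenticatedClient step above) and that the caller hands over the certificate's DER `Extensions` block; it walks that block, finds subjectAltName (OID 2.5.29.17), skips other extensions and the optional `critical` flag, and returns the dNSName entries. The names `read_tlv`, `san_dns_names`, `client_id_from_san`, `tlv` and `sample_extensions` are all assumptions of this example.

```rust
// Added example for the use case in this issue; not webpki or rustls code.
// Assumption: the client certificate chain has ALREADY been verified against the
// trusted CA. This code only reads SubjectAltName dNSName entries out of the
// certificate's DER `Extensions` block; it proves nothing about who sent it.

/// OID 2.5.29.17 (id-ce-subjectAltName), DER-encoded contents.
const OID_SUBJECT_ALT_NAME: &[u8] = &[0x55, 0x1d, 0x11];

/// Decode one DER TLV at `pos`: (tag, value, offset just past the value).
/// None on truncation or on lengths DER forbids (indefinite, more than 4 bytes).
fn read_tlv(der: &[u8], pos: usize) -> Option<(u8, &[u8], usize)> {
    let tag = *der.get(pos)?;
    let first = *der.get(pos + 1)?;
    let (len, header) = if first < 0x80 {
        (usize::from(first), 2)
    } else {
        let n = usize::from(first & 0x7f);
        if n == 0 || n > 4 {
            return None;
        }
        let mut len = 0usize;
        for i in 0..n {
            len = (len << 8) | usize::from(*der.get(pos + 2 + i)?);
        }
        (len, 2 + n)
    };
    let start = pos + header;
    let end = start.checked_add(len)?;
    if end > der.len() {
        return None;
    }
    Some((tag, &der[start..end], end))
}

/// Walk `Extensions ::= SEQUENCE OF Extension`, locate subjectAltName and return
/// every dNSName ([2] IMPLICIT IA5String) in order. Some(empty) when no SAN exists.
fn san_dns_names(extensions: &[u8]) -> Option<Vec<String>> {
    let (tag, list, _) = read_tlv(extensions, 0)?;
    if tag != 0x30 {
        return None;
    }
    let mut pos = 0;
    while pos < list.len() {
        let (tag, ext, next) = read_tlv(list, pos)?;
        if tag != 0x30 {
            return None;
        }
        pos = next;
        let (oid_tag, oid, after_oid) = read_tlv(ext, 0)?;
        if oid_tag != 0x06 || oid != OID_SUBJECT_ALT_NAME {
            continue; // some other extension, e.g. keyUsage
        }
        // Extension ::= SEQUENCE { extnID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }
        let (t, value, after_critical) = read_tlv(ext, after_oid)?;
        let (t, value) = if t == 0x01 {
            let (t2, v2, _) = read_tlv(ext, after_critical)?;
            (t2, v2)
        } else {
            (t, value)
        };
        if t != 0x04 {
            return None;
        }
        let (gn_tag, names, _) = read_tlv(value, 0)?;
        if gn_tag != 0x30 {
            return None;
        }
        let mut out = Vec::new();
        let mut p = 0;
        while p < names.len() {
            let (name_tag, name, next) = read_tlv(names, p)?;
            p = next;
            if name_tag == 0x82 {
                // IA5String must be ASCII; anything else is malformed, not a name.
                if !name.is_ascii() {
                    return None;
                }
                out.push(String::from_utf8(name.to_vec()).ok()?);
            }
        }
        return Some(out);
    }
    Some(Vec::new())
}

/// The client ID the server wants: the first SAN dNSName, if any.
fn client_id_from_san(extensions: &[u8]) -> Option<String> {
    san_dns_names(extensions)?.into_iter().next()
}

/// Encode one DER TLV (short and two long-form lengths; enough for this sample).
fn tlv(tag: u8, content: &[u8]) -> Vec<u8> {
    let mut out = vec![tag];
    let len = content.len();
    if len < 0x80 {
        out.push(len as u8);
    } else if len < 0x100 {
        out.extend_from_slice(&[0x81, len as u8]);
    } else {
        out.extend_from_slice(&[0x82, (len >> 8) as u8, len as u8]);
    }
    out.extend_from_slice(content);
    out
}

/// CONSTRUCTED sample (not a real device certificate): a critical keyUsage
/// extension followed by a subjectAltName carrying two dNSNames.
fn sample_extensions() -> Vec<u8> {
    let key_usage = tlv(0x30, &[
        tlv(0x06, &[0x55, 0x1d, 0x0f]),       // 2.5.29.15 keyUsage
        tlv(0x01, &[0xff]),                   // critical TRUE
        tlv(0x04, &tlv(0x03, &[0x07, 0x80])), // BIT STRING digitalSignature
    ].concat());
    let general_names = [
        tlv(0x82, b"aea9705e-ff4b-4ed5-b407-437161421222"),
        tlv(0x82, b"sensor.example"),
    ].concat();
    let san = tlv(0x30, &[
        tlv(0x06, OID_SUBJECT_ALT_NAME),
        tlv(0x04, &tlv(0x30, &general_names)),
    ].concat());
    tlv(0x30, &[key_usage, san].concat())
}

fn main() {
    let ext = sample_extensions();
    match client_id_from_san(&ext) {
        Some(id) => println!("client id: {}", id),
        None => println!("no SAN dNSName present"),
    }
    println!("all SAN dNSNames: {:?}", san_dns_names(&ext));
}
```

The name read here is only as trustworthy as the CA signature that the earlier rustls::AllowAnyAuthenticatedClient step established; the parser itself adds no authentication. Rejecting indefinite or oversized lengths and non-ASCII IA5String bytes keeps malformed extension data from being reported as a client ID.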