
Implement directoryName constraint validation #489

Open
sfackler wants to merge 1 commit into rustls:main from sfackler:dn-constraints

@sfackler

A few notes:

  • This intentionally does not fully implement the requirements from RFC 5280, following BoringSSL's lead. In particular, "conforming implementations MUST use the LDAP StringPrep profile" which none of OpenSSL, BoringSSL, or this PR do. Instead, we implement a loose "ascii flavor" of the StringPrep profile with whitespace folding and case-insensitive comparison. We could add a full StringPrep implementation, but it would add a bunch of extra complexity and some very large Unicode tables. Given how obscure DN constraints are, I feel like BoringSSL/OpenSSL's approach makes more sense. I also assume that their decision has probably forced the hand of every issuer to not rely on full Unicode normalization.
  • There's a bit of awkwardness in subject_name/mod.rs due to the differing encodings of the DNs - it is directly represented as an RDNSequence in the certificate Subject, but is encoded in EXPLICIT form elsewhere. This currently results in separate functions to handle those two validation cases. If you wanted, the cleanest way to combine those back to one is probably to strip the EXPLICIT wrapper in GeneralName::from_der.
  • The implementation of rdn_eq is an O(n^2) nested loop around the two sets of AVAs. This mirrors the overall approach taken in BoringSSL, though the one here is implemented with fixed size buffers and a bitmask rather than vectors to keep everything no-std.

Depends on rustls/rcgen#429, so I have a Cargo patch for rcgen until a new release gets cut.

Closes #19
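
The loose comparison and the bitmask-based `rdn_eq` described in the PR description above, as an added sketch; it is not the PR's code, which this page does not show. The names `Ava`, `value_eq`, `rdn_eq`, `TooManyAvas` and the 32-AVA cap are assumptions, as is the premise that attribute values arrive as bytes in one common encoding.

```rust
// Added sketch, not the PR's code: every name here is hypothetical.
// Only `core` APIs (slices, iterators) are used, so no allocator is needed.

/// One AttributeTypeAndValue: raw OID bytes plus the string value's bytes.
#[derive(Clone, Copy)]
pub struct Ava<'a> { pub oid: &'a [u8], pub value: &'a [u8] }

#[derive(Debug, PartialEq)]
pub struct TooManyAvas;

const MAX_AVAS: usize = 32; // one bit per AVA in the `used` mask below

/// "ASCII flavor" comparison: leading/trailing ASCII whitespace is ignored,
/// inner runs count as one separator, and A-Z/a-z compare equal.
/// Non-ASCII bytes must match exactly (no Unicode normalization).
pub fn value_eq(a: &[u8], b: &[u8]) -> bool {
    let mut wa = a.split(|c| c.is_ascii_whitespace()).filter(|w| !w.is_empty());
    let mut wb = b.split(|c| c.is_ascii_whitespace()).filter(|w| !w.is_empty());
    loop {
        match (wa.next(), wb.next()) {
            (None, None) => return true,
            (Some(x), Some(y)) if x.eq_ignore_ascii_case(y) => {}
            _ => return false,
        }
    }
}

/// Set equality of two RDNs: every AVA in `a` must pair with a distinct,
/// not yet used AVA in `b`. Oversized input is an error, not `false`:
/// "no match" would let a name slip past an excluded-subtree check.
pub fn rdn_eq(a: &[Ava<'_>], b: &[Ava<'_>]) -> Result<bool, TooManyAvas> {
    if a.len() > MAX_AVAS || b.len() > MAX_AVAS {
        return Err(TooManyAvas);
    }
    if a.len() != b.len() {
        return Ok(false);
    }
    let mut used: u32 = 0; // bit i set => b[i] already paired
    'next: for x in a {
        for (i, y) in b.iter().enumerate() {
            if used & (1u32 << i) == 0 && x.oid == y.oid && value_eq(x.value, y.value) {
                used |= 1u32 << i;
                continue 'next;
            }
        }
        return Ok(false);
    }
    Ok(true)
}
```

Greedy pairing is sufficient here because the match predicate is an equivalence relation, so any unused member of the same class is interchangeable.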

@codecov

codecov Bot commented May 10, 2026

Codecov Report

❌ Patch coverage is 97.44136% with 12 lines in your changes missing coverage. Please review.
✅ Project coverage is 97.05%. Comparing base (0fe5e6c) to head (8bb3a0d).

Files with missing lines              Patch %   Lines
src/subject_name/directory_name.rs    98.15%    7 Missing ⚠️
src/der.rs                            0.00%     3 Missing ⚠️
src/subject_name/mod.rs               97.70%    2 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main     #489      +/-   ##
==========================================
+ Coverage   97.01%   97.05%   +0.04%     
==========================================
  Files          20       21       +1     
  Lines        3950     4379     +429     
==========================================
+ Hits         3832     4250     +418     
- Misses        118      129      +11     

@djc
Member

djc commented May 10, 2026

What's your use case for this?

@sfackler
Author

I am unfortunately trying to deal with a (privately issued) cert issued by an intermediate with DN constraints.


Development

Successfully merging this pull request may close these issues.

Complete and correct support for directoryName constraints
