Close #90, #361: Name Constraints (RFC5280 section 4.2.1.10)

Conversion of name constraints from certificate to Template
(Advanced Tab) and using them from there was working since long.

Now there is an additional input line, like (and next to)
SubjectAlternativeName with live validation and edit button
with guided input.

The conversion from cert to template now puts the extension
into the correct LineEdit and not on the Advanced Tab anymore.

However, XCA does NOT follow the constraints, yet.
It is still possible to issue certificates with arbitrary
names, independent of any "Name Constraints" in the CA.

This is what issue #239 asks for.

Author: chris2511

lib/func_base.cpp

@@ -244,6 +244,7 @@ D[NID_pkcs9_unstructuredName] = QObject::tr("Unstructured name");
 D[NID_pkcs9_challengePassword] = QObject::tr("Challenge password");
 
 D[NID_basic_constraints] = QObject::tr("Basic Constraints");
+D[NID_name_constraints] = QObject::tr("Name Constraints");
 D[NID_subject_alt_name] = QObject::tr("Subject alternative name");
 D[NID_issuer_alt_name] = QObject::tr("issuer alternative name");
 D[NID_subject_key_identifier] = QObject::tr("Subject key identifier");

lib/pki_temp.cpp

@@ -58,6 +58,7 @@ namespace db {
 };
 
 const QList<QString> pki_temp::tmpl_keys = {
+	"nameCons",
 	"subAltName",
 	"issAltName",
 	"crlDist",
@@ -223,6 +224,7 @@ extList pki_temp::fromCert(pki_x509super *cert_or_req)
 			xname.addEntryByNid(nid, n.getEntry(i));
 	}
 
+	fromExtList(&el, NID_name_constraints, "nameCons");
 	fromExtList(&el, NID_subject_alt_name, "subAltName");
 	fromExtList(&el, NID_issuer_alt_name, "issAltName");
 	fromExtList(&el, NID_crl_distribution_points, "crlDist");

lib/x509v3ext.cpp

@@ -924,7 +924,7 @@ static bool nameConstraint(STACK_OF(GENERAL_SUBTREE) *trees,
 	return true;
 }
 
-bool x509v3ext::parse_nameConstraints(QString *, QString *adv) const
+bool x509v3ext::parse_nameConstraints(QString *single, QString *adv) const
 {
 	bool retval = true;
 	QString sect, ret;
@@ -947,11 +947,14 @@ bool x509v3ext::parse_nameConstraints(QString *, QString *adv) const
 	if (ret.size() > 0)
 		permEx << ret;
 
-	if (adv && retval &&permEx.size() > 0) {
+	if (retval && permEx.size() > 0) {
 		ret = permEx.join(", ");
-		qDebug("%s %d '%s'\n", __func__, retval, CCHAR(ret));
-		*adv = QString("%1=%2\n").arg(tag).
-			arg(parse_critical() +ret) + *adv + sect;
+		qDebug() << retval << ret;
+		if (single)
+			*single = ret;
+		else if (adv)
+			*adv = QString("%1=%2\n").arg(tag).
+				arg(parse_critical() +ret) + *adv + sect;
 	}
 	NAME_CONSTRAINTS_free(cons);
 	return retval;