Add valid_uri_names() method to Cert

Returns an iterator over URI names from the subject alternative names
extension, following the same pattern as valid_dns_names().

refs #9

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Author: 2 people

src/cert.rs

@@ -173,6 +173,23 @@ impl<'a> Cert<'a> {
         })
     }
 
+    /// Returns a list of valid URI names provided in the subject alternative names extension
+    ///
+    /// This function returns URIs as strings without performing validation beyond checking that
+    /// they are valid UTF-8.
+    pub fn valid_uri_names(&self) -> impl Iterator<Item = &str> {
+        NameIterator::new(self.subject_alt_name).filter_map(|result| {
+            let presented_id = match result.ok()? {
+                GeneralName::UniformResourceIdentifier(presented) => presented,
+                _ => return None,
+            };
+
+            // if the URI can be converted to a valid UTF-8 string, return it; otherwise,
+            // keep going.
+            core::str::from_utf8(presented_id.as_slice_less_safe()).ok()
+        })
+    }
+
     /// Raw certificate serial number.
     ///
     /// This is in big-endian byte order, in twos-complement encoding.

tests/integration.rs

@@ -345,6 +345,41 @@ fn no_subject_alt_names() {
     expect_cert_dns_names(include_bytes!("misc/no_subject_alternative_name.der"), [])
 }
 
+#[test]
+fn list_uri_names() {
+    expect_cert_uri_names(
+        include_bytes!("misc/uri_san_ee.der"),
+        [
+            "https://example.com",
+            "https://www.example.com/path",
+            "spiffe://example.org/service",
+        ],
+    );
+}
+
+#[test]
+fn no_uri_names() {
+    expect_cert_uri_names(include_bytes!("misc/no_subject_alternative_name.der"), [])
+}
+
+#[test]
+fn mixed_san_types() {
+    // The uri_san_ee.der certificate has both DNS and URI SANs
+    let der = CertificateDer::from(&include_bytes!("misc/uri_san_ee.der")[..]);
+    let cert = webpki::EndEntityCert::try_from(&der)
+        .expect("should parse end entity certificate correctly");
+
+    // Verify it has the DNS name
+    assert!(cert.valid_dns_names().eq(["example.com"]));
+
+    // Verify it has the URI names
+    assert!(cert.valid_uri_names().eq([
+        "https://example.com",
+        "https://www.example.com/path",
+        "spiffe://example.org/service",
+    ]));
+}
+
 fn expect_cert_dns_names<'name>(
     cert_der: &[u8],
     expected_names: impl IntoIterator<Item = &'name str>,
@@ -356,6 +391,17 @@ fn expect_cert_dns_names<'name>(
     assert!(cert.valid_dns_names().eq(expected_names))
 }
 
+fn expect_cert_uri_names<'name>(
+    cert_der: &[u8],
+    expected_uris: impl IntoIterator<Item = &'name str>,
+) {
+    let der = CertificateDer::from(cert_der);
+    let cert = webpki::EndEntityCert::try_from(&der)
+        .expect("should parse end entity certificate correctly");
+
+    assert!(cert.valid_uri_names().eq(expected_uris))
+}
+
 #[cfg(feature = "alloc")]
 #[test]
 fn cert_time_validity() {