Allow to serialize extension values as DER bytes strings

[felixfontein]

This is another try to implement #5002 (Support for getting ASN.1 value for parsed extensions).

It uses the existing backend function _create_x509_extension() to convert a extension created for this extension value to an OpenSSL extension, and then uses the same code as in

cryptography/src/cryptography/hazmat/backends/openssl/decode_asn1.py

Lines 239 to 242 in 70ccc25

	data = self._backend._lib.X509_EXTENSION_get_data(ext)
	self._backend.openssl_assert(data != self._backend._ffi.NULL)
	der = self._backend._ffi.buffer(data.data, data.length)[:]
	unrecognized = x509.UnrecognizedExtension(oid, der)

to extract the extension's value. As a handler map it uses the union of all handler maps in encode_asn1.py (I checked that the same OID in different mappings are mapped to the same function, in case someone wonders).

If the general approach looks good, I can add documentation and tests.

[reaperhulk]

We're going to convert X509 encoding to Rust next so I'd prefer to tackle this after we do that conversion. With the rust code we can just call asn1::write_single to serialize to DER so implementing this would be very simple.

[felixfontein]

@reaperhulk @alex I've reworked this PR to use the Rust code to serialize the extension values (and falls back to Python+OpenSSL for the ones not yet supported by the Rust code). Does the approach look sensible / acceptable? (I've added in the comments what needs to be updated once all extensions are serialized by Rust code.)

[felixfontein]

I've rebased and added a last test to reach 100% coverage after #6439 was merged. This is now ready for review.

[reaperhulk]

This PR took advantage of a window where we had exposed public methods for extension encoding. Those are now gone as we completed our x509 conversion. However, we can add methods back, we should just scope them to doing exactly what this method requires. It seems like what you really want is a single rust method encode_extension that takes an ExtensionType and returns the encoded bytes without regard to whether they're a CSR, cert, CRL, CRL entry, or OCSP extension?

I also think the name here should probably be public_bytes (which matches our DER serialization on Name as well).

[felixfontein]

@reaperhulk thanks for the feedback! I've renamed it to public_bytes as you suggested, and added a rust function x509::common::encode_extension_value (its code inspired by encode_extensions above it), and it seems to work fine. This is the first Rust code I've written in some years now, so hopefully it is not too horrible :)

The failing CI check seems to be unrelated to this PR (or there is something very strange going on I don't understand...).

[reaperhulk]

also have a changelog conflict

[felixfontein]

Rebased on top of #6571.

[felixfontein]

Rebased after #6571 was merged, and CI is green on the first try 🎉

[reaperhulk]

approving even though our serialization for KU needs to properly account for unused bits because this code will improve testing for the fix.

[felixfontein]

@reaperhulk @alex thanks a lot for reviewing and merging!