```rust
pub fn validate_pop_linking(
    auth: &AuthResult,
    csr_subject: &str,
) -> Result<(), String>
```
Validate that the mTLS client certificate identity matches the CSR subject.

RFC 7030 §3.5 (Proof-of-Possession): for `/simplereenroll`, the TLS client certificate subject MUST match the CSR subject to prove the client possesses the private key corresponding to the certificate being renewed.
Identity matching follows RFC 6125:
- Section 6.4.4: if the client certificate has SANs, the identity is matched against SANs exclusively (CN is ignored).
- Section 6.4.3: wildcard matching rules apply to dNSName SANs.
- Section 6.4.1: comparison is case-insensitive for DNS names.
For subject DN comparison (when SANs are absent), the DNs are canonicalized (trimmed, lowercased) before comparison.
Returns `Ok(())` if the subjects match, `Err` with a description if not.
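The matching rules above, carried through as an added example that is not this crate's implementation: `AuthResult` is a hypothetical stand-in struct holding the client certificate's subject DN and its dNSName SANs, and `csr_subject` is assumed to be a DNS identity when SANs are present and a subject DN otherwise. The wildcard branch also refuses over-broad patterns such as `*.com`, which goes slightly beyond the rules listed on the page.

```rust
/// Hypothetical stand-in for the page's `AuthResult` (constructed for this example):
/// the identity extracted from the mTLS client certificate.
pub struct AuthResult {
    pub subject_dn: String,
    pub dns_sans: Vec<String>,
}

/// DN canonicalization as the page describes it: each RDN trimmed and lowercased.
fn canonical_dn(dn: &str) -> String {
    dn.split(',').map(|rdn| rdn.trim().to_ascii_lowercase()).collect::<Vec<_>>().join(",")
}

/// RFC 6125 §6.4.1/§6.4.3: case-insensitive dNSName match; a wildcard is only
/// accepted as the whole left-most label and matches exactly one label, so
/// "*.example.com" matches "a.example.com" but not "a.b.example.com" or "example.com".
fn dns_name_matches(san: &str, name: &str) -> bool {
    let (san, name) = (san.to_ascii_lowercase(), name.to_ascii_lowercase());
    let Some(suffix) = san.strip_prefix("*.") else { return san == name };
    // Refuse over-broad wildcards such as "*.com" (fewer than two labels after "*.").
    if !suffix.contains('.') {
        return false;
    }
    match name.strip_suffix(&format!(".{suffix}")) {
        Some(first) => !first.is_empty() && !first.contains('.'),
        None => false,
    }
}

/// RFC 7030 §3.5 linking check for /simplereenroll. If the client certificate
/// carries dNSName SANs, `csr_subject` is taken as the DNS identity requested in
/// the CSR and must match a SAN (CN ignored, RFC 6125 §6.4.4); otherwise the
/// subject DNs are compared after canonicalization.
pub fn validate_pop_linking(auth: &AuthResult, csr_subject: &str) -> Result<(), String> {
    if !auth.dns_sans.is_empty() {
        return if auth.dns_sans.iter().any(|san| dns_name_matches(san, csr_subject)) {
            Ok(())
        } else {
            Err(format!("CSR identity {csr_subject:?} matches none of the client cert SANs {:?}", auth.dns_sans))
        };
    }
    if canonical_dn(&auth.subject_dn) == canonical_dn(csr_subject) {
        Ok(())
    } else {
        Err(format!("client cert subject {:?} does not match CSR subject {csr_subject:?}", auth.subject_dn))
    }
}
```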