
fix(webauthn): validate rp.id as a registrable domain suffix (fix #187) #190

Merged: AlfioEmanueleFresta merged 4 commits into master from rpid-suffix-validation on May 12, 2026.

Conversation

@AlfioEmanueleFresta
Member

@AlfioEmanueleFresta AlfioEmanueleFresta commented May 9, 2026

Closes #187. Stacked on #188.

What

Replaces the strict-equality check between the JSON request's rp.id and the origin's effective domain with the spec-correct "registrable domain suffix of or equal to" relation from HTML §6.5 (referenced by WebAuthn L3 §5.1.3 step 7 and §5.1.7 step 9).

Net effect: rp.id = "example.org" now works against an origin of https://login.example.org, while rp.id = "co.uk" against https://example.co.uk is still correctly rejected because co.uk is a public suffix.

PSL strategy

Per the design discussion in #173 (libwebauthn should not bundle and manage its own PSL):

  • Adds a PublicSuffixList trait with sync registrable_domain / public_suffix methods.
  • Provides a DatFilePublicSuffixList impl that reads a Public Suffix List .dat file at construction time. from_system_file() reads the standard /usr/share/publicsuffix/public_suffix_list.dat, kept current by the system package manager.
  • No PSL data is bundled in the libwebauthn crate.
  • publicsuffix = "1.5". Same crate as #173 (Implement #160 Related Origins support (WebAuthn L3 § 5.11)), just used offline.

Plumbing into the parsing API

WebAuthnIDL::from_json and FromIdlModel::from_idl_model now take an additional psl: &dyn PublicSuffixList parameter. This is the simplest shape we discussed - explicit, no hidden state on RequestOrigin. Yes, it's another breaking signature change on top of #188; the 0.4.0 release is already breaking, so we eat the cost once.

Origin parsing (Origin::from_str, RequestOrigin::try_from) stays purely syntactic. PSL is only consulted at validation time.

Commits

  1. Add PublicSuffixList trait and DatFilePublicSuffixList impl.
  2. Use PublicSuffixList for the registrable-suffix check in from_idl_model.

Tests

  • Unit tests on the suffix-check helper using a small MockPublicSuffixList (recognises com, co.uk, org, net).
  • Unit tests on the mock itself.
  • 2 new positive integration tests on from_json for both MakeCredentialRequest and GetAssertionRequest: rp.id-as-parent-registrable-suffix accepted, rp.id-as-eTLD rejected.

Test plan

  • cargo build --workspace --all-targets --all-features
  • cargo fmt --all -- --check
  • cargo clippy --workspace --all-targets --all-features -- -D warnings
  • cargo test --workspace (151 tests)
  • cargo publish --dry-run -p libwebauthn
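The "registrable domain suffix of or equal to" relation the PR describes, written out as an added example that is not libwebauthn's own code. The `PublicSuffixList` trait and `MockPublicSuffixList` here are hypothetical, modelled on the description above, and the mock's rule list is constructed; the check follows the HTML §6.5 steps, including the label-boundary and IP-address cases that a plain string suffix test gets wrong.

```rust
use std::net::IpAddr;

/// Hypothetical trait shaped like the one the PR describes (not the crate's API).
pub trait PublicSuffixList {
    /// Public suffix of `host`, e.g. "co.uk" for "example.co.uk".
    fn public_suffix(&self, host: &str) -> Option<String>;
}

/// Constructed mock: a handful of exact rules, no wildcard/exception rules.
pub struct MockPublicSuffixList(pub &'static [&'static str]);

impl PublicSuffixList for MockPublicSuffixList {
    fn public_suffix(&self, host: &str) -> Option<String> {
        self.0
            .iter()
            .copied()
            // A rule matches only on a label boundary (equal, or preceded by ".").
            .filter(|r| host == *r || host.ends_with(&format!(".{r}")))
            // The PSL's longest-match rule.
            .max_by_key(|r| r.len())
            .map(str::to_string)
            // PSL default "*" rule: an unlisted TLD is its own public suffix.
            .or_else(|| host.rsplit('.').next().map(str::to_string))
    }
}

/// HTML §6.5: is `rp_id` a registrable domain suffix of, or equal to, `origin_host`?
pub fn is_registrable_domain_suffix_or_equal(
    psl: &dyn PublicSuffixList,
    rp_id: &str,
    origin_host: &str,
) -> bool {
    let suffix = rp_id.to_ascii_lowercase();
    let host = origin_host.to_ascii_lowercase();
    if suffix.is_empty() {
        return false; // step 1: empty suffix never matches
    }
    if suffix == host {
        return true; // step 3: exact equality is always accepted
    }
    if suffix.parse::<IpAddr>().is_ok() || host.parse::<IpAddr>().is_ok() {
        return false; // step 4: IP addresses are not domains, no suffix relation
    }
    if !host.ends_with(&format!(".{suffix}")) {
        return false; // step 5: must match at a label boundary ("ample.org" != "example.org")
    }
    // step 6: a bare public suffix such as "co.uk" may not be claimed as an rp.id
    psl.public_suffix(&suffix).as_deref() != Some(suffix.as_str())
}
```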

@AlfioEmanueleFresta AlfioEmanueleFresta marked this pull request as ready for review May 9, 2026 01:14
@AlfioEmanueleFresta AlfioEmanueleFresta requested review from iinuwa and msirringhaus and removed request for msirringhaus May 9, 2026 01:14
Collaborator

@msirringhaus msirringhaus left a comment


LGTM overall!
We might want to add a note to the README that the publicsuffix-package is needed on the system during runtime?

Base automatically changed from origin-parsing to master May 12, 2026 17:02
@AlfioEmanueleFresta
Member Author

Thanks @msirringhaus! Updated README.

I also opened #210 because it seems that Fedora comes with the PSL in DAFSA file format (binary) by default, not plaintext. Debian should be fine as is. Adding an extra parser shouldn't be much work.

@AlfioEmanueleFresta AlfioEmanueleFresta merged commit a6f60bf into master May 12, 2026
4 checks passed
@AlfioEmanueleFresta AlfioEmanueleFresta deleted the rpid-suffix-validation branch May 12, 2026 17:46

Development

Successfully merging this pull request may close these issues.

Validate rp.id as a registrable suffix of the origin's effective domain
