pki: honour enforce_hostnames=false for DNS SAN underscore characters

[SAY-5]

Description

The PKI API docs state that enforce_hostnames=false "allows non-hostnames in DNS SANs". In practice, GenerateCreationBundle ran every alt-name through idna (StrictDomainName=true) and then through wildHostnameRegex unconditionally, so a SAN containing an underscore was either:

• v1.20.3 and earlier: silently dropped from the issued certificate with no warning, or
• main: rejected with subject alternate name <name> is not a valid DNS name and cannot be included as a SAN.

Neither matches the documented behaviour.

Fix

When the role has enforce_hostnames=false, accept the SAN verbatim (or the idna-converted form that doesn't match the hostname regex) instead of failing. enforce_hostnames=true, the default, is unchanged.

Fixes

Fixes #31925

Checklist

• go build ./builtin/logical/pki/... green.
• gofmt clean.

Signed-off-by: SAY-5 SAY-5@users.noreply.github.com

[vercel]

@SAY-5 is attempting to deploy a commit to the HashiCorp Team on Vercel.

A member of the Team first needs to authorize it.

[hashicorp-cla-app]

Thank you for your submission! We require that all contributors sign our Contributor License Agreement ("CLA") before we can accept the contribution. Read and sign the agreement

Learn more about why HashiCorp requires a CLA and what the CLA includes

_{Have you signed the CLA already but the status is still pending? Recheck it.}

[hashicorp-cla-app]

Thank you for your submission! We require that all contributors sign our Contributor License Agreement ("CLA") before we can accept the contribution. Read and sign the agreement

Learn more about why HashiCorp requires a CLA and what the CLA includes

_{Have you signed the CLA already but the status is still pending? Recheck it.}

[heatherezell]

Please sign the CLA.