This patch extracts rfc822 names from a cert's distinguished name at the

time when the list of cert names is being built and builds a GeneralName
out of it, just as if the rfc822 name had come from a subject alt name
extension. This way, no special handling is needed of either directory
names or rfc822 names in the name constraints code.  The special "phase 1"
loop in cert_CompareNameWithConstraints disappears compmletely.  And all
the cases in the (former phase 2) loop can now simply assert that the
name's type matches the constraint's type exactly.

This patch also factors out the code that creates new CERTGeneralNames and
that copies a single CERTGeneralName into new separate functions.  This
eliminates a lot of duplicated code whose correctness required lengthy
inspection.  Now these primitive operations are centralized.