Test chain via issuer address when present

[bedinotti]

This change is a little more complicated than I thought, mostly to retain backwards compatibility with validation back to v1.1 certificates. It also exposed that I was handling the verify data wrong in v2.0a+ certificates.

So! This PR does a few things:

• Introduces a publicKey property on Verify objects. This will be the key itself, rather than a URL to go fetch the key from
• In v2.0a and v2.0 certificates, we read creator and publicKey fields as a key, rather than as a URL. This went uncaught because technically ecdsa-koblitz-pubkey:mtr98kany9G1XYNU74pRnfBQmaCg2FZLmc parses as a valid URL. Who knew?
• Updated the tests to reflect that additional property and to make sure we're parsing that section correctly.
• In CertificateValidationRequest, we check the issuer's chain before the recipient's. This was refactored to be a bit more readable.

[bedinotti]

Oh! A consequence of this is that we're not checking the issuer's address in pre-v2.0a certificates. This should be fine, since for all of those certificates, you should only have been able to issue to the chain you're on. In other words, we only introduced the ability to issue a testnet cert to a main net address while developing 2.0.