cashapp / certifikit

Kotlin Certificate processing library.
https://cashapp.github.io/certifikit/
Apache License 2.0

[feature] Certificate revocation checks to CLI #22

Open yschimke opened 4 years ago

yschimke commented 4 years ago

We can't practically implement in OkHttp, but this is exactly the sort of thing we should flag in the CLI, since browsers will fail these requests.

https://github.com/square/okhttp/issues/2348

yschimke commented 4 years ago
$ cft --output=tmp2 --host=www.google.com
$ openssl x509 -text -in tmp2/5ed6032ce36e0d50b54209a866d56ef8b3a1ea733039c3d016db034f565c1250.pem

        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                86:74:39:D9:85:27:15:59:CD:49:A4:76:27:60:A1:48:EB:41:FD:A2
            X509v3 Authority Key Identifier:
                keyid:98:D1:F8:6E:10:EB:CF:9B:EC:60:9F:18:90:1B:A0:EB:7D:09:FD:2B

            Authority Information Access:
                OCSP - URI:http://ocsp.pki.goog/gts1o1core
                CA Issuers - URI:http://pki.goog/gsr2/GTS1O1.crt

            X509v3 Subject Alternative Name:
                DNS:www.google.com
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.2
                Policy: 1.3.6.1.4.1.11129.2.5.3

            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://crl.pki.goog/GTS1O1core.crl

            1.3.6.1.4.1.11129.2.4.2: <- CT extension
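Added example, not part of this issue thread or the certifikit code base: a stdlib-only Python sketch of the first step a CLI revocation check needs, pulling the OCSP responder, CA Issuers and CRL Distribution Point URIs out of the Authority Information Access and CRL Distribution Points extension values like the ones in the dump above. The DER sample bytes are constructed by hand from the URIs in that dump; the `tlv` builder and tag constants are assumptions of this example.

```python
"""Locate revocation endpoints (OCSP responder, CA issuers, CRL DP) in X.509
extension values with a minimal DER walker. Stdlib only; samples are constructed."""

# accessMethod OIDs from RFC 5280 4.2.2.1, as DER-encoded OID contents
ACCESS_METHODS = {
    b"\x2b\x06\x01\x05\x05\x07\x30\x01": "ocsp",        # 1.3.6.1.5.5.7.48.1
    b"\x2b\x06\x01\x05\x05\x07\x30\x02": "ca_issuers",  # 1.3.6.1.5.5.7.48.2
}
TAG_SEQUENCE, TAG_OID, TAG_URI = 0x30, 0x06, 0x86  # 0x86 = [6] uniformResourceIdentifier

def der_read(buf, pos=0):
    """Decode one TLV at pos; return (tag, contents, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def der_children(contents):
    """Yield (tag, contents) for each TLV inside a constructed value."""
    pos = 0
    while pos < len(contents):
        tag, inner, pos = der_read(contents, pos)
        yield tag, inner

def parse_aia(ext_value):
    """AuthorityInfoAccess -> {'ocsp': uri, 'ca_issuers': uri}; unknown methods are skipped."""
    tag, seq, _ = der_read(ext_value)
    if tag != TAG_SEQUENCE:
        raise ValueError("AIA must be a SEQUENCE OF AccessDescription")
    found = {}
    for _, desc in der_children(seq):
        (oid_tag, oid), (loc_tag, loc) = list(der_children(desc))
        if oid_tag == TAG_OID and loc_tag == TAG_URI and oid in ACCESS_METHODS:
            found[ACCESS_METHODS[oid]] = loc.decode("ascii")
    return found

def parse_crl_dps(ext_value):
    """CRLDistributionPoints -> every URI GeneralName, at any nesting depth."""
    uris = []
    def walk(tag, contents):
        if tag == TAG_URI:
            uris.append(contents.decode("ascii"))
        elif tag & 0x20:                     # constructed: recurse into children
            for t, c in der_children(contents):
                walk(t, c)
    walk(*der_read(ext_value)[:2])
    return uris

def tlv(tag, payload):
    """Build a short-form DER TLV (all sample payloads are under 128 bytes)."""
    return bytes([tag, len(payload)]) + payload

# Constructed samples: AIA with OCSP + CA Issuers, and a CRL DP with one fullName URI
SAMPLE_AIA = tlv(0x30, tlv(0x30, tlv(0x06, b"\x2b\x06\x01\x05\x05\x07\x30\x01") + tlv(0x86, b"http://ocsp.pki.goog/gts1o1core"))
                   + tlv(0x30, tlv(0x06, b"\x2b\x06\x01\x05\x05\x07\x30\x02") + tlv(0x86, b"http://pki.goog/gsr2/GTS1O1.crt")))
SAMPLE_CRL_DP = tlv(0x30, tlv(0x30, tlv(0xA0, tlv(0xA0, tlv(0x86, b"http://crl.pki.goog/GTS1O1core.crl")))))
```

In a real check the extension values come from the parsed certificate (the OCSP responder URI is what an OCSP request is sent to, and the CRL DP URI is where the CRL is fetched), and a certificate with neither extension should be reported as unverifiable rather than silently passed.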
yschimke commented 4 years ago

OCSP spec - https://tools.ietf.org/html/rfc6960#page-5
Netty example - https://github.com/netty/netty/blob/bd8cea644a07890f5bada18ddff0a849b58cd861/example/src/main/java/io/netty/example/ocsp/OcspClientExample.java

yschimke commented 3 years ago

Playing around with this here https://github.com/cashapp/certifikit/pull/56