tests: add name constraints integration test.

[cpu]

This is a follow up to https://github.com/rustls/webpki-roots/pull/39 that adds a basic integration test for trust anchors in webpki-roots with name constraints.

The general idea is that for each name constraints extension we:

• parse the name constraints with x509-parser, verifying that the encoding is well formed and contains something approximating what we expect (e.g. at least one permitted subtree, no excluded subtrees).
• convert the name constraints into the form rcgen expects for certificate generation parameters.
• issue our own trust anchor CA certificate with the name constraints from the webpki trust anchor.
• for each permitted subtree base dns name in the name constraints we use our generated CA to issue end entity certificates that will be permitted, and rejected by the name constraints.
• we then translate our issued CA back to a webpki trust anchor, and use webpki to verify each of the permitted and rejected end entity certificates, asserting the result matches what we expect for the name constraint.

Checking out v0.25.1 and backporting this test identifies a problem with the KamuSM root name constraint, finding no subtrees after parsing:

running 1 test
test name_constraints ... FAILED

failures:

---- name_constraints stdout ----
thread 'name_constraints' panicked at 'empty permitted subtrees in constraints', tests/verify.rs:142:5

With the fix from https://github.com/rustls/webpki-roots/pull/39 the test passes.

[cpu]

cpu force-pushed the cpu-name-constraint-integration-tests branch from d817342 to 99c5e77

Sorry for the force pushes. Just tidying up small things (stale comments, bad var names, etc) I noticed reviewing this after opening the PR. All done now.

[cpu]

Going to merge this w/ one review since it's only test code. Thanks!