Apply additional X509 validation checks on certificates sourced from trust store

[skmcgrail]

Description of changes:

Improves validation of certificates by also applying additional checks for certificates retrieved from the trust store. This aligns AWS-LC with OpenSSL 1.1.1 and later behavior.

Testing:

Add a root certificate that does not have the expected basicConstraints extension with the cA bit set to true. This certificate would be rejected by OpenSSL, but is currently allowed to be trusted by AWS-LC due to it being in the trust store.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.

[codecov-commenter]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 79.05%. Comparing base (50e6d59) to head (3642a97).
Report is 3 commits behind head on x509.

Additional details and impacted files

@@            Coverage Diff             @@
##             x509    #2230      +/-   ##
==========================================
- Coverage   79.05%   79.05%   -0.01%     
==========================================
  Files         612      612              
  Lines      106476   106515      +39     
  Branches    15051    15053       +2     
==========================================
+ Hits        84177    84207      +30     
- Misses      21646    21655       +9     
  Partials      653      653              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.