Description
d2i_X509 in OpenSSL and BoringSSL currently only parse the core Certificate ASN.1 structure. They leave syntax errors in extensions themselves to be noticed when you parse them. (In the general case, this is unavoidable since we don't know about all extensions.)
Alas, the OpenSSL API is atrocious. I have attempted to document the behavior in https://boringssl-review.googlesource.com/c/boringssl/+/43804/. Roughly we need to fix up all the X509_get_ext_d2i calls to check for errors as described in that CL. From there, we need to report it through the X509Certificate API. If the accessor can throw CertificateParsingException, that is the simplest. Some accessors, notably getBasicConstraints, cannot throw. Those we should probably check earlier. (I.e. prevent creating OpenSSLX509Certificates with invalid basicConstraints at all.)
(Separately, I'm considering making BoringSSL report a lot of these parse errors sooner, but we'll figure out what we want for Conscrypt when we get to it.)