update-ocsp: refactor validation, check cert life
The functional highlights here are:
- We now ask openssl for the text output in the same command that
stores the binary response to disk.
- Command executions split stderr and stdout for easier parsing.
- OpenSSL stderr is parsed for an explicit "Response verify OK"
rather than relying solely on an exit status of zero.
- OCSP Windows are checked from the initial text output, rather
than as a second command reading from the stored binary response.
- The signing cert's validity is checked, causing failure if:
- "Not Before" > 60s in the future
- "Not After" < 1h in the future
- "Not After" earlier than any OCSP Window end time (which is usually 12h in the future)
certs_fetch_ocsp() is now an overlong function that's not ideally
factored, but we'll deal with this in the rewrite as a daemon in
ticket T93927, as many details about the handling of date windows
will change in that model anyways.