stir_shaken: CRL fixes and a new CLI command

* Fixed a bug in crypto_show_cli_store that was causing asterisk
to crash if there were certificate revocation lists in the
verification certificate store.  We're also now prefixing
certificates with "Cert:" and CRLs with "CRL:" to distinguish them
in the list.

* Added 'untrusted_cert_file' and 'untrusted_cert_path' options
to both verification and profile objects.  If you have CRLs that
are signed by a different CA than the incoming X5U certificate
(indirect CRL), you'll need to provide the certificate of the
CRL signer here.  Thse will show up as 'Untrusted" when showing
the verification or profile objects.

* Fixed loading of crl_path.  The OpenSSL API we were using to
load CRLs won't actually load them from a directory, only a file.
We now scan the directory ourselves and load the files one-by-one.

* Fixed the verification flags being set on the certificate store.
  - Removed the CRL_CHECK_ALL flag as this was causing all certificates
    to be checked for CRL extensions and failing to verify the cert if
    there was none.  This basically caused all certs to fail when a CRL
    was provided via crl_file or crl_path.
  - Added the EXTENDED_CRL_SUPPORT flag as it is required to handle
    indirect CRLs.

* Added a new CLI command...
`stir_shaken verify certificate_file <certificate_file> [ <profile> ]`
which will assist troubleshooting certificate problems by allowing
the user to manually verify a certificate file against either the
global verification certificate store or the store for a specific
profile.

* Updated the XML documentation and the sample config file.

Resolves: #809

res/res_stir_shaken/crypto_utils.h

@@ -82,6 +82,15 @@ ASN1_OCTET_STRING *crypto_get_cert_extension_data(X509 *cert, int nid,
  */
 X509 *crypto_load_cert_from_file(const char *filename);
 
+/*!
+ * \brief Load an X509 CRL from a PEM file
+ *
+ * \param filename PEM file
+ *
+ * \returns X509_CRL* or NULL on error
+ */
+X509_CRL *crypto_load_crl_from_file(const char *filename);
+
 /*!
  * \brief Load a private key from memory
  *
@@ -168,7 +177,13 @@ EVP_PKEY *crypto_load_privkey_from_file(const char *filename);
  * \brief ao2 object wrapper for X509_STORE that provides locking and refcounting
  */
 struct crypto_cert_store {
-	X509_STORE *store;
+	X509_STORE *certs;
+	X509_STORE *crls;
+	/*!< The verification context needs a stack of CRLs, not the store */
+	STACK_OF(X509_CRL) *crl_stack;
+	X509_STORE *untrusted;
+	/*!< The verification context needs a stack of untrusted certs, not the store */
+	STACK_OF(X509) *untrusted_stack;
 };
 
 /*!
@@ -211,6 +226,36 @@ int crypto_show_cli_store(struct crypto_cert_store *store, int fd);
 int crypto_load_cert_store(struct crypto_cert_store *store, const char *file,
 	const char *path);
 
+/*!
+ * \brief Load an X509 Store with certificate revocation lists
+ *
+ * \param store X509 Store to load
+ * \param file CRL file to load or NULL
+ * \param path Path to directory with hashed CRLs to load or NULL
+ *
+ * \note At least 1 file or path must be specified.
+ *
+ * \retval <= 0 failure
+ * \retval 0 success
+ */
+int crypto_load_crl_store(struct crypto_cert_store *store, const char *file,
+	const char *path);
+
+/*!
+ * \brief Load an X509 Store with untrusted certificates
+ *
+ * \param store X509 Store to load
+ * \param file Certificate file to load or NULL
+ * \param path Path to directory with hashed certs to load or NULL
+ *
+ * \note At least 1 file or path must be specified.
+ *
+ * \retval <= 0 failure
+ * \retval 0 success
+ */
+int crypto_load_untrusted_cert_store(struct crypto_cert_store *store, const char *file,
+	const char *path);
+
 /*!
  * \brief Locks an X509 Store
  *