- 09 Nov, 2021 1 commit
-
-
Vincent Pelletier authored
-
- 20 Oct, 2021 1 commit
-
-
Vincent Pelletier authored
-
- 15 Feb, 2021 1 commit
-
-
Vincent Pelletier authored
Emit Certificate Revocation Lists signed by all valid CAs.
Apparently openssl (or at least how it is used in stunnel4) fails to validate a certificate when CRL validation is enabled and the key which signed the CRL differs from the key which signed the certificate.
Also, add Authority Key Identifier CRL extension, required to be standard-compliant.
Also, fix revocation entry expiration: the RFC requires them to be kept at least one renewal cycle after the certificate's expiration.
As a consequence of this whole change:
  - the protocol for retrieving the current CRL changes to return the concatenated list of CRLs, which breaks the CRL distribution (...but the distributed CRLs were invalid anyway)
  - stop storing the CRL PEM in caucased's database so that it gets re-generated with fresh code. As caucased is not expected to be restarted very often, the extra CRL generation on every start should not make a difference.
-
- 12 Feb, 2021 7 commits
-
-
Vincent Pelletier authored
So it can be reused elsewhere.
-
Vincent Pelletier authored
-
Vincent Pelletier authored
-
Vincent Pelletier authored
-
Vincent Pelletier authored
Also, some word-wrapping.
-
Vincent Pelletier authored
Makes the code easier to read.
-
Vincent Pelletier authored
-
- 02 Feb, 2021 2 commits
-
-
Vincent Pelletier authored
Tests are supposed to help spot errors, and caucased access traces help with this too.
-
Vincent Pelletier authored
So that stdout may be more reliably used for scripting.
-
- 25 Nov, 2020 2 commits
-
-
Vincent Pelletier authored
-
Vincent Pelletier authored
-
- 27 Jun, 2020 1 commit
-
-
Vincent Pelletier authored
-
- 26 Jun, 2020 2 commits
-
-
Vincent Pelletier authored
Not all programs support having multiple CA certificates per file, so add support for creating and maintaining certificate directories containing a single certificate each.
-
Vincent Pelletier authored
Reference machine: Raspberry Pi 1 B+. caucased can take around 40s to start (CA generation, ...).
-
- 25 Jun, 2020 4 commits
-
-
Vincent Pelletier authored
So caucase.sh gets some regular exercise.
-
Vincent Pelletier authored
Avoid repeating function name in these.
-
Vincent Pelletier authored
Get an auto-issued user certificate and use it to exercise an authenticated action.
-
Vincent Pelletier authored
Should have been part of:
  commit 17325dc0
  Author: Vincent Pelletier <plr.vincent@gmail.com>
  Date: Sat Jul 14 18:40:41 2018 +0900
    all: Make caucased https certificate independent from CAS.
Also, remove CURL, PUT and PUTNoOut aliases. They are replaced with private function with a naming consistent with the rest of this script.
-
- 24 Jun, 2020 5 commits
-
-
Vincent Pelletier authored
If no value is provided to a return statement, the status of the last command run is returned, making "$?" superfluous.
-
Vincent Pelletier authored
If there is no return statement, shell functions return the status of the last command they ran. So "return $?" as last function statement is superfluous.
-
Vincent Pelletier authored
Simplify code a bit. Change directory when starting caucased, so all files are stored inside test's temporary directory (and not just the database). Tolerate caucased not immediately starting. Fix CA presence tests (well this is embarrassing). List test directory content when failing, as it will get deleted shortly after.
-
Vincent Pelletier authored
-
Vincent Pelletier authored
In shell/caucase.sh line 1134:
trap "kill \"$caucased_pid\"; wait; rm -rf \"$tmp_dir\"" EXIT
             ^-----------^ SC2064: Use single quotes, otherwise this expands now rather than when signalled.
                                             ^------^ SC2064: Use single quotes, otherwise this expands now rather than when signalled.
These variables are local, so immediate expansion is expected.
-
- 06 May, 2020 2 commits
-
-
Kirill Smelkov authored
Rerun with updated nxd-relicense. This actually changes license text in every file.
Before:
  W: caucase/__init__.py: cannot find license start
  W: caucase/_version.py: no copyright
  W: caucase/ca.py: cannot find license start
  W: caucase/cli.py: cannot find license start
  W: caucase/client.py: cannot find license start
  W: caucase/exceptions.py: cannot find license start
  W: caucase/http.py: cannot find license start
  W: caucase/http_wsgibase.py: cannot find license start
  W: caucase/storage.py: cannot find license start
  W: caucase/test.py: cannot find license start
  W: caucase/utils.py: cannot find license start
  W: caucase/version.py: cannot find license start
  W: caucase/wsgi.py: cannot find license start
  W: setup.py: cannot find license start
  W: shell/caucase.sh: cannot find license start
  W: versioneer.py: no copyright
After:
  W: caucase/_version.py: no copyright
  W: versioneer.py: no copyright
-
Vincent Pelletier authored
Add FOSS licence exception. Fix copyright holder name.
-
- 03 Jan, 2019 7 commits
-
-
Vincent Pelletier authored
-
Vincent Pelletier authored
-
Vincent Pelletier authored
Reduces backslash-doubling craziness.
-
Vincent Pelletier authored
-
Vincent Pelletier authored
-
Vincent Pelletier authored
-
Vincent Pelletier authored
-
- 13 Dec, 2018 2 commits
-
-
Vincent Pelletier authored
More consistent with address extraction.
-
Vincent Pelletier authored
-
- 12 Jul, 2018 3 commits
-
-
Vincent Pelletier authored
-
Vincent Pelletier authored
Also, remove irrelevant key usage extension, as during certificate renewal the extensions of the existing certificate are used, not the ones of the certificate signing request.
-
Vincent Pelletier authored
Found by shellcheck.
-