IKEv2 NSS X509 test with various bits and flags toggled.

Note: dist_certs.py cannot generate some bogus certs because the underlying
openssl is refusing to generate those bogus certs. We need another tool for those.

certificate names (files) ending with "-bad" are supposed to fail validation. All
others are supposed to succeed using the NSS IPsec profile.

East always presents a proper certificate and uses %any for west so that instantiation
and followed Notify/Delete causes the instances to clean up without conflicting.
(using the regular IP for west, any second conn will fail. This is being copied to
another test case to resolve)

The certificate CN encdoes what non-standard operation was done on it:

-ku-	non-standard Key Usage specified (otherwise it contains only digitalSignature
-eku-	non-standard Key Usage specified (otherwise it contains serverAuth,clientAuth
-kuBOGUS- set a bogus KU OID [refused to be generatd by openssl, not tested]
-ekuBOGUS- set a bogus EKU OID
-kuOmit- don't include a Key Usage section
-ekuOmit- don't include an Extended Key Usage section
-kueMpty- include empty Key Usage section  [refused to be generatd by openssl, not tested]
-ekuEmpty- include empty Extended Key Usage section [refused to be generatd by openssl, not tested]
-kuCritical  make KU section Critical
-ekuCritical  make EKU section Critical

Current status:

Of those that we could generate with openssl:
   All validate according to the NSS IPsec profile, except:
       west-ekuCritical fails NSS IPsec profile but passes via fallback of TLS Client profile
       west-ekuCritical-eku-emailProtection fails NSS IPsec profile, TLS Client profile and TLS Server profile